Short answer: On 14 April 2026 the CNIL published the final version of its recommendation on tracking pixels in emails. For most marketing uses, a pixel now requires consent that is separate from consent to send the message itself. HubSpot gives you controls that help you align with the rules (disabling tracking, data privacy settings, legal basis for processing), but it does not make you automatically compliant and cannot natively vary tracking per recipient for marketing emails. Full "pixel only for people who consented" control is usually achieved through an external tool (an ESP or router), with HubSpot acting as the CRM and consent record.
An email tracking pixel is an invisible file (usually a 1-by-1 pixel image) embedded in the body of an email that automatically sends information to the sender when the message is opened. According to the CNIL, the sender can use it to determine, for each individual recipient, whether the message was opened, at what time (day and hour), on what type of device, and an approximate location derived from the IP address.
The CNIL compares the function of email pixels to the cookies used while browsing websites. The pixel itself does not give access to the content of other messages or to the recipient's mailbox.
The recommendation clarifies when the use of tracking pixels requires consent and when it falls within a narrow exemption.
Consent covers most typical marketing uses. The CNIL lists open-rate measurement to evaluate and optimize campaign performance (for example, adjusting send frequency), profile building to target recipients on other channels (websites, mobile apps), detection of fraudulent behavior, and open measurement for deliverability when it goes beyond the strict exemption described below.
The exemption is limited to two groups: security measures linked to authentication, and open measurement strictly confined to deliverability. The second group is permitted only for precise purposes such as managing recipient inactivity, adjusting frequency or contact channel, or proving a statutory information obligation. In exchange, the CNIL requires storing only the date of the last open, without the time, overwriting it on each subsequent open.
Exemptions apply only to messages the recipient solicited: transactional emails (order confirmation, alert, invoice) or marketing emails for which consent was given.
The most common interpretation error is to merge the two consents. The CNIL treats them separately. A consent-requiring pixel can appear even in emails that do not require consent to send, such as transactional messages, B2B prospecting, or communication to existing customers. The absence of a send-consent obligation therefore does not remove the pixel-consent obligation.
The responsible party is the sender, understood as the entity that decides to send, even if a third party carries out the technical sending. The CNIL treats it as the data controller for pixel-related processing. A service provider (for example, an email platform vendor or a pixel vendor) acts in principle as a processor, but can become a joint controller if it uses the data for its own purposes.
The CNIL prefers collecting consent at the moment the email address is obtained, directly in the signup form, which in practice means adding checkboxes. Consent can also be collected through a dedicated email without a pixel, leading to a page with an explicit action. The second route applies especially to addresses not obtained directly, such as lists purchased from data brokers. If the recipient refuses, the CNIL recommends waiting six months before any new contact attempt.
In principle, each distinct purpose corresponds to a separate opt-in. The CNIL allows two relaxations: a single consent for "connected" purposes, and a two-level interface in which a global consent at the first level is possible provided the purposes are clearly presented and the second level lets the user choose purpose by purpose.
For addresses collected earlier, the CNIL requires sending recipients information that lets them object to future operations. The deadline is three months from publication of the recommendation, meaning by mid-July 2026. The CNIL has announced inspections in the following months.
Every email should contain a withdrawal link in the footer, as easy to use as giving consent and without re-entering the address. Withdrawal must be immediate for future sends and, where possible, neutralize pixels in messages already sent. The industry considers this retroactive neutralization technically difficult.
On proof, you must be able to demonstrate valid, individualized consent at any time: date, form version, channel, and purposes covered. A contractual clause alone is not enough when collection has been delegated to a partner; effective proof, regular audits, and the ability to suspend data flows in case of failure are required.
HubSpot supports compliance efforts, but it does not make you automatically compliant. It provides concrete mechanisms whose scope depends on whether you mean marketing emails, 1:1 emails, or website and ad pixels.
Open tracking for marketing emails can be turned off in HubSpot under Settings → Marketing → Email → Tracking, where open tracking, click tracking, source tracking, and identity tracking are managed at the account level. HubSpot confirms that open tracking uses an invisible one-pixel image.
The key limitation: HubSpot does not offer a native option to "track opens for non-French recipients but not for French recipients." The setting is global for the account. So if French recipients are in the same tracked marketing sends, the safest native option is to turn off open tracking for marketing emails. HubSpot also notes that even after opens are turned off, it may still anonymously track data for email infrastructure health.
For one-to-one messages, HubSpot offers more control. An admin manages tracking for all users under Settings → Data Management → Objects → Activities → Email Log & Track. An individual user can turn off tracking for a specific message, and in the extension settings can exclude specific contacts or email domains.
The strongest native safeguard here is the data privacy feature. When data privacy settings are enabled, HubSpot tracks opens for 1:1 emails only for contacts with an assigned legal basis for processing. For contacts without a legal basis, opens are not tracked and the tracking checkbox can be grayed out. This uses the contact property "Legal basis for processing contact's data."
For website tracking and ad pixels, HubSpot has consent banner tools that can require opt-in before nonessential cookies or certain pixels fire. The limitation is that these banners are designed mainly for website and cookie tracking and are not a complete, CNIL-specific consent framework for email tracking pixels.
HubSpot cannot natively vary tracking by country for marketing emails: open tracking is an account-level setting, so behavior cannot be split by country within a single marketing send. To get different treatment, you need an operational workaround, for example separate sends for France outside HubSpot's tracked marketing emails.
For 1:1 emails it is more flexible, but there is still no automatic "country = France, so disable tracking" rule. Differentiation is handled operationally: per message, per contact, or per domain, and through legal-basis gating in the data privacy settings.
The realistic path is to move the consent logic and the pixel logic outside HubSpot's native marketing-email tracking, then sync consent status back into HubSpot. HubSpot remains the CRM and the consent record, while the external tool decides per-recipient pixel behavior.
Consent fields to sync with HubSpot: email_tracking_consent, email_tracking_consent_timestamp, email_tracking_consent_source, email_tracking_consent_text_version.

When evaluating a vendor, check whether it can collect separate consent for the tracking pixel, insert an individual pixel only for consented recipients, use anonymized or campaign-level measurement for everyone else, honor consent withdrawal server-side, export proof of consent for audits, and sync consent fields with HubSpot via API or native integration.
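A sketch of the per-recipient pixel logic such an external tool would apply, added here as an example and not HubSpot's or any vendor's code. It uses the four consent properties named above; the tracking host, contact ids, function names, and the rule that consent counts only when the proof fields are filled are assumptions of the example.

```python
import html
from urllib.parse import urlencode

TRACK_BASE = "https://track.example.invalid/o"  # placeholder host (assumption)
PROOF_FIELDS = ("email_tracking_consent_timestamp",
                "email_tracking_consent_source",
                "email_tracking_consent_text_version")

# Constructed contact records keyed by a hypothetical contact id.
CONTACTS = {
    "c-100": {"email_tracking_consent": True,
              "email_tracking_consent_timestamp": "2026-05-02T09:14:00Z",
              "email_tracking_consent_source": "signup_form",
              "email_tracking_consent_text_version": "v3"},
    "c-200": {"email_tracking_consent": False},
}

def has_pixel_consent(contact):
    """True only when the flag is set and the proof fields are all filled."""
    return (contact.get("email_tracking_consent") is True
            and all(contact.get(f) for f in PROOF_FIELDS))

def pixel_url(contact_id, campaign_id, contacts):
    """Individual pixel for consented recipients, campaign-level otherwise."""
    params = {"c": campaign_id}
    if has_pixel_consent(contacts.get(contact_id, {})):
        params["r"] = contact_id  # recipient id only with valid consent
    return TRACK_BASE + "?" + urlencode(params)

def add_pixel(body_html, contact_id, campaign_id, contacts):
    """Append the 1-by-1 image; the URL is escaped for the HTML attribute."""
    url = html.escape(pixel_url(contact_id, campaign_id, contacts), quote=True)
    return body_html + f'<img src="{url}" width="1" height="1" alt="">'

def record_open(params, contacts, stats, opened_at):
    """Handle a pixel request. Consent is re-checked at open time, so a
    withdrawal also neutralizes pixels in messages already sent."""
    campaign = stats.setdefault(params["c"], {"total": 0, "by_recipient": {}})
    campaign["total"] += 1  # campaign-level count, no recipient attached
    rid = params.get("r")
    if rid and has_pixel_consent(contacts.get(rid, {})):
        campaign["by_recipient"][rid] = opened_at
    return stats
```

Because `record_open` reads the current consent state rather than trusting the URL, the consent record synced from HubSpot has to be up to date on the tracking server at the moment of the open.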
If you keep sending marketing emails directly from HubSpot, an external tool usually cannot override HubSpot's built-in, account-level open tracking on a per-recipient basis in the native send flow. In practice, the external tool must either become the sending platform for those campaigns or run a separate, compliant send path for French recipients.
The CNIL recommendation of 14 April 2026 requires separate consent for the tracking pixel for most marketing uses and treats that consent independently of consent to send. HubSpot provides useful mechanisms (global disabling of marketing tracking, granular controls for 1:1, legal-basis gating, website consent banners), but it does not vary tracking per recipient for marketing emails and does not guarantee full compliance on its own. Full control is achieved through an external tool, where HubSpot remains the CRM and consent record and the pixel reaches only those who consented.