Monthly Archives: May 2026

Email Tracking Pixels: New Guidelines

On 17 April 2026, the Italian Data Protection Authority (the Garante) published Guidelines on the use of tracking pixels in email communications, aimed at strengthening transparency and giving users greater control over their personal data. These Guidelines apply to anyone who uses tracking pixels, regardless of their capacity or the purpose of their communications.

Tracking pixels are tiny, virtually invisible images inserted into emails through HTML code and loaded from remote servers when a recipient opens a message. Without the user’s full awareness, this process automatically sends a request to the sender’s server, allowing the sender — or its partners — to collect data such as whether the email was opened, the type of device used, the time spent consulting the message, and the number of times it was opened. Importantly, the Garante clarifies that tracking pixels do not directly access or analyse the substantive content of the email; rather, they monitor the event of the email being opened and consulted. Their intrusiveness therefore stems primarily from their hidden nature and the recipient’s lack of awareness, as well as from the behavioural inferences that may subsequently be drawn from their use. While tracking pixels may serve a range of legitimate purposes — including improving email deliverability, measuring audience engagement, combating spam, and detecting phishing — their covert nature raises significant data protection concerns.
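As an added example (not part of the Garante's Guidelines or this post), the following Python scanner shows how a mail gateway or client can surface the hidden images described above: it flags `<img>` tags that are both loaded from a remote HTTP(S) host and rendered invisible (1x1 or hidden by style). The sample email body and its domains are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email: one visible logo, one hidden remote pixel,
# one inline (cid:) image that cannot phone home. Domains are placeholders.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hello, here is our newsletter.</p>
<img src="https://cdn.example-newsletter.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-newsletter.test/open?id=abc123" width="1" height="1" style="display:none">
<img src="cid:inline-photo" width="300" height="200">
</body></html>
"""

def _px(value):
    """Parse a width/height attribute; unknown sizes are never treated as tiny."""
    try:
        return int(str(value).rstrip("px"))
    except (TypeError, ValueError):
        return 9999

class PixelFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels: remote source
    (an open triggers an HTTP request to the sender) and not visible to the reader."""
    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid: and data: images are delivered with the mail, no callback
        tiny = _px(a.get("width")) <= 1 and _px(a.get("height")) <= 1
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.suspects.append({"src": src,
                                  "host": urlparse(src).hostname,
                                  "reason": "1x1" if tiny else "hidden"})

def find_tracking_pixels(html):
    """Return the list of suspected tracking pixels in an HTML email body."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.suspects
```

A client that blocks remote image loading by default (or proxies them) neutralises the open-signal regardless of whether the pixel is detected.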

Under the Guidelines, the use of tracking pixels must always be disclosed to recipients in advance, in accordance with the principles of lawfulness, fairness and transparency under Article 5(1)(a) GDPR and the Italian Personal Data Protection Code. The Garante also clarifies that the use of tracking pixels falls within the scope of Article 122 of the Italian Personal Data Protection Code, as it involves the storage of information in the user’s terminal equipment and/or access to information already stored therein. Accordingly, where no exemption under Article 122 applies, data controllers must obtain the recipient’s prior, informed, free, specific and unambiguous consent before deploying tracking pixels. Such exemptions may apply, for instance, where pixels are used solely for aggregate statistical counts subject to appropriate anonymisation measures, for security and authentication purposes, or where institutional, service-related or legally mandated communications make it necessary to verify that the recipient has actually become aware of the message.

Where consent is required, it must be collected when the email address is obtained and must be easily revocable by the user. For processing already underway at the time the Guidelines come into force, data controllers must promptly fulfil their information obligations and implement a clearly visible and user-friendly consent withdrawal mechanism. All parties concerned have six months from the Guidelines’ publication in the Official Gazette to ensure full compliance.

Pseudonymisation Under the GDPR: Where We Are, What May Change Under the Digital Omnibus, and What Regulators Think

Pseudonymisation has long been a key safeguard under the GDPR. A new “Digital Omnibus” proposal aims to clarify when pseudonymised data may fall outside the scope of personal data – an idea the EDPB and EDPS have pushed back on. Here’s a quick overview of the landscape and what to watch.

1) Pseudonymisation under the GDPR today

Definition (Article 4(5))
Pseudonymisation is any processing of personal data that prevents attribution to a specific data subject without additional information, provided that such information is kept separately and protected by appropriate technical and organisational measures.

Where it matters in practice

  • Purpose compatibility (Article 6): When assessing whether further processing is compatible with the original purpose, controllers should consider safeguards like pseudonymisation or encryption.
  • Privacy by design/default (Article 25): Controllers must implement suitable measures – including pseudonymisation – to embed data protection principles (e.g., minimisation) into processing activities.
  • Security (Article 32): Pseudonymisation is listed among the measures that can ensure a level of security appropriate to risk.
  • Research & statistics (Article 89): For archiving in the public interest, scientific or historical research, or statistical purposes, controllers must adopt safeguards to uphold data minimisation; pseudonymisation may be used where it allows achieving those purposes. If purposes can be achieved without identifying individuals, processing should proceed in that non‑identifying way.

Bottom line today:
Pseudonymisation reduces risk and supports compliance, but does not remove data from the GDPR’s scope; the data remain personal unless they are no longer reasonably identifiable.
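To make the Article 4(5) definition concrete, here is an added example (not from this post) of keyed pseudonymisation: identifiers are replaced by HMAC tokens, and the key is the "additional information" that must be held separately. The same subject stays linkable across records, re-identification works only for the key holder, and an unkeyed hash is shown alongside to illustrate why a separately kept secret is what does the work. Records and addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; addresses are placeholders.
RECORDS = [
    {"email": "alice@example.test", "plan": "pro"},
    {"email": "bob@example.test", "plan": "free"},
    {"email": "alice@example.test", "plan": "pro"},
]

def make_key():
    """The 'additional information' of Art. 4(5): a random secret stored
    separately from the pseudonymised dataset (e.g. in an HSM or key vault)."""
    return secrets.token_bytes(32)

def _token(key, identifier):
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key, field="email"):
    """Replace the direct identifier with a keyed token; other attributes stay."""
    return [{**{k: v for k, v in r.items() if k != field},
             "subject_id": _token(key, r[field])} for r in records]

def reidentify(pseudo_records, key, candidates):
    """Attribute tokens back to identifiers. Only succeeds with the right key;
    without it every lookup returns None, which is the point of keeping it apart."""
    table = {_token(key, c): c for c in candidates}
    return [table.get(r["subject_id"]) for r in pseudo_records]

def naive_hash(identifier):
    """Unkeyed hash: anyone holding a list of candidate addresses can recompute
    it, so it offers no protection against re-identification (a weaker design)."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]

def naive_reidentify(tokens, candidates):
    table = {naive_hash(c): c for c in candidates}
    return [table.get(t) for t in tokens]
```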

2) The Digital Omnibus proposal: clarifying pseudonymisation and its boundary with personal data

The Commission’s Digital Omnibus proposal seeks to simplify and harmonise the digital legislative framework. In the GDPR context, it also aims to:

  • Clarify key definitions, including personal data and pseudonymisation;
  • Facilitate compliance by supporting controllers with criteria and means to determine when data resulting from pseudonymisation do not constitute personal data (e.g., considering state of the art techniques and re‑identification risks);

New Article 41a (proposed)
The proposal would add Article 41a to the GDPR empowering the Commission to adopt implementing acts that:

  • Specify means and criteria to assess whether pseudonymised data no longer constitute personal data for certain entities;
  • Take into account the state of the art and risk of re‑identification for typical recipients;
  • Involve the EDPB closely; the EDPB would issue an opinion within 8 weeks on draft implementing acts;
  • Allow controllers to use those means/criteria as an element of proof that data cannot lead to re‑identification.

What this tries to achieve:
More legal certainty and practical guidance for controllers on when pseudonymised outputs can be treated as non‑personal, potentially easing compliance burdens – especially for smaller organisations – where re‑identification risk is demonstrably negligible.

3) The EDPB–EDPS joint opinion: concerns and a clear recommendation

In Joint Opinion 2/2026, the EDPB and EDPS express significant concerns with proposed Article 41a:

  1. Material scope of EU data protection law at stake
    Deciding whether information is personal data defines when the GDPR applies. Allowing the Commission – via implementing acts – to determine means and criteria for when pseudonymised data are no longer personal could de facto reshape the GDPR’s material scope “for whom and when,” which the authorities argue should be determined independently by supervisory authorities, under court control, with the EDPB ensuring consistent application.
  2. Legal certainty may not improve
    The draft says implementation of the Commission’s means/criteria “may be used as an element” to show non‑identifiability. The authorities find this ambiguous: Would it create a rebuttable presumption or merely one factor among others? Such uncertainty risks more complexity and confusion, contrary to the proposal’s simplification goals.

Regulatory ask:
The EDPB and EDPS recommend deleting Article 41a from the proposal.

What this means for organisations

  • Today’s steady state remains: Pseudonymised data are generally still personal data; pseudonymisation reduces risk and supports lawfulness, security, and privacy by design, but does not itself exclude GDPR applicability.
  • If Article 41a were adopted: There could be structured criteria (and potentially industry‑specific or recipient‑specific categories) to support assertions that certain pseudonymised datasets are non‑personal. However, the legal effect might be limited if criteria only serve as one evidentiary element rather than a presumption – leaving residual uncertainty.
  • Regulatory trajectory: Given the EDPB–EDPS stance, expect intense debate in the legislative process. Controllers should not plan on deregulatory outcomes; continue to treat pseudonymised data as personal unless robustly anonymised per existing standards.