Email Tracking Pixels: New Guidelines

On 17 April 2026, the Italian Data Protection Authority (the Garante) published Guidelines on the use of tracking pixels in email communications, aimed at strengthening transparency and giving users greater control over their personal data. These Guidelines apply to anyone who uses tracking pixels, regardless of their capacity or the purpose of their communications.

Tracking pixels are tiny, virtually invisible images inserted into emails through HTML code and loaded from remote servers when a recipient opens a message. Without the user’s full awareness, this process automatically sends a request to the sender’s server, allowing the sender — or its partners — to collect data such as whether the email was opened, the type of device used, the time spent consulting the message, and the number of times it was opened. Importantly, the Garante clarifies that tracking pixels do not directly access or analyse the substantive content of the email; rather, they monitor the event of the email being opened and consulted. Their intrusiveness therefore stems primarily from their hidden nature and the recipient’s lack of awareness, as well as from the behavioural inferences that may subsequently be drawn from their use. While tracking pixels may serve a range of legitimate purposes — including improving email deliverability, measuring audience engagement, combating spam, and detecting phishing — their covert nature raises significant data protection concerns.
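The mechanism described above can be checked from the recipient's side. The following is an added example, not part of the Guidelines or of this article: a heuristic scanner that flags remote images in an HTML email body that are 1x1 or hidden by CSS. The sample message, host names and the two heuristics are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; hosts and parameters are invented for illustration.
SAMPLE_HTML = """<html><body><p>Spring newsletter</p>
<img src="https://cdn.example.com/banner.png" width="600" height="120" alt="Banner">
<img src="https://track.example.net/o.gif?rid=abc123" width="1" height="1" alt="">
<img src="https://track.example.net/p?u=42" style="display:none">
<img src="cid:logo@local" width="1" height="1">
</body></html>"""

def _style(value):
    """Parse an inline style attribute into a {property: value} dict."""
    parts = (d.partition(":") for d in (value or "").split(";"))
    return {k.strip().lower(): v.strip().lower() for k, _, v in parts if v}

def _tiny(value):
    """True for a dimension of 0 or 1 pixel ('0', '1', '1px')."""
    m = re.fullmatch(r"(\d+)(?:px)?", (value or "").strip().lower())
    return bool(m) and int(m.group(1)) <= 1

class PixelFinder(HTMLParser):
    """Collects remote <img> tags that are tiny or hidden (a heuristic)."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images cause no remote request
        css, reasons = _style(a.get("style")), []
        if _tiny(a.get("width") or css.get("width")) and \
           _tiny(a.get("height") or css.get("height")):
            reasons.append("1x1 or smaller")
        if css.get("display") == "none" or css.get("visibility") == "hidden":
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({"host": url.hostname, "url": url.geturl(),
                                  "has_query": bool(url.query), "reasons": reasons})

def find_tracking_pixels(html):
    """Return one finding per suspected tracking pixel in an HTML email body."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

A query string on a flagged URL is worth reviewing because it can carry a per-recipient identifier; the scanner only reports its presence and does not decode it.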

Under the Guidelines, the use of tracking pixels must always be disclosed to recipients in advance, in accordance with the principles of lawfulness, fairness and transparency under Article 5(1)(a) GDPR and the Italian Personal Data Protection Code. The Garante also clarifies that the use of tracking pixels falls within the scope of Article 122 of the Italian Personal Data Protection Code, as it involves the storage of information in the user’s terminal equipment and/or access to information already stored therein. Accordingly, where no exemption under Article 122 applies, data controllers must obtain the recipient’s prior, informed, free, specific and unambiguous consent before deploying tracking pixels. Such exemptions may apply, for instance, where pixels are used solely for aggregate statistical counts subject to appropriate anonymisation measures, for security and authentication purposes, or where institutional, service-related or legally mandated communications make it necessary to verify that the recipient has actually become aware of the message.

Where consent is required, it must be collected when the email address is obtained and must be easily revocable by the user. For processing already underway at the time the Guidelines come into force, data controllers must promptly fulfil their information obligations and implement a clearly visible and user-friendly consent withdrawal mechanism. All parties concerned have six months from the Guidelines’ publication in the Official Gazette to ensure full compliance.