Italy Requires Explicit Consent for Email Tracking
Italy's Garante issues binding guidelines requiring explicit consent for tracking pixels. Six months to comply with new email privacy rules across EU marketing.
Italy's data protection authority just drew a hard line around one of email marketing's most common but least transparent tools. The Garante, Italy's Data Protection Authority, has issued new guidelines that reshape how organizations can use tracking pixels in emails. The rules, adopted on April 17, 2026, and reported by Byte.Legali on April 21, require explicit user consent before any tracking pixel can fire in a commercial email. For marketers who rely on open-rate data, this is a significant operational shift with a tight deadline.
What the Garante Actually Ruled
Tracking pixels are transparent images, often just a single pixel in size, embedded in emails and hosted on remote servers. When a recipient opens a message, the pixel downloads automatically, allowing the sender to know whether and when the email was read, how many times it was opened, from which device, and technical data including the IP address.
The regulator described this technology as particularly invasive, especially when deployed without the recipient's full awareness. Until April 17, 2026, no specific rule or guidance in the Italian legal system addressed the practice directly. The Garante has now filled that gap with a ruling that sets out precise technical and legal obligations for anyone using these tools.
The Authority confirmed that tracking pixels fall under Article 122 of Italy's Privacy Code, which governs technologies that access information on a user's device or monitor online activity. In practical terms, this places email tracking pixels in the same regulatory category as browser cookies, and subjects them to the same consent requirements.
Consent Must Be Prior, Free, and Specific
At the center of the framework is a clear expectation that organizations must obtain prior, informed consent before using tracking pixels in most cases. The Garante's language is direct: consent cannot be bundled quietly into a privacy policy or assumed from a subscriber's general opt-in to receive marketing emails.
The good news for marketers managing consent fatigue: the Garante does allow some consolidation. The consent for tracking pixels can be included within the broader consent to receive promotional communications, avoiding multiple redundant requests. The condition is that the request must be worded neutrally, without pressure, and the subscriber must be clearly informed that tracking is involved.
Particular emphasis is placed on "granular" withdrawal: users must be able to choose whether to continue receiving emails without tracking, or to stop communications entirely, without facing penalties or service restrictions. This opt-out mechanism must be accessible through a standardized link or icon in the footer of every email, leading to a dedicated preference page.
Who Must Comply
The scope is broad. The guidelines apply to information society service providers, organizations offering publicly accessible online services, email providers, bulk email sending platforms, and, more generally, all entities that use tracking pixels. This covers ESPs, newsletter operators, and any business sending commercial email to Italian residents.
Tracking pixels were found, through the Garante's own inspections conducted between October 2025 and February 2026, to be present in virtually all digital communication campaigns. That scale means few senders will be exempt.
Narrow Exceptions Remain
The Authority stopped short of an outright ban. Limited exceptions remain for security-related uses, strictly necessary technical functions, and certain institutional or service communications. Even in those cases, organizations must adhere to proportionality and data minimization principles.
Statistical use of pixels requires full anonymization of the data, preventing any individual identification. If your open-rate reporting is aggregated and non-identifiable, it may fall outside the consent requirement, but individual-level engagement tracking does not.
Six Months to Comply
The Garante has set a transitional period of six months from the publication of the guidelines in the Gazzetta Ufficiale (Italy's official journal), within which all affected parties must bring their practices into line. The clock has not yet started formally, as publication in the Gazzetta Ufficiale was still pending at the time of the ruling, but teams should treat this as an immediate priority.
The Garante requires the adoption of privacy by design and by default principles, obliging data controllers to build data protection into system design from the outset. Recommended measures include the use of anonymous identifiers, separation of personal data from tracking systems, and limiting the circulation of collected information.
This is not Italy acting in isolation. France's data protection authority (CNIL) launched a public consultation in June 2025 on tracking pixels in emails, potentially requiring explicit consent for even basic email open tracking. The direction across European regulators is consistent: individual-level email tracking without clear prior consent is no longer a grey area.
What Email Marketers Should Do Now
For any team sending to Italian subscribers, or managing cross-border EU campaigns, the compliance checklist is clear:
Audit your consent flows. Verify that your sign-up forms explicitly disclose tracking pixel use, not just email marketing in general.
Add granular opt-out controls. Every email footer needs a mechanism for subscribers to disable tracking without losing their subscription entirely.
Review your ESP agreements. If your email service provider deploys tracking pixels for its own purposes, such as improving deliverability or list quality, both you and the provider may be classified as joint data controllers, which triggers shared documentation and disclosure responsibilities.
Anonymize aggregate reporting. If you only need campaign-level open data, switching to anonymized aggregates removes the consent requirement for that processing.
Document everything. Under GDPR Article 7.1, you must be able to demonstrate that users gave consent. Systems should keep an individual record of each subscriber's consent together with the circumstances in which it was obtained.
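A sketch of how a sending pipeline could enforce the checklist above at render time, as an added example that is not taken from the Garante's guidelines or from any ESP's code. The three-state preference model, the record fields, the hosts and all names are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from urllib.parse import quote

# Assumed hosts; .invalid never resolves, so nothing here reaches a real server.
PIXEL_BASE = "https://t.example.invalid/o"
PREFS_URL = "https://example.invalid/email-preferences"

class Pref(Enum):
    EMAIL_AND_TRACKING = "email+tracking"  # prior, specific consent to the pixel
    EMAIL_ONLY = "email"                   # tracking withdrawn, still subscribed
    UNSUBSCRIBED = "none"                  # all communications stopped

@dataclass(frozen=True)
class ConsentRecord:
    subscriber_id: str
    pref: Pref
    recorded_at: datetime   # when the choice was made
    source: str             # circumstances: which form or preference page
    notice_version: str     # which disclosure text the subscriber was shown

def render(body_html, record, campaign, token_store):
    """Return the HTML to send, or None when there is no record or an opt-out."""
    if record is None or record.pref is Pref.UNSUBSCRIBED:
        return None
    # Every message carries the preference link, tracked or not.
    html = body_html + f'<p><a href="{PREFS_URL}">Email and tracking preferences</a></p>'
    if record.pref is Pref.EMAIL_AND_TRACKING:
        # Random token, not derived from the address; mapping kept apart in token_store.
        token = secrets.token_urlsafe(16)
        token_store[token] = record.subscriber_id
        html += (f'<img src="{PIXEL_BASE}/{quote(campaign, safe="")}/{token}.gif" '
                 'width="1" height="1" alt="">')
    return html

def demo():
    """Render one campaign for three constructed subscribers plus an unknown one."""
    now = datetime.now(timezone.utc)
    records = {
        "s1": ConsentRecord("s1", Pref.EMAIL_AND_TRACKING, now, "signup-form", "v3"),
        "s2": ConsentRecord("s2", Pref.EMAIL_ONLY, now, "preference-page", "v3"),
        "s3": ConsentRecord("s3", Pref.UNSUBSCRIBED, now, "preference-page", "v3"),
    }
    store = {}
    out = {sid: render("<p>Hello</p>", records.get(sid), "spring sale", store)
           for sid in ("s1", "s2", "s3", "s4")}
    return out, store
```

Only the subscriber with a recorded tracking preference receives the pixel; the email-only subscriber gets the same message and preference link without it, and a missing record is treated as no consent.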
The Garante's decision also arrives alongside separate enforcement action: the Authority simultaneously fined Poste Italiane 6.6 million euros and Postepay 5.8 million euros for unlawful data processing. The message is clear. Regulators are not just writing rules; they are enforcing them.