Email Tracking & GDPR: What's Actually Legal in 2026

Is email tracking legal under GDPR in 2026? Learn the two-layer consent problem, what regulators say, and what to do instead. Practical checklist inside.

6 min read · Prospeo Team

Email Tracking Under GDPR: What's Actually Legal in 2026

A RevOps lead we know disabled open-tracking pixels across all outbound sequences last year. Open rates dropped overnight. The kicker? Those numbers were already inflated by Apple Mail Privacy Protection - the "real" open rate had been a fiction for years. Email tracking under GDPR in 2026 isn't just legally questionable. It's technically broken.

The Short Answer

  • Email tracking pixels require consent under two separate frameworks - ePrivacy (device access) and GDPR (personal data processing). Both must be satisfied.
  • Legitimate interest doesn't bypass the ePrivacy consent requirement. This trips up almost every sales team we talk to.
  • Open tracking is technically broken. Apple devices accounted for roughly 52% of all email opens in 2021, and Apple Mail Privacy Protection has made that data increasingly noisy since.
  • Shift to click and reply metrics paired with verified contact data. If you can't trust opens, invest in knowing your emails reach real people before you hit send.

How Email Tracking Works

When you send a tracked email, your ESP embeds a 1x1 invisible image hosted on its server. The recipient's email client loads that image, pings back with their IP address, device type, timestamp, and approximate location. Tracked links work the same way - each URL routes through the ESP's server before redirecting, logging who clicked, when, and from where.

Both mechanisms store or access information on the recipient's device. That's the legal trigger.

Most compliance advice gets this wrong: pixel tracking doesn't face one legal hurdle. It faces two, stacked on top of each other.

[Figure: Two-layer ePrivacy and GDPR consent stack diagram]

Layer 1 - ePrivacy Directive Art. 5(3). Any time you store information on, or access information from, a user's terminal equipment, you need consent. The only exceptions are transmitting a communication or providing a service the user explicitly requested. A tracking pixel is neither.

Layer 2 - GDPR Art. 6. Once the pixel fires and you collect personal data (IP, device info, behavior patterns), you need a separate lawful basis under GDPR to process it.

The EDPB adopted Guidelines 2/2023 on October 16, 2024, taking a technology-neutral view of Art. 5(3): any device with a network interface can count as "terminal equipment," and even temporary storage in RAM or CPU can qualify. That brings both pixel-based tracking and URL-based tracking identifiers squarely into the Art. 5(3) device-access rule.

The ePrivacy Regulation was formally withdrawn on October 6, 2025. The 2002 Directive remains the framework indefinitely. If you were waiting for a modernized regulation to clarify things, stop waiting.

Why Legitimate Interest Won't Save You

Here's the thing: legitimate interest is a GDPR Art. 6 lawful basis. It operates at Layer 2. But Layer 1 - ePrivacy Art. 5(3) - requires consent specifically. You can't use a GDPR lawful basis to override an ePrivacy consent requirement. They're separate legal instruments.

If your legal team is telling you LI covers pixel tracking, get a second opinion. No UK or EU regulator has taken enforcement action specifically targeting email tracking pixels yet, but regulators are explicitly treating email pixels and tracking links like cookie-style tracking. Enforcement is a matter of timing, not probability.

Prospeo

If open tracking is legally risky and technically broken, the only thing that matters is reaching real inboxes. Prospeo's 5-step email verification delivers 98% accuracy - so your reply-rate metrics actually mean something. Bounce rates under 4%, no phantom opens.

Replace vanity open rates with verified contacts at $0.01 per email.

What Regulators Are Saying

EU - EDPB Guidelines 2/2023

The EDPB's adopted guidelines take a deliberately broad approach. Any tracking mechanism that stores or accesses information on terminal equipment falls under Art. 5(3) - regardless of whether personal data is involved. The move from the November 2023 consultation draft to the October 2024 adopted version included minimal changes, signaling confidence in this reading.

UK - ICO and PECR

The ICO is unambiguous: email tracking pixels fall under PECR's cookie and similar technologies rules, not email marketing rules. Its draft guidance on storage and access technologies, updated July 2025, explicitly lists tracking pixels and link decoration as covered technologies. PECR penalties run up to GBP 500,000, and B2B email addresses identifying individuals are still personal data under UK GDPR.

France - CNIL

CNIL launched a public consultation on June 12, 2025 proposing the strictest framework yet. The draft requires separate consent for receiving marketing emails and for tracking pixels within those emails.

The operationally brutal part: withdrawal of tracking consent must take effect retroactively. Controllers need to prevent pixel activation in emails already delivered. If someone withdraws consent and reopens an old email, the pixel shouldn't fire. Directionally correct, but a nightmare to implement with most ESPs. We haven't seen a single platform that handles this cleanly out of the box.

Open Tracking Is Broken Anyway

Even if you solve every legal problem, the data you're collecting is garbage.

[Figure: Why open tracking data is unreliable in 2026]

Apple Mail Privacy Protection preloads email content - including tracking pixels - through Apple's proxy servers, masks IP addresses, and generates false opens. MPP is opt-in, not automatic, yet 77% of marketers believed it was activated by default. iOS 18's Link Tracking Protection goes further, stripping tracking parameters from URLs in Mail and Safari.

For cold email, this breaks everything downstream. Open-based follow-up triggers fire on phantom opens. A/B tests on subject lines produce meaningless results. Segmentation by engagement level becomes fiction. Teams targeting recipients across the EU are especially affected, since Apple's market share in Western Europe is among the highest globally.

Let's be honest: the real problem was never GDPR. The data was already garbage before regulators got involved. GDPR is just forcing teams to stop pretending otherwise.

What to Do Instead

Shift Your Metrics

Click-through rates, reply rates, and conversion tracking all measure actual engagement without requiring device access. These metrics survive both regulatory scrutiny and Apple's privacy stack. For teams pursuing GDPR-compliant alternatives to open tracking, reply-based workflows are the safest path forward.

If you still need a playbook for what to send next, use proven sales follow-up templates instead of open-triggered nudges.

[Figure: Decision flow for GDPR-compliant email tracking alternatives]

Start With Verified Contact Data

If you can't track opens, you need to know your emails reach real people before you hit send. Prospeo verifies 143M+ email addresses with 98% accuracy on a 7-day refresh cycle. When open tracking is off the table, data quality becomes your leading indicator - a bounced email is a wasted email you'll never know about. The 5-step verification process includes catch-all handling, spam-trap removal, and honeypot filtering, keeping deliverability clean even without pixel-level feedback.

In our experience, teams that shift budget from tracking tools to data verification see better results faster. One agency we work with, Stack Optimize, maintains 94%+ deliverability and under 3% bounce rates across all their clients - without a single tracking pixel.

Explore Aggregate Tracking

Thread-level tracking - measuring engagement at the conversation level without identifying individual recipients - is one approach some ESPs already support. CNIL's draft includes the idea of carve-outs for anonymized, high-level statistics. Campaign-level metrics without individual identification are a promising direction for teams navigating EU privacy requirements.

For teams that retain pixel tracking with consent, here's sample language. Place this in your email preference center or sign-up form - not buried in a privacy policy:

We use tracking pixels to measure email engagement. I consent to email open tracking. You can withdraw consent at any time by emailing privacy@company.com or clicking "Manage Preferences" in any email.
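As an added example (not code from Prospeo or from any ESP), here is a minimal Python model of the two mechanisms described under "How Email Tracking Works", of CNIL's requirement that withdrawal also reaches pixels in emails already delivered, and of the campaign-level counts discussed under "Explore Aggregate Tracking". The class names, the in-memory stores and the request values are assumptions made for this example. The one design point it demonstrates is that consent is looked up when the pixel or link is served, never encoded into the URL at send time, which is what lets a "Manage Preferences" withdrawal silence a pixel in a message sent weeks earlier.

```python
"""Added example (not Prospeo's or any ESP's code): a consent-gated tracking pixel and
tracked-link service. Consent is looked up when each request is served, never baked into
the URL at send time, so withdrawal also silences pixels in emails delivered earlier.
All names here are invented for the example."""
import secrets
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Standard transparent 1x1 GIF (43 bytes), served whether or not an event is logged,
# so a withdrawn recipient's email renders exactly like a consented one.
TRANSPARENT_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)


@dataclass
class Response:
    status: int
    body: Optional[bytes] = None
    location: Optional[str] = None
    event: Optional[dict] = None  # identifying record written for this request, if any


@dataclass
class TrackingService:
    consent: dict = field(default_factory=dict)   # recipient id -> current consent (bool)
    tokens: dict = field(default_factory=dict)    # token -> (kind, recipient, campaign, url)
    events: list = field(default_factory=list)    # per-recipient records, consented only
    aggregate: Counter = field(default_factory=Counter)  # campaign-level tallies, no ids

    def set_consent(self, recipient_id: str, granted: bool) -> None:
        # Immediate and global: every token ever issued for this recipient follows it.
        self.consent[recipient_id] = granted

    def issue(self, kind: str, recipient_id: str, campaign: str, url: Optional[str] = None) -> str:
        """Mint the opaque token embedded in the pixel or link URL at send time.
        It carries neither the address nor a consent flag, only a lookup key."""
        assert kind in ("pixel", "link")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (kind, recipient_id, campaign, url)
        return token

    def serve(self, token: str, ip: str, ua: str) -> Response:
        entry = self.tokens.get(token)
        if entry is None:
            return Response(404)
        kind, recipient_id, campaign, url = entry
        event = None
        # Consent is re-checked on every request, including loads of long-delivered emails.
        if self.consent.get(recipient_id, False):
            event = {"kind": kind, "recipient": recipient_id, "campaign": campaign, "ip": ip,
                     "user_agent": ua, "at": datetime.now(timezone.utc).isoformat()}
            self.events.append(event)
        if kind == "pixel":
            # No consent: the image is still returned, nothing about the load is stored.
            return Response(200, body=TRANSPARENT_GIF, event=event)
        # Link: the redirect the reader asked for always happens; only logging is gated.
        # The campaign-level count below keeps no recipient id, IP or timestamp, the
        # kind of anonymised statistic CNIL's draft discusses; whether such counts
        # need consent is not settled by the article.
        self.aggregate[(campaign, "click")] += 1
        return Response(302, location=url, event=event)


def demo() -> dict:
    """Grant, log an open, withdraw, then reopen the same old email and click its link."""
    svc = TrackingService()
    svc.set_consent("r-001", True)
    pixel = svc.issue("pixel", "r-001", "spring-outbound")
    link = svc.issue("link", "r-001", "spring-outbound", "https://example.com/pricing")
    first = svc.serve(pixel, "203.0.113.7", "Mail/16.0")   # constructed request values
    svc.set_consent("r-001", False)                          # clicks "Manage Preferences"
    second = svc.serve(pixel, "203.0.113.7", "Mail/16.0")  # reopens the already-sent email
    click = svc.serve(link, "203.0.113.7", "Mail/16.0")
    return {
        "first_logged": first.event is not None,
        "second_logged": second.event is not None,
        "second_rendered": second.body == TRANSPARENT_GIF,
        "click_redirected": click.status == 302 and click.location == "https://example.com/pricing",
        "click_logged": click.event is not None,
        "events": len(svc.events),
        "aggregate_clicks": svc.aggregate[("spring-outbound", "click")],
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of `demo()`: the first open is logged, the reopen after withdrawal is not (though the image is still served, so the email renders identically), and the click is redirected but not attributed to the recipient. An ESP backing this with a real consent database needs the same structure: the token in the URL is a lookup key only, and the consent decision is made per request. An implementation that stamps `consented=1` into the pixel URL when the email is generated cannot satisfy the retroactive withdrawal described in CNIL's draft, because the flag in already-delivered messages can never change.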

Compliance Checklist for 2026

  1. Audit all current tracking - pixels, tracked links, and any ESP-level tracking you didn't configure yourself.
  2. Implement separate consent for pixel tracking - distinct from marketing email consent. CNIL's double-consent model is the direction of travel.
  3. Document your lawful basis for each tracking mechanism under both ePrivacy and GDPR.
  4. Offer clear withdrawal with immediate effect - including for pixels in previously delivered emails.
  5. Consider abandoning open tracking entirely - shift to engagement metrics that don't require device access.
  6. Verify your contact data so you're not sending into the void when you can't measure opens.

[Figure: Six-step GDPR email tracking compliance checklist for 2026]

Skip steps 2-4 if you're dropping open tracking altogether. That's the simpler path, and frankly, the one we'd recommend for most outbound teams. The compliance overhead of maintaining consent for a metric that's already unreliable just isn't worth it. If you're also fighting deliverability issues, start with an email deliverability audit and fix the basics first.

Prospeo

GDPR-compliant outbound starts before you hit send. Prospeo gives you 143M+ verified emails refreshed every 7 days - not 6 weeks - so you're never emailing stale, risky contacts. No pixels needed when your data connects you to real buyers.

Skip the tracking pixel. Send to people you know are real.

FAQ

Can I use legitimate interest for email tracking?

No. ePrivacy Art. 5(3) requires consent for accessing information on a user's device, regardless of your GDPR lawful basis. Legitimate interest applies to GDPR data processing, but the device-access layer demands consent specifically. These are two separate legal instruments, and one doesn't override the other.

Does GDPR apply to B2B email tracking?

Yes. The UK ICO confirms that business email addresses identifying individuals (e.g., john.smith@company.com) are personal data. ePrivacy Art. 5(3) applies to all terminal equipment access - B2B or B2C makes no difference at the device layer. B2B senders face the same two-layer consent requirement.

Is email tracking illegal under GDPR?

Not inherently - but it requires informed consent under ePrivacy rules for the device-access layer. Without that consent, tracking pixels are unlawful. Given Apple MPP makes open data unreliable anyway, many teams are shifting to click and reply metrics paired with pre-send email verification so they're not flying blind.

What's the safest alternative to open tracking?

Reply-rate and click-through-rate tracking, combined with pre-send email verification. Reply metrics require zero device access and no consent under ePrivacy. Verifying your list before sending gives you a reliable deliverability signal even without pixel data - you know the address is real, the mailbox exists, and it isn't a spam trap.
