The Vantage View | HubSpot

Email Tracking Consent Rules in France & Italy: What to Do

Written by David Cockrum | Jul 18, 2026 12:00:00 PM

New guidance from French and Italian data protection regulators changes how marketing and sales teams can track email opens and clicks for recipients in those countries. If you send tracked emails — marketing sends, one-to-one sales emails, or automated workflows — into France or Italy, you need to review your tracking settings and consent practices now, ahead of compliance dates in July and October 2026.

This is not a minor technical footnote. Regulators in both countries have confirmed that a tracking pixel is treated like a cookie: loading it counts as accessing a recipient's device, which triggers consent requirements under EU ePrivacy rules. That reclassification affects any team using HubSpot, or any other CRM/ESP, to measure opens and clicks.

Quick Answer

What it is: France's CNIL and Italy's Garante have each issued guidance treating email tracking pixels (open/click tracking) as requiring recipient consent, separate from consent to receive the email itself.

Who it matters for: Any marketing, sales, or RevOps team sending tracked emails — marketing sends or one-to-one/sales emails — to contacts in France or Italy, including HubSpot users relying on default open/click tracking.

What decision it supports: Whether your current email programs need updated consent language, revised sign-up forms, a tracking opt-out mechanism, and updated privacy disclosures before the applicable dates.

Why Vantage Point is relevant: Vantage Point helps HubSpot and Salesforce teams configure consent-aware tracking, subscription types, and workflow logic so compliance changes don't break marketing operations.

TL;DR

  • What it is: France (CNIL) and Italy (Garante) now require consent for email open/click tracking pixels, treating them like cookies under EU ePrivacy rules.
  • Why it matters: Email tracking consent failures create regulatory exposure in two major EU markets and may require changes to sign-up forms, privacy policies, and tracking configuration.
  • Best for: Any organization sending tracked marketing or sales emails to contacts in France or Italy, regardless of industry.
  • Decision point: Audit which of your tracked email types already rest on valid consent, and where you need a new opt-out or consent capture step.
  • How Vantage Point helps: Vantage Point's compliance and security solutions work supports CRM teams building consent-aware tracking and data governance into HubSpot and Salesforce.

What Changed

Two separate regulatory actions, at different levels of legal force, both point in the same direction: email tracking pixels now require recipient consent in France and Italy.

  • France — CNIL Deliberation 2026-042: The Commission Nationale de l'Informatique et des Libertés (CNIL) adopted a recommendation on email tracking pixels on March 12, 2026, published April 14, 2026 as Deliberation 2026-042. This is soft law — a recommendation, not a binding regulation — but CNIL has stated it intends to begin enforcement from mid-July 2026.
  • Italy — Garante Provision 284: Italy's data protection authority (Garante) adopted Provision 284 on April 17, 2026, published in the official gazette on April 29, 2026. This carries more formal legal weight than France's recommendation. Most guidance points to a compliance date roughly six months from the gazette date — commentary varies between October 28 and October 29, 2026, so treat mid-October 2026 as the practical deadline to be safe.
  • Shared legal foundation: Both actions build on the EDPB's Guidelines 2/2023 (finalized October 2024), which confirmed that loading a tracking pixel counts as gaining access to a recipient's terminal device under Article 5(3) of the ePrivacy Directive — the same legal basis that governs cookies. This is a distinct issue from the EDPB's 2026 Coordinated Enforcement Framework (launched March 19, 2026), a broader multi-country sweep of privacy-notice transparency across GDPR Articles 12–14. The two are unrelated: the CEF sweep is not pixel-specific, and the France/Italy guidance is not part of the CEF.

The practical effect: pixel-based tracking used to measure opens and clicks for campaign performance, build engagement profiles, or support fraud/bot detection now needs its own consent basis — separate from any consent or legal basis you rely on to send the email itself.

Who's Affected

  • Marketing teams sending tracked campaign emails to contacts in France or Italy.
  • Sales teams using one-to-one email tracking (open/click notifications) in HubSpot or similar tools for contacts in those countries.
  • B2B teams relying on legitimate-interest or opt-out models for cold outreach — this guidance does not eliminate the ability to send a cold B2B email under existing opt-out rules, but it does mean the tracking pixel attached to that email needs its own consent, even if the email itself doesn't.
  • Any organization whose privacy policy uses vague "trusted third-party partners" language without naming the tools (HubSpot, Mailchimp, Klaviyo, etc.) that process tracking data for their own purposes — vendors acting as joint controllers under GDPR Article 26 should be identified.

What You Need to Do

Use this checklist to prioritize your response:

  1. Audit every tracked email type. List every email send — marketing sends, sales one-to-one emails, automated workflows — and flag which ones already fire a tracking pixel.
  2. Identify your consent gaps. For each email type, confirm whether you already have valid, separate consent for tracking, not just consent (or opt-out coverage) to send the email.
  3. Fix sign-up forms first. New contacts collected going forward need consent captured at the point of collection — under France's guidance, silence counts as refusal, so pre-checked boxes or implied consent will not hold up.
  4. Add a genuine tracking opt-out. Recipients need a way to turn off tracking that is separate from the unsubscribe link — especially important for Italy, which requires granular withdrawal (a recipient can keep receiving emails while opting out of tracking specifically).
  5. Update your privacy policy. Disclose what the pixel collects, the legal basis, retention period, and which vendors are involved. Generic "third-party partners" language is no longer defensible.
  6. Keep individual-level proof of consent. A general assurance from your email service provider that it "handles consent" on your behalf will not necessarily satisfy a regulator on its own — you need your own consent records per contact.
  7. Review your narrow exemptions carefully. France allows a pixel confirming a login-code email was opened on a known device without new consent, and permits list-hygiene pixels (suppressing inactive addresses, adjusting send frequency) without consent only if strictly necessary and retention is minimal. Fraud/bot-detection pixels are not exempt under the French guidance. Italy separately permits an anonymized aggregate-statistics exemption that France does not offer.

France vs. Italy: Key Differences

Requirement France (CNIL) Italy (Garante)
Legal status Soft law / recommendation Formal provision, published in official gazette
Source Deliberation 2026-042 (Mar 12, 2026 adopted; Apr 14, 2026 published) Provision 284 (Apr 17, 2026 adopted; Apr 29, 2026 published)
Enforcement start Mid-July 2026 (stated intent) ~Six months from gazette date (aim for mid-October 2026 to be safe)
Existing contacts Can continue being tracked if given clear notice + opt-out before July 14, 2026 Governed by the six-month transition window
Consent bundling Pixel consent must be separate from consent to receive the email Pixel consent can be bundled with general marketing consent if wording is neutral
Aggregate-stats exemption Not granted Permitted for anonymized aggregate statistics
Withdrawal granularity Opt-out required before enforcement date Granular withdrawal required (tracking off, emails still received)
Fraud/bot detection pixels Not exempt (narrow login-code exception only) Not specifically addressed; treat as requiring consent

Timeline

  • March 12, 2026: CNIL adopts its email tracking pixel recommendation (France).
  • April 14, 2026: CNIL Deliberation 2026-042 published.
  • April 17, 2026: Garante adopts Provision 284 (Italy).
  • April 29, 2026: Provision 284 published in the official gazette.
  • July 14, 2026: Deadline for existing French contacts to receive clear notice and an opt-out before CNIL enforcement begins.
  • Mid-July 2026: CNIL's stated intent to begin enforcement.
  • Mid-October 2026 (practical target): Italy's ~six-month compliance window closes; treat this as your working deadline rather than relying on exact date interpretations.

How Tracking Settings Work in HubSpot

HubSpot separates tracking into two areas that need different handling:

  • Marketing email tracking: Controlled at the portal level via data privacy and consent settings.
  • One-to-one (sales) email tracking: A separate setting governing open/click tracking on individual sales emails.

Per HubSpot's own documentation and community guidance, marketing email tracking can only be toggled on or off portal-wide — there is no native per-contact tracking toggle. That means consent-based segmentation has to be built using workflows, subscription types, or a legal-basis property on the contact record, not a single tracking switch. Review HubSpot's guidance on turning on GDPR functionality and understanding opt-in consent for email for the underlying settings, then plan the workflow logic needed to respect country-specific tracking consent.

What Businesses Should Do Next

  • Segment French and Italian contacts so tracking-consent logic can be applied specifically to them, rather than changing tracking portal-wide.
  • Build a legal-basis or consent-status property to drive workflow branching, since HubSpot's native tracking toggle is all-or-nothing.
  • Coordinate with legal/privacy counsel on wording for consent capture and the new opt-out mechanism — this guidance is evolving and jurisdiction-specific.
  • Revisit vendor disclosures across every ESP or marketing tool in use, not just HubSpot.

How Vantage Point Helps

Vantage Point helps HubSpot and Salesforce teams translate regulatory changes like this into working CRM configuration — segmentation logic, subscription types, consent properties, and workflow branching — instead of a portal-wide setting that breaks reporting for the rest of the business. This work typically connects to Vantage Point's compliance and security solutions and HubSpot services, and for teams running both platforms, to HubSpot and Salesforce integration work to keep consent status consistent across systems.

If your team is evaluating how these consent changes apply to your HubSpot tracking setup, sign-up forms, or privacy policy language, Vantage Point can help assess the right next step and build a practical implementation plan. For related background on structuring HubSpot for regulatory requirements, see our guide to marketing compliance in HubSpot covering GDPR and CAN-SPAM.

FAQ

Does this mean I can no longer send cold B2B emails to France or Italy? No. This guidance does not eliminate the ability to send a cold B2B email under existing opt-out-based rules. What changes is that the tracking pixel attached to that email now needs its own consent basis, separate from whatever basis lets you send the email itself.

Is the French CNIL guidance legally binding? Not directly — it is a recommendation (soft law), not a binding regulation. However, CNIL has stated its intent to begin enforcing this guidance from mid-July 2026, so treat it as a practical compliance deadline even though it isn't a formal law.

Is the Italian Garante rule stronger than the French one? Yes. Provision 284 was published in Italy's official gazette, giving it more formal legal force than France's recommendation-based approach, even though both point to the same underlying consent requirement for tracking pixels.

Can I bundle tracking consent with my general marketing consent? It depends on the jurisdiction. Italy permits bundling pixel consent with general marketing consent if the wording is neutral. France requires tracking consent to be captured separately from consent to receive the email.

Does HubSpot let me turn off tracking for just French or Italian contacts? Not natively. HubSpot's marketing email tracking setting is portal-wide only — there's no built-in per-contact toggle. Teams need to build consent-based segmentation using workflows, subscription types, or a legal-basis property instead of relying on the tracking setting alone.

Are pixels used only for list hygiene exempt from consent? Under French guidance, list-hygiene pixels (suppressing inactive addresses, adjusting send frequency) may continue without new consent, but only if they are strictly necessary and retained data is minimal. This exemption does not extend to pixels used for campaign performance measurement, profiling, or fraud/bot detection.

Do I need to name HubSpot or my other email tools by name in my privacy policy? There is no blanket legal requirement to name every vendor, but vague "trusted third-party partners" language is increasingly indefensible. Any vendor processing tracking pixel data for its own purposes — which can make it a joint controller under GDPR Article 26 — should be identified.

What's the difference between this guidance and the EDPB's 2026 Coordinated Enforcement Framework? They are unrelated. The EDPB's Coordinated Enforcement Framework, launched March 19, 2026, is a broader transparency sweep across GDPR Articles 12–14 involving 25 data protection authorities, focused on privacy notices generally. The France and Italy email tracking guidance is a separate, pixel-specific set of rules and should not be conflated with the CEF sweep.

This article summarizes publicly available regulatory guidance as of July 2026 and is not legal advice. Consult your privacy counsel to confirm how these requirements apply to your organization.