New guidance from French and Italian data protection regulators changes how marketing and sales teams can track email opens and clicks for recipients in those countries. If you send tracked emails — marketing sends, one-to-one sales emails, or automated workflows — into France or Italy, you need to review your tracking settings and consent practices now, ahead of compliance dates in July and October 2026.
This is not a minor technical footnote. Regulators in both countries have confirmed that a tracking pixel is treated like a cookie: loading it counts as accessing a recipient's device, which triggers consent requirements under EU ePrivacy rules. That reclassification affects any team using HubSpot, or any other CRM/ESP, to measure opens and clicks.
What it is: France's CNIL and Italy's Garante have each issued guidance treating email tracking pixels (open/click tracking) as requiring recipient consent, separate from consent to receive the email itself.
Who it matters for: Any marketing, sales, or RevOps team sending tracked emails — marketing sends or one-to-one/sales emails — to contacts in France or Italy, including HubSpot users relying on default open/click tracking.
What decision it supports: Whether your current email programs need updated consent language, revised sign-up forms, a tracking opt-out mechanism, and updated privacy disclosures before the applicable dates.
Why Vantage Point is relevant: Vantage Point helps HubSpot and Salesforce teams configure consent-aware tracking, subscription types, and workflow logic so compliance changes don't break marketing operations.
Two separate regulatory actions, at different levels of legal force, both point in the same direction: email tracking pixels now require recipient consent in France and Italy.
The practical effect: pixel-based tracking used to measure opens and clicks for campaign performance, build engagement profiles, or support fraud/bot detection now needs its own consent basis — separate from any consent or legal basis you rely on to send the email itself.
Use this checklist to prioritize your response:
| Requirement | France (CNIL) | Italy (Garante) |
|---|---|---|
| Legal status | Soft law / recommendation | Formal provision, published in official gazette |
| Source | Deliberation 2026-042 (Mar 12, 2026 adopted; Apr 14, 2026 published) | Provision 284 (Apr 17, 2026 adopted; Apr 29, 2026 published) |
| Enforcement start | Mid-July 2026 (stated intent) | ~Six months from gazette date (aim for mid-October 2026 to be safe) |
| Existing contacts | Can continue being tracked if given clear notice + opt-out before July 14, 2026 | Governed by the six-month transition window |
| Consent bundling | Pixel consent must be separate from consent to receive the email | Pixel consent can be bundled with general marketing consent if wording is neutral |
| Aggregate-stats exemption | Not granted | Permitted for anonymized aggregate statistics |
| Withdrawal granularity | Opt-out required before enforcement date | Granular withdrawal required (tracking off, emails still received) |
| Fraud/bot detection pixels | Not exempt (narrow login-code exception only) | Not specifically addressed; treat as requiring consent |
HubSpot separates tracking into two areas that need different handling:
Per HubSpot's own documentation and community guidance, marketing email tracking can only be toggled on or off portal-wide — there is no native per-contact tracking toggle. That means consent-based segmentation has to be built using workflows, subscription types, or a legal-basis property on the contact record, not a single tracking switch. Review HubSpot's guidance on turning on GDPR functionality and understanding opt-in consent for email for the underlying settings, then plan the workflow logic needed to respect country-specific tracking consent.
Vantage Point helps HubSpot and Salesforce teams translate regulatory changes like this into working CRM configuration — segmentation logic, subscription types, consent properties, and workflow branching — instead of a portal-wide setting that breaks reporting for the rest of the business. This work typically connects to Vantage Point's compliance and security solutions and HubSpot services, and for teams running both platforms, to HubSpot and Salesforce integration work to keep consent status consistent across systems.
If your team is evaluating how these consent changes apply to your HubSpot tracking setup, sign-up forms, or privacy policy language, Vantage Point can help assess the right next step and build a practical implementation plan. For related background on structuring HubSpot for regulatory requirements, see our guide to marketing compliance in HubSpot covering GDPR and CAN-SPAM.
Does this mean I can no longer send cold B2B emails to France or Italy? No. This guidance does not eliminate the ability to send a cold B2B email under existing opt-out-based rules. What changes is that the tracking pixel attached to that email now needs its own consent basis, separate from whatever basis lets you send the email itself.
Is the French CNIL guidance legally binding? Not directly — it is a recommendation (soft law), not a binding regulation. However, CNIL has stated its intent to begin enforcing this guidance from mid-July 2026, so treat it as a practical compliance deadline even though it isn't a formal law.
Is the Italian Garante rule stronger than the French one? Yes. Provision 284 was published in Italy's official gazette, giving it more formal legal force than France's recommendation-based approach, even though both point to the same underlying consent requirement for tracking pixels.
Can I bundle tracking consent with my general marketing consent? It depends on the jurisdiction. Italy permits bundling pixel consent with general marketing consent if the wording is neutral. France requires tracking consent to be captured separately from consent to receive the email.
Does HubSpot let me turn off tracking for just French or Italian contacts? Not natively. HubSpot's marketing email tracking setting is portal-wide only — there's no built-in per-contact toggle. Teams need to build consent-based segmentation using workflows, subscription types, or a legal-basis property instead of relying on the tracking setting alone.
Are pixels used only for list hygiene exempt from consent? Under French guidance, list-hygiene pixels (suppressing inactive addresses, adjusting send frequency) may continue without new consent, but only if they are strictly necessary and retained data is minimal. This exemption does not extend to pixels used for campaign performance measurement, profiling, or fraud/bot detection.
Do I need to name HubSpot or my other email tools by name in my privacy policy? There is no blanket legal requirement to name every vendor, but vague "trusted third-party partners" language is increasingly indefensible. Any vendor processing tracking pixel data for its own purposes — which can make it a joint controller under GDPR Article 26 — should be identified.
What's the difference between this guidance and the EDPB's 2026 Coordinated Enforcement Framework? They are unrelated. The EDPB's Coordinated Enforcement Framework, launched March 19, 2026, is a broader transparency sweep across GDPR Articles 12–14 involving 25 data protection authorities, focused on privacy notices generally. The France and Italy email tracking guidance is a separate, pixel-specific set of rules and should not be conflated with the CEF sweep.
This article summarizes publicly available regulatory guidance as of July 2026 and is not legal advice. Consult your privacy counsel to confirm how these requirements apply to your organization.