Italy Tightens Rules on Email Tracking Pixels, Mandates Consent & Greater Transparency

Key Takeaways

• Mandatory Consent Requirement: Tracking pixels in emails will generally require prior, free, specific, and informed user consent under Article 122 of Italy’s Privacy Code.
• Transparency Obligations: Organizations must clearly inform users about tracking practices and provide simple, accessible ways to withdraw consent, including selectively.
• Limited Exceptions Apply: Use without consent is only permitted in narrow cases such as security, strictly necessary technical functions, or certain institutional and service communications, subject to proportionality and data minimization.
• Privacy by Design Emphasis: Entities are expected to implement safeguards by design and by default to reduce identifiability risks and limit the spread of personal data.

Deep Dive

The Italian Data Protection Authority is aiming at one of the more opaque tools in digital communications, issuing new guidelines that reshape how organizations can use tracking pixels in emails.

Often invisible to recipients, these tiny embedded images allow senders to detect when an email is opened and gather insights into user behavior. The regulator did not mince words in its assessment, describing the technology as particularly invasive, especially when deployed without the recipient’s full awareness.

The newly published guidance seeks to shift that dynamic. At the center of the framework is a clear expectation that organizations must obtain prior, informed consent before using tracking pixels in most cases. The Authority confirmed that such tools fall under Article 122 of Italy’s Privacy Code, which governs technologies that access information on a user’s device or monitor online activity. In practical terms, that places tracking pixels in the same regulatory category as other forms of user-tracking technologies, with consent serving as the primary legal basis.

The move reflects a broader push to bring transparency to practices that have long operated in the background of everyday digital interactions. Under the guidelines, organizations are required to clearly inform users about how tracking pixels are used and to provide straightforward ways for individuals to withdraw consent—down to the ability to do so selectively.

That said, the Authority stopped short of imposing an outright ban. Limited exceptions remain in place, including for security-related uses, strictly necessary technical functions, and certain institutional or service communications. Even in those cases, however, organizations must adhere to core principles such as proportionality and data minimization.

The guidance also underscores the growing importance of building privacy protections into systems from the outset. Organizations are expected to adopt “privacy by design and by default” measures, with a focus on reducing the risk that individuals can be identified and limiting the broader circulation of personal data.

The scope of the rules is wide. They apply not only to email providers and operators of mass mailing platforms, but to any entity using tracking pixels in its communications, including information society service providers and organizations offering publicly accessible online services.

Companies now have a defined runway to adapt. The Authority has given organizations six months from the publication of the guidelines in the Official Journal to bring their practices into line.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.