Email Tracking Pixels, Employee Email Rights and GDPR Enforcement in Italy (2026): What Italian Businesses Must Do

By Global Law Experts
– posted 2 hours ago

Last reviewed: 16 May 2026

Email tracking in Italy entered a new regulatory era on 17 April 2026, when the Garante per la protezione dei dati personali, the Italian data protection authority, adopted binding guidelines on the use of tracking pixels in email communications. The Provvedimento del 17 aprile 2026 establishes that embedding invisible tracking pixels in emails is lawful only where recipients receive adequate prior information and, for most marketing contexts, give explicit consent. Separately, the Garante issued enforcement decisions in the same period that classified all communications held in individually assigned corporate email accounts as personal data, dramatically expanding employee email rights in Italy. Together with a headline €12.5 million fine reported in April–May 2026, these actions create urgent compliance obligations for every Italian organisation that sends marketing emails, operates employee email systems, or uses third-party email-tracking tools.

Executive Summary: What Italian Businesses Must Know Right Now

The Garante’s April 2026 guidelines make the legal position on email tracking pixels unambiguous: their use without transparency and, in most cases, prior consent is unlawful under the GDPR as applied in Italy. The guidelines apply to all organisations, regardless of sector or size, that embed tracking technologies in email communications sent to recipients located in Italy.

At the same time, the Italian data protection authority has reinforced that employers cannot freely access, monitor, or process the contents of individually assigned corporate email accounts. These communications constitute the personal data of the account holder, and any processing by the employer requires a clear legal basis and transparent notice to the employee.

Industry observers expect these decisions to trigger a wave of compliance activity across Italian businesses in Q2 and Q3 2026. The five immediate actions every affected organisation should take are:

  • Pause undisclosed pixel deployment. Suspend the embedding of tracking pixels in any email campaign where recipients have not been clearly informed and have not provided valid consent.
  • Audit all email templates and tools. Map every email stream (marketing, transactional, internal) and identify where tracking pixels or equivalent technologies are present.
  • Review and update consent mechanisms. Ensure opt-in flows for email marketing capture specific, informed consent to pixel tracking, not just consent to receive emails.
  • Issue or update employee notices. Publish a clear notice explaining how corporate email accounts are managed, what data is processed, and the legal basis relied upon.
  • Initiate or refresh a DPIA. Where email tracking involves large-scale profiling or combination with other personal data, a Data Protection Impact Assessment is mandatory.

Background: What Are Email Tracking Pixels and How They Work

An email tracking pixel is a tiny, typically invisible image, often just one pixel by one pixel and transparent, embedded in the HTML body of an email. When the recipient opens the email and their mail client loads remote images, the pixel fires a request back to the sender’s server. That server logs the event and captures associated metadata.

This mechanism is distinct from link tracking, which records when a recipient clicks a hyperlink within the email. Tracking pixels operate passively: the recipient does not need to take any deliberate action beyond opening the message. The data collected through this process carries significant privacy implications.

| Data Collected by Tracking Pixels | Privacy Impact |
| --- | --- |
| Whether and when the email was opened | Reveals reading habits and engagement patterns, behavioural profiling |
| IP address of the device at the time of opening | Can reveal approximate geolocation and identify the individual’s network |
| Device type, operating system, email client | Enables device fingerprinting and cross-device tracking |
| Number of opens and timestamps | Allows construction of detailed behavioural timelines |
| Forwarding behaviour (when combined with unique identifiers) | Extends tracking beyond the original recipient without their knowledge |

Because these pixels operate silently and without any visible interface element, most recipients are unaware that opening an email triggers data collection. This opacity is precisely what prompted the Garante to issue specific guidance on GDPR email tracking obligations.
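The mechanism described above is what a template audit has to find: a remote image that is invisible to the reader and carries a per-recipient identifier in its URL. The Python sketch below is an added example, not part of the original article or the Garante's guidance; it flags such images in an email HTML body. Its heuristics, the `{{...}}` merge-tag syntax and the `example.invalid` hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Heuristics only: a finding means "review this image", not proof of tracking.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
STYLE_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)(?:px)?\s*(?:;|$)", re.I)
# Values that look like a per-recipient identifier: long hex strings, UUIDs,
# {{merge tags}} (assumed template syntax) and e-mail addresses.
TOKEN = re.compile(
    r"[0-9a-f]{16,}|[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"|\{\{.+?\}\}|[\w.+-]+@[\w-]+\.\w+",
    re.I,
)


def _tiny(value):
    """True if a width/height attribute value is 0 or 1 (optionally with 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1


class PixelAuditor(HTMLParser):
    """Collects remote <img> tags that behave like open-tracking pixels."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        try:
            parts = urlsplit(src)
        except ValueError:  # malformed URL in the template: nothing to classify
            return
        # Only remote images call back on open; cid: and data: are embedded.
        if parts.scheme not in ("http", "https") and not src.startswith("//"):
            return
        style = a.get("style", "")
        dims = {k.lower(): int(v) for k, v in STYLE_DIM.findall(style)}
        reasons = []
        attr_tiny = _tiny(a.get("width")) and _tiny(a.get("height"))
        style_tiny = dims.get("width", 2) <= 1 and dims.get("height", 2) <= 1
        if attr_tiny or style_tiny:
            reasons.append("1x1 or zero-size image")
        if HIDDEN.search(style) or "hidden" in a:
            reasons.append("hidden via style/attribute")
        id_params = [k for k, v in parse_qsl(parts.query) if TOKEN.search(v)]
        if id_params or TOKEN.search(parts.path):
            reasons.append("per-recipient token in URL")
        if reasons:
            self.findings.append(
                {"host": parts.netloc, "src": src, "id_params": id_params, "reasons": reasons}
            )


def audit_email_html(html):
    """Return one finding per suspicious remote image in an e-mail HTML body."""
    auditor = PixelAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample template (hosts and token are made up for this example).
SAMPLE_TEMPLATE = """
<html><body>
<img src="cid:logo@example.invalid" width="120" height="40" alt="Logo">
<img src="https://cdn.example.invalid/img/banner-spring.png" width="600" height="200" alt="Banner">
<img src="https://track.example.invalid/o/9f86d081884c7d659a2feaa0c55ad015.gif" width="1" height="1" alt="">
<img src="https://esp.example.invalid/open?rid={{recipient_id}}&amp;c=42" style="display:none" alt="">
</body></html>
"""

if __name__ == "__main__":
    for f in audit_email_html(SAMPLE_TEMPLATE):
        print(f["host"], f["id_params"], "; ".join(f["reasons"]))
```

Embedded (`cid:`) images and ordinary visible banners are not reported; each finding lists the host that would receive the open event, which is the information needed for the tracking-technology map and the vendor review.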

The Garante’s April 2026 Guidance on Email Tracking in Italy: Key Legal Findings

On 17 April 2026, the Garante adopted its Provvedimento containing formal guidelines on the use of tracking pixels in email communications (docweb no. 10241943, published on the Garante’s official website). The guidelines represent the most detailed position any EU data protection authority has taken on this specific technology to date, and they establish several firm principles.

The Garante affirms that the use of tracking pixels is lawful only on the condition that the recipient is informed in advance and, where the processing goes beyond what is strictly necessary for technical delivery, valid consent is obtained. The guidelines emphasise that tracking pixels constitute a form of electronic tracking technology that stores or accesses information on a user’s terminal equipment, engaging both the GDPR and the ePrivacy framework (Directive 2002/58/EC as transposed into Italian law by Legislative Decree 196/2003).

Key Requirements from the Garante Guidance

  • Transparency first. All data controllers using tracking pixels must inform recipients clearly, in their privacy policy or a dedicated notice, about the presence of pixels, the data collected, the purposes, the legal basis, and the data retention period.
  • Consent for marketing pixels. Where tracking pixels are used in promotional or marketing emails, prior explicit consent is required. The Garante rejects the argument that consent to receive marketing emails automatically covers consent to be tracked via pixels.
  • Granularity of consent. Consent to pixel tracking must be separate from consent to receive communications. Bundled consent does not satisfy GDPR requirements.
  • DPIA obligation. Where tracking involves large-scale processing, systematic monitoring, or combination of pixel data with other profiling data, a Data Protection Impact Assessment under GDPR Article 35 is mandatory.
  • Accountability documentation. Controllers must document the legal basis relied upon, the DPIA (where applicable), and the technical measures adopted to ensure compliance.

Timeline of April–May 2026 Enforcement Actions

The tracking pixel guidelines did not emerge in isolation. The Garante issued several significant decisions in the same period:

  • 17 April 2026: Adoption of the Provvedimento on tracking pixels in email communications (docweb no. 10241943).
  • April 2026: The Garante issued a decision expanding employee rights over individually assigned corporate email accounts, classifying all communications held within such accounts as personal data.
  • April–May 2026: A €12.5 million fine was imposed in a major GDPR enforcement action. Industry reporting indicates the decision related to data protection violations involving email practices, underscoring the Garante’s willingness to impose substantial penalties.

The convergence of these actions sends a clear signal: email tracking in Italy is now a regulatory priority, and the Italian data protection authority is prepared to enforce aggressively.

Legal Analysis: GDPR Tests for Email Tracking in Italy

Understanding the Garante’s guidance requires a detailed examination of the applicable GDPR legal bases and how the Italian data protection authority interprets them in the context of email tracking pixels.

Consent: When Required and What Counts

Under GDPR Article 6(1)(a) and Article 7, consent must be freely given, specific, informed, and unambiguous. The Garante’s guidance makes clear that for marketing email tracking, consent is the only viable legal basis in most circumstances. Several conditions must be satisfied simultaneously:

  • Specificity. Consent to receive marketing emails does not extend to consent for pixel tracking. These are separate processing activities with distinct purposes.
  • Prior information. Before consent is collected, the recipient must be told what tracking technologies are embedded, what data they collect, and how that data will be used.
  • Genuine choice. Consent must not be a precondition for receiving a service or communication unless tracking is genuinely necessary for that service.
  • Withdrawability. Recipients must be able to withdraw consent to tracking at any time, without affecting their ability to continue receiving emails.

Legitimate Interest: Limited Applicability

Some organisations have historically relied on GDPR Article 6(1)(f), legitimate interest, to justify email tracking without explicit consent. The Garante’s guidance substantially limits this approach for marketing pixels. The authority’s reasoning is straightforward: because tracking pixels operate covertly and collect data that can reveal behavioural patterns, the intrusion into the data subject’s rights typically outweighs the controller’s commercial interest. Industry observers expect this position to align with anticipated EDPB guidance on similar issues.

Legitimate interest may remain defensible in narrow circumstances, for example, monitoring delivery rates for transactional emails where the data collected is limited to a delivery confirmation and no profiling occurs. Even in these cases, a legitimate interest assessment (balancing test) must be documented and recipients must still be informed.

Transparency and Information Obligations

GDPR Articles 13 and 14 require controllers to provide specific information about processing activities. In the context of email tracking, this means privacy policies and email-specific notices must disclose:

  • The identity of the controller and, where applicable, the processor (e.g., the email platform provider)
  • The specific tracking technologies used (pixels, link tracking, or both)
  • The categories of data collected
  • The purposes for which the data is processed
  • The legal basis relied upon
  • Data retention periods
  • The recipient’s rights, including the right to withdraw consent and lodge a complaint with the Garante

DPIA: When Mandatory for Email Tracking

Under GDPR Article 35, a DPIA is required where processing is likely to result in a high risk to the rights and freedoms of natural persons. The Garante’s guidance identifies specific triggers relevant to email tracking:

  • Large-scale processing (e.g., marketing emails sent to databases exceeding tens of thousands of recipients)
  • Systematic monitoring of behaviour (e.g., tracking open rates over time to build engagement profiles)
  • Combination of pixel data with other identifiers (e.g., merging tracking data with CRM profiles, purchase history, or website analytics)
  • Use of innovative technologies or new applications of existing technologies

Practical Proof Points to Document

To demonstrate compliance, organisations should maintain documented evidence of the following: the legitimate interest assessment or consent record for each email stream; the DPIA (where required); the privacy notice provided to recipients; technical documentation of the tracking mechanisms deployed; and records of data retention and deletion in line with stated policies.

Employee Email Rights in Italy: Garante Decisions on Corporate Email Access

The April 2026 Garante decisions on employee email rights represent a significant expansion of data protection obligations for Italian employers. The Italian data protection authority classified all communications held in an individually assigned email account as personal data of the account holder, regardless of whether the content is business-related or personal.

This means that an employer’s access to, monitoring of, or processing of emails in an employee’s individually assigned mailbox constitutes processing of personal data under the GDPR. The practical consequences are far-reaching for corporate email access in Italy.

Implications for Employer Access and Monitoring

  • No blanket right of access. Employers cannot freely read, copy, or archive the contents of an employee’s assigned email account without a specific, documented legal basis.
  • Monitoring restrictions. Automated monitoring tools that scan email content, track email activity within corporate accounts, or log metadata must comply with both GDPR and the Italian Workers’ Statute (Law 300/1970, Article 4), which restricts remote surveillance of employees.
  • Post-employment retention. Retaining access to a former employee’s email account after termination requires careful legal justification and must be time-limited.
  • Access request rights. Employees have the right under GDPR Article 15 to request access to any personal data the employer holds in their email account, and under Article 17 to request deletion where the legal basis for retention no longer applies.

How to Process Employee Access Requests

When an employee submits a data subject access request relating to their corporate email account, the employer must respond within 30 days (GDPR Article 12(3)). The response should include a copy of the personal data processed, along with information about the purposes, categories, recipients, and retention periods. Where the employer claims a legal basis for retaining access to certain communications (e.g., regulatory obligations, litigation holds), this must be specifically documented and communicated to the employee.

Template Employee Notice: Key Elements

Employers should issue or update an employee notice covering corporate email account management. The notice should address:

  • The scope of employer access to the email account (what circumstances permit access, who can authorise it)
  • Any monitoring tools deployed and their purposes
  • The legal basis for each type of processing
  • Retention periods for email data, including post-employment
  • Employee rights under the GDPR, including access, rectification, erasure, and the right to lodge a complaint with the Garante

Enforcement, GDPR Fines in Italy and Litigation Risk

The April–May 2026 enforcement actions confirm that the Garante is willing to impose significant penalties for GDPR violations involving email practices. The €12.5 million fine reported during this period represents one of the largest penalties issued by the Italian data protection authority and serves as a benchmark for the scale of financial exposure organisations face.

The Garante considers several aggravating factors when determining the level of GDPR fines in Italy:

  • Absence of a DPIA. Failure to conduct a required DPIA is treated as a standalone breach and an aggravating factor.
  • Lack of valid consent. Processing personal data through tracking pixels without the required consent compounds the infringement.
  • Insufficient transparency. Privacy notices that fail to mention tracking technologies or that bundle consent demonstrate systemic non-compliance.
  • Duration and scale. Long-running tracking programmes affecting large numbers of data subjects attract higher penalties.
  • Lack of cooperation. Failure to engage constructively with the Garante during an investigation can increase sanctions.

Risk Matrix for Italian Businesses

| Risk Level | Scenario | Mitigation Steps |
| --- | --- | --- |
| High | Marketing emails with tracking pixels, no consent, no DPIA, no privacy notice disclosure | Immediately suspend pixel deployment; implement consent flows; conduct DPIA; update privacy notices |
| Medium | Transactional emails with tracking pixels, legitimate interest claimed but not documented, privacy notice incomplete | Document legitimate interest assessment; update privacy notices; minimise data collection; review vendor contracts |
| Low | No tracking pixels used; employee email policies in place and recently updated; DPIA completed | Maintain documentation; schedule periodic reviews; monitor Garante guidance updates |

Beyond administrative fines, organisations face civil litigation risk. Data subjects who suffer damage from unlawful tracking may claim compensation under GDPR Article 82. Class actions and collective claims are also a growing risk in Italy, particularly following increased awareness of email tracking practices.

9-Step Remediation and Audit Playbook for Email Tracking in Italy

The following playbook provides a structured approach to achieving compliance with the Garante’s April 2026 guidance. Each step identifies the responsible function and a recommended timeline.

  1. Inventory all email streams (Days 1–7 | Owner: Marketing + IT). Catalogue every type of email your organisation sends: marketing campaigns, newsletters, transactional notifications, internal communications, and automated workflows. Document which systems and platforms are used.
  2. Map tracking technologies (Days 1–14 | Owner: IT + Legal). For each email stream, identify whether tracking pixels, link tracking, or other tracking technologies are embedded. Record the data each technology collects and where that data is stored.
  3. Classify legal basis per email stream (Days 7–21 | Owner: Legal/DPO). For each stream, determine the appropriate legal basis: consent for marketing pixels, legitimate interest for limited transactional tracking, or employment-law basis for internal emails. Document the analysis.
  4. Conduct or update DPIA (Days 14–30 | Owner: DPO + Legal). For any stream involving large-scale profiling, systematic monitoring, or data combination, complete a DPIA using the checklist template below.
  5. Redesign consent flows (Days 14–45 | Owner: Marketing + Legal). Update sign-up forms, preference centres, and email footers to capture specific, granular consent for pixel tracking. Ensure consent is separate from email subscription consent.
  6. Update privacy notices (Days 14–30 | Owner: Legal). Amend privacy policies and email-specific notices to disclose tracking technologies, data collected, purposes, legal basis, retention periods, and data subject rights.
  7. Issue or update employee email notices (Days 14–30 | Owner: HR + Legal). Publish a clear internal notice explaining corporate email account management, monitoring practices, legal basis, and employee rights.
  8. Review vendor and processor contracts (Days 30–60 | Owner: Legal + Procurement). Audit contracts with email platform providers and tracking tool vendors. Ensure GDPR-compliant data processing agreements are in place and that sub-processors are identified.
  9. Implement ongoing monitoring and review (Day 60+ | Owner: DPO). Establish a quarterly review cycle covering consent rates, DPIA updates, Garante guidance developments, and vendor compliance. Document all reviews.

Comparison: Email Tracking Compliance by Use Case

| Entity Type | Are Tracking Pixels Allowed? | Required Legal Basis / Key Steps |
| --- | --- | --- |
| B2C marketing emails (mass marketing) | Allowed only with prior informed opt-in consent (per Garante guidance) | Obtain explicit consent; include clear info in privacy policy and email footers; record consent; perform DPIA if profiling or large scale |
| B2B transactional emails (service updates, contracts) | May be allowed in narrow cases but treat cautiously; transparency still required | Assess purpose; prefer legitimate interest for strictly necessary transactional messages; still inform recipients; minimise data collected |
| Internal corporate emails (employee accounts) | Access and use limited; communications in individually assigned accounts treated as personal data | Update HR policies; publish employee notice; restrict automated tracking of internal emails; respond to access requests per Garante guidance |

Templates and Practical Content for Email Marketing Compliance

DPIA Checklist for Email Tracking

  • Describe the email streams and tracking technologies deployed
  • Identify the nature, scope, context, and purposes of tracking data processing
  • Assess necessity and proportionality: is each pixel strictly necessary for the stated purpose?
  • Identify risks to data subjects’ rights (covert profiling, geolocation inference, behavioural scoring)
  • Document mitigating measures (consent mechanisms, data minimisation, retention limits, pseudonymisation)
  • Evaluate residual risk after mitigation
  • Record the DPO’s opinion and the controller’s decision
  • Set a review date (recommended: every 12 months or after material changes)

Employee Email Access Notice: Core Elements

  • Controller identity: [Organisation name, registered office, DPO contact details]
  • Scope: This notice applies to all individually assigned corporate email accounts
  • Purposes of processing: [Specify, e.g., business communication management, IT security, regulatory compliance]
  • Legal basis: [Specify, e.g., legitimate interest for IT security; legal obligation for regulatory retention]
  • Access rules: Employer access to email account contents is permitted only in documented circumstances (specify) and requires authorisation by [specify role]
  • Retention: Email data is retained for [specify period]; post-employment accounts are deactivated within [specify period] and data deleted within [specify period]
  • Employee rights: You have the right to access, rectification, erasure, restriction, portability, and to lodge a complaint with the Garante per la protezione dei dati personali

Marketing Email Consent Snippet

The following is sample consent language for integration into sign-up forms and preference centres:

“I consent to [Organisation name] using tracking technologies (including tracking pixels) in marketing emails sent to me, in order to monitor email opens, measure engagement, and improve communications. I understand that this tracking collects data including the time of opening, my IP address, and device information. I can withdraw this consent at any time by updating my preferences [link] or contacting [DPO email]. Full details are available in our privacy policy.”

Next Steps

The Garante’s April 2026 decisions on email tracking in Italy demand prompt action from every organisation that sends emails to Italian recipients or manages employee email accounts. The compliance window is narrow, and the enforcement climate has never been stricter.

Organisations that proactively audit their email practices, implement granular consent mechanisms, update employee notices, and complete the required DPIAs will be best positioned to avoid regulatory action and the significant fines now being imposed. Those that delay face escalating legal and financial risk.

For jurisdiction-specific advice on implementing these requirements, including tailored DPIAs, employee notices, and consent architectures, contact a qualified Italian data protection lawyer through the Global Law Experts network.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Susanna Greggio at GTA Studio Legale, a member of the Global Law Experts network.

Sources

  1. Garante per la protezione dei dati personali, Provvedimento del 17 aprile 2026
  2. A&O Shearman, Tracking Pixels in Emails: Italy’s New GDPR Guidelines
  3. InsidePrivacy, Italian DPA Publishes Guidelines on Email Tracking Pixels
  4. Consentmo, €12.5M Fine and New Email Rules: What Italy’s April 2026 GDPR Decisions Mean
  5. Altalex, Tracking pixel email: linee guida Garante privacy 2026
  6. GamingTechLaw, Tracking Pixels: Garante and CNIL Guidelines in Comparison

FAQs

Are email tracking pixels lawful under GDPR in Italy?
Yes, but only where the Garante’s conditions are met: recipients must be adequately informed in advance and, for most marketing pixels, explicit consent is required. A DPIA may also be necessary depending on scale and purpose.
The Garante clarified that communications in individually assigned work email accounts are personal data of the account holder. This expands employee rights to access their data and limits employer monitoring without a clear legal basis and proper notices.
Penalties vary by severity, but recent enforcement in April–May 2026 included a major €12.5 million decision. Fines depend on factors including lack of consent, absence of a DPIA, duration of infringement, and remedial steps taken.
Conduct an inventory of email templates and tools, map all tracking pixels, review consent flows, run a DPIA where needed, update privacy notices and employee policies, and implement opt-in mechanisms for marketing emails.
Yes. The Garante treats communications in an individual’s assigned corporate account as personal data, meaning full GDPR protections apply and employers must justify any access or processing.
A DPIA is required if tracking involves large-scale profiling, systematic monitoring of behaviour, combination with other personal identifiers, or could otherwise create high risk to individuals’ rights. Consult the DPIA checklist in this guide.
Possibly, but only after a vendor assessment, updated data processing agreements, a documented legal basis (usually consent for marketing), and appropriate technical safeguards. Ensure the vendor’s processing is covered in your privacy notice.
