Do tracking pixels in emails require explicit user consent under the Garante's 2026 guidance?

In most marketing contexts, yes. The Garante treats tracking pixels that enable profiling, audience segmentation or targeted advertising as requiring prior, informed consent under the GDPR. This requirement was formalised in Provision No. 284 (17 April 2026), published in Gazzetta Ufficiale No. 98 on 29 April 2026. Strictly necessary, non-profiling uses, such as verifying email delivery for technical troubleshooting, may rely on a legitimate-interest basis, but the controller must document a balancing test.

What must be included in privacy notices and marketing consent to cover tracking pixels?

Privacy notices must clearly identify the tracking technology used (e.g., invisible pixel image), state each purpose (analytics, profiling, ad targeting), list the categories of data collected (IP address, device type, open time), name third-party recipients, specify retention periods and explain how consent can be withdrawn. Consent must be captured through a separate, unticked checkbox with specific, plain-language wording, not bundled with general marketing consent.

Which organisations and email uses are affected, and what is the compliance deadline?

All private and public entities that embed tracking pixels in emails directed to recipients in Italy are affected, including B2C marketers, B2B senders, ESPs and public authorities. The scope covers marketing newsletters, DEM campaigns, and potentially transactional emails if pixels are used for profiling. The compliance deadline is 28 October 2026, six months after publication in the Gazzetta Ufficiale.

What technical and organisational measures should controllers implement?

Controllers should implement conditional pixel loading (suppressing pixels for non-consenting recipients), server-side aggregation of analytics, first-party pixel hosting, consent-token architecture, IP-address truncation, automated retention schedules, encryption and strict access controls. A DPIA should be completed where systematic, large-scale monitoring of email engagement occurs.

How should I update contracts with ESPs and third parties?

Review and amend data-processing agreements to include pixel-specific processing instructions, sub-processor lists covering all entities in the pixel data flow, audit rights over tracking configurations, data-transfer safeguards for non-EEA processing and liability clauses for non-compliance with Garante requirements.

Can I rely on soft opt-out or pre-ticked boxes?

No. The Garante requires consent to be unambiguous and freely given under Article 7 of the GDPR. Pre-ticked boxes, implied consent through continued email engagement or failure to opt out do not constitute valid consent for tracking pixels used for profiling purposes.

If my mailing list was collected before 17 April 2026, do I need to re-obtain consent?

Industry observers expect that re-permissioning will be necessary for any list whose original consent did not explicitly cover tracking-pixel profiling. Controllers should run a dedicated re-permission campaign before 28 October 2026, clearly explaining the tracking practices, providing an explicit opt-in button and disabling tracking for recipients who do not respond.

What are the penalties for non-compliance?

The Garante can impose the full range of GDPR corrective measures, including orders to cease processing, temporary or permanent bans on tracking-pixel use, and administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. The severity of any sanction will depend on factors such as the scale of processing, the degree of cooperation and whether the infringement was intentional or negligent.

Tracking Pixels In Emails Italy 2026

The rules governing tracking pixels in emails in Italy 2026 changed fundamentally on 17 April 2026, when the Garante per la Protezione dei Dati Personali adopted Provision No. 284, its first dedicated set of Linee guida on the use of invisible tracking technologies embedded in commercial and institutional email. Published in Gazzetta Ufficiale No. 98 on 29 April 2026, the guidance triggers a six-month compliance window that expires on 28 October 2026.

Every organisation that sends emails containing tracking pixels to recipients in Italy, whether a multinational retailer, a mid-size B2B supplier, an email service provider (ESP) or a local SME running a Mailchimp newsletter, must now decide how to modify consent flows, update privacy notices, renegotiate vendor contracts and, where necessary, disable pixel tracking entirely before the deadline.

Tracking Pixels Guidance from the Garante: Quick Regulatory Summary of Provision No. 284

Provision No. 284, accessible on the Garante’s Doc-Web portal (Doc-Web 10241977), establishes a clear legal framework for tracking pixels (also known as “web beacons” or “spy pixels”) that are loaded when a recipient opens an email. The Garante classifies these technologies as data-collection tools capable of processing personal data, including IP addresses, device identifiers, geolocation signals, time-of-open patterns and behavioural profiles, bringing them squarely within the scope of the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.

The key legal principles established by the tracking pixels guidance from the Garante can be summarised as follows:

Classification as personal data processing. A tracking pixel that records an individual’s IP address, device type, or engagement behaviour constitutes processing of personal data under Article 4(2) of the GDPR. Aggregated open-rate statistics alone may fall below the threshold, but the Garante makes clear that most commercial implementations go further.
Lawful basis, consent for profiling use. Where tracking pixels are used to build recipient profiles, segment audiences, trigger automated follow-up emails or feed behavioural-advertising platforms, the Garante requires the data controller to obtain prior, informed, freely given and unambiguous consent under Articles 6(1)(a) and 7 of the GDPR.
Transparency and information duties. Controllers must provide clear and complete information, before any pixel fires, about the technology used, the specific purposes, the categories of data collected, any third-party recipients, retention periods and the right to withdraw consent. This obligation flows from Articles 12 and 13 of the GDPR.
Data Protection Impact Assessment (DPIA). The Garante flags that systematic, large-scale monitoring of email engagement through tracking pixels is likely to result in a high risk to individuals’ rights and freedoms, triggering the Article 35 GDPR obligation to carry out a DPIA before processing begins.
Exceptions. Strictly necessary, non-profiling use, for example, a pixel that verifies email delivery to diagnose a technical fault, may be permissible under a legitimate-interest basis, provided the controller documents a balancing test and limits data collection to the minimum necessary.
Six-month compliance window. Organisations have until 28 October 2026 to bring existing practices into line with the guidance.

Scope: Which Emails and Organisations Are Affected by Email Tracking Compliance in Italy 2026

The Garante’s guidance does not limit its application to a single type of sender or message. Any entity, private or public, that embeds a tracking pixel in an email directed to recipients located in Italy falls within scope. However, the practical obligations differ depending on the nature of the communication and the purposes behind the pixel. The table below illustrates the three principal categories.

Entity / Email Type	Is Tracking Pixel Consent Required?	Typical Controls Required
B2C marketing newsletters and DEM (direct email marketing)	Yes, explicit opt-in consent is required when the pixel is used for profiling, audience segmentation or targeted advertising. Even basic open-rate tracking should be accompanied by prior information; the safest approach is to collect explicit consent.	Consent capture at signup with a separate, unticked checkbox; opt-out link in every message; no third-party pixel loading until consent is recorded; proof-of-consent token stored and auditable.
Transactional / operational emails (invoices, shipping confirmations, password resets)	Potentially exempt if the pixel is strictly necessary for service delivery or security monitoring and no profiling occurs. If the pixel also feeds analytics or marketing platforms, consent is required.	Limit collection to technically necessary metrics; document the legal basis (legitimate interest with balancing test); implement granular vendor controls; conduct a DPIA if profiling is possible.
Public authorities / institutional notifications	Different regime applies. Consent may not be the appropriate legal basis for public-interest processing, but tracking pixels for profiling purposes remain problematic. Legal counsel should be consulted on a case-by-case basis.	Legal basis analysis aligned with public-interest provisions; transparency notice; strict retention limits; security measures; no third-party data sharing without a documented basis.

Borderline cases deserve particular attention. A service confirmation email that embeds a pixel feeding data back to a marketing-automation platform for re-targeting crosses the line from operational to profiling use, and triggers the consent requirement. Industry observers expect the Garante to take a strict view of such hybrid deployments.

Tracking Pixel Consent Requirements Under the Garante’s 2026 Guidance

The consent standard for tracking pixel consent in Italy mirrors the GDPR’s general framework but is applied by the Garante with specific rigour in the email context. To be valid, consent must be:

Freely given, the recipient must have a genuine choice. Bundling pixel consent with the overall newsletter subscription (a “take it or leave it” approach) is unlikely to meet this standard.
Specific, consent for tracking-pixel processing must be granular and separate from consent for receiving the email itself.
Informed, the controller must explain, in plain language, what a tracking pixel does, what data it collects and how that data will be used.
Unambiguous, affirmative action is required. Pre-ticked boxes, silence or inactivity do not constitute valid consent under Article 7 of the GDPR, and the Garante explicitly rejects these methods in the context of email tracking.

Model Consent Checkbox Language

The following sample wording can be adapted for newsletter signup forms. Both an Italian and an English version are provided.

Italian: ☐ Acconsento all’uso di tecnologie di tracciamento (pixel di tracciamento) nelle email inviatemi, al fine di analizzare le mie interazioni con i messaggi e personalizzare le comunicazioni future. Posso revocare il consenso in qualsiasi momento tramite il link presente in ogni email o contattando [indirizzo email del DPO].

English: ☐ I consent to the use of tracking technologies (tracking pixels) in the emails sent to me, for the purpose of analysing my interactions with messages and personalising future communications. I may withdraw consent at any time via the link in each email or by contacting [DPO email address].

Withdrawal of Consent

Under Article 7(3) of the GDPR, it must be as easy to withdraw consent as it was to give it. In practice, this means every email containing a tracking pixel should include a clearly visible mechanism, such as a one-click “disable tracking” link or a preference-centre page, that immediately suppresses pixel loading for that recipient. The controller must process withdrawal requests without undue delay and log the timestamp and method of withdrawal for audit purposes.

Privacy Notice Tracking Pixels: Required Disclosures and Sample Wording

Provision No. 284 reinforces the obligations under Articles 12 and 13 of the GDPR: data subjects must receive clear information about tracking-pixel processing before the pixel fires for the first time. The privacy notice must address the following elements at a minimum:

Identity of the tracking technology. Name the type of technology used (e.g., “invisible 1×1 pixel image” or “web beacon”) and state where it is embedded (in the email body or via a linked image hosted on a third-party server).
Purposes of processing. Specify each purpose clearly, open-rate analytics, click-through measurement, recipient profiling, audience segmentation, automated campaign triggering, behavioural advertising.
Categories of personal data collected. List the data elements: IP address, device type, operating system, email client, geolocation data, date and time of email opening, frequency of opens.
Recipients and third-party processors. Identify any ESPs, CDNs, analytics platforms or advertising networks that receive data from the pixel.
Retention period. State how long individual-level data derived from tracking pixels will be kept before deletion or anonymisation.
Right to withdraw consent and complaint rights. Explain how the recipient can withdraw consent and how to lodge a complaint with the Garante.

Sample Privacy-Policy Clause

“We embed tracking pixels (invisible 1×1 pixel images) in our marketing emails. When you open an email, the pixel transmits your IP address, device type, email client and the date and time of opening to [ESP name], our email service provider acting as data processor. We use this data to measure open rates, segment our audience and personalise future communications. This processing is based on your explicit consent, which you may withdraw at any time by clicking the ‘Manage Tracking Preferences’ link in any email or by contacting our DPO at [email]. Individual-level tracking data is retained for [X] months and then anonymised.”

Re-Permission Campaign Wording

For existing mailing lists collected before the guidance took effect, organisations will need to run a re-permission campaign. A concise re-consent email should explain the change, describe the tracking-pixel use in plain terms, include an explicit opt-in button and state that tracking will be disabled for anyone who does not actively consent. Industry observers expect that lists which were originally collected without granular pixel-tracking disclosures will require full re-permissioning before 28 October 2026.

Technical and Organisational Measures for Email Tracking Compliance Italy 2026

Complying with the Garante’s tracking pixels guidance is not only a legal exercise, it demands concrete technical changes to how emails are built, sent and analysed. The measures below align with the accountability principle under Article 5(2) of the GDPR and the security-by-design requirement in Article 32.

Vendor and ESP Technical Controls

Conditional pixel loading. Configure your ESP to suppress tracking-pixel insertion for any recipient who has not provided valid consent. Most major platforms (Mailchimp, Brevo, HubSpot, ActiveCampaign) offer list-segment-level tracking toggles or per-contact tracking flags.
Server-side aggregation. Where possible, replace client-side pixel tracking with server-side analytics that record only aggregated, anonymised open rates rather than individual-level data. This reduces the volume of personal data processed and may lower the DPIA threshold.
First-party pixel hosting. If tracking is retained with consent, host the pixel image on your own domain rather than a third-party analytics server. This limits the exposure of recipient IP addresses to external processors.
Consent-token architecture. Generate and store a unique consent token for each recipient at the point of opt-in. Pass this token as a parameter in the pixel URL so that your analytics platform can verify, in real time, that the tracking event is authorised.
Automated opt-out processing. Implement a real-time suppression workflow: when a recipient withdraws consent, the next email must be sent without a tracking pixel, not merely flagged for future removal.
IP-address truncation. Where individual-level tracking is permitted, truncate the last octet of IPv4 addresses (or the last 80 bits of IPv6 addresses) before storage to minimise identifiability.
Retention schedules. Define and enforce automated deletion or anonymisation of individual tracking records after a fixed period proportionate to the stated purpose, typically no longer than 12 months for marketing analytics.
Encryption and access controls. Tracking data at rest and in transit must be encrypted. Access should be restricted to authorised marketing and analytics personnel on a need-to-know basis, with access logs maintained.

DPIA Triggers and Checklist

A Data Protection Impact Assessment is required under Article 35 of the GDPR whenever email tracking compliance in Italy 2026 involves:

Systematic monitoring of recipient behaviour across multiple campaigns or channels.
Large-scale processing, defined by the Garante as email lists exceeding a substantial number of Italian recipients or covering a significant proportion of a market segment.
Automated decision-making that produces legal or similarly significant effects (e.g., automated lead scoring that determines pricing or service access).
Combination of tracking-pixel data with other datasets (CRM records, website analytics, purchase history) to build comprehensive behavioural profiles.

The DPIA must be completed before processing begins, or, for legacy systems, before the 28 October 2026 deadline, and should be reviewed whenever the processing materially changes.

Contracts and Vendor Management: ESPs, CDNs and Tag Managers

Under Article 28 of the GDPR, the relationship between a data controller and its ESP, CDN or tag-management vendor must be governed by a written data-processing agreement (DPA). Following the Garante’s guidance, existing DPAs should be reviewed and, where necessary, amended to include the following provisions:

Pixel-specific processing instructions. The processor must be instructed to insert tracking pixels only where valid consent exists and to suppress pixel loading for all other recipients.
Sub-processor transparency. The processor must maintain and disclose an up-to-date list of all sub-processors involved in tracking-pixel data flows (e.g., image-hosting CDNs, analytics engines, third-party advertising APIs).
Audit rights. The controller must have the contractual right to audit the processor’s technical implementation of conditional pixel loading, consent-token verification and data-retention schedules.
Data localisation and transfer safeguards. Where tracking-pixel data is processed outside the EEA, the DPA must specify the applicable transfer mechanism (Standard Contractual Clauses, adequacy decision or derogation).
Liability and indemnification. Allocate liability for Garante fines or corrective measures resulting from the processor’s failure to comply with pixel-specific instructions.

A model clause addressing pixel-specific obligations might read: “The Processor shall not embed, load or activate any tracking pixel, web beacon or equivalent technology in emails sent on behalf of the Controller unless the Controller has confirmed, via the consent-management API or written instruction, that the relevant data subject has provided valid consent for such processing.”

DPO Checklist for Tracking Pixels: Audit Steps and Remediation Plan

The following twelve-point DPO checklist for tracking pixels provides a structured path from current-state assessment to full compliance by 28 October 2026. Prioritise items in order.

Pixel inventory. Catalogue every tracking pixel embedded in marketing, transactional and operational emails. Record the pixel type, hosting location, data collected, purpose, ESP or vendor responsible and the legal basis currently relied upon.
Legal-basis assessment. For each pixel, determine whether consent has been validly obtained. Flag any pixel that relies on legitimate interest for profiling purposes, these will almost certainly need to be migrated to a consent basis.
DPIA screening. Assess whether any email tracking program triggers a DPIA under the criteria described above. Commission or update the DPIA where required.
Privacy-notice update. Revise the organisation’s privacy policy and any email-specific privacy notices to include the tracking-pixel disclosures outlined in Provision No. 284.
Consent-flow redesign. Redesign newsletter signup forms, preference centres and in-email consent mechanisms to include a separate, unticked checkbox for tracking-pixel consent with clear explanatory microcopy.
ESP configuration. Work with each ESP to activate conditional pixel loading, configure consent-token parameters and suppress tracking for non-consenting recipients.
Contract review. Audit and amend data-processing agreements with ESPs, CDNs, tag managers and any third-party analytics or advertising vendors.
Re-permission campaign. Design and schedule a re-permission email for legacy lists whose original consent did not explicitly cover tracking-pixel profiling. Set a clear deadline for responses and disable tracking for non-responders.
Withdrawal mechanism testing. Test the one-click opt-out and preference-centre withdrawal flows end to end. Confirm that pixel suppression takes effect immediately upon withdrawal.
Proof-of-consent logging. Implement or verify a consent-management system that records the timestamp, method, version of the consent text and IP address for every opt-in and withdrawal event.
Staff training. Brief marketing teams, CRM administrators and customer-service staff on the new requirements, including how to handle withdrawal requests and how to verify consent status before launching campaigns.
Monitoring and reporting. Establish a quarterly review cycle for tracking-pixel compliance. Include consent rates, withdrawal rates, DPIA review dates and vendor-audit results in the DPO’s regular report to the board.

Timeline: Step-by-Step Remediation Plan to Meet 28 October 2026

With the Garante’s guidance published in Gazzetta Ufficiale No. 98 on 29 April 2026, organisations have exactly six months. The following phased timetable balances urgency with thoroughness.

Phase	Timeframe	Key Actions
Phase 1, Assessment	Weeks 1–4 (May 2026)	Complete pixel inventory; perform legal-basis assessment; screen for DPIA triggers; identify legacy lists requiring re-permission.
Phase 2, Design	Weeks 5–10 (June–early July 2026)	Redesign consent flows and preference centres; draft updated privacy notices and consent wording; prepare re-permission campaign content; begin DPIA where required.
Phase 3, Implementation	Weeks 11–18 (mid-July–mid-September 2026)	Configure ESP conditional pixel loading; deploy updated signup forms; amend vendor contracts; launch re-permission campaign; implement consent-token logging.
Phase 4, Testing and Training	Weeks 19–22 (late September–mid-October 2026)	End-to-end testing of consent and withdrawal flows; staff training; internal audit of all changes; resolve any residual gaps.
Phase 5, Go-Live and Monitoring	Weeks 23–26 (mid-October–28 October 2026)	Switch to compliant-only pixel deployment; disable tracking for non-consenting recipients; file DPIA with DPO records; begin quarterly monitoring cycle.

Minimum viable compliance for SMEs: At the very least, organisations that cannot complete the full programme should disable all tracking pixels in marketing emails by 28 October 2026 and re-enable them only after compliant consent has been collected. This “pixel-off-first” approach eliminates the highest-risk exposure while the full programme is completed.

Conclusion: Tracking Pixels in Emails Italy 2026, Act Now

Provision No. 284 leaves no ambiguity: tracking pixels in emails in Italy 2026 are subject to strict consent, transparency and security obligations. Organisations that fail to comply by 28 October 2026 face administrative fines under the GDPR and corrective measures from the Garante. The practical path forward is clear, inventory your pixels, obtain valid consent, update your notices, secure your vendor contracts and test your flows. Early action reduces risk and protects the email channel that remains central to customer engagement.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Susanna Greggio at GTA Studio Legale, a member of the Global Law Experts network.