On April 17, 2026, the Italian data protection authority (the “Garante”) published Provision No. 284 setting out guidelines on the use of “tracking pixels” in emails (the “Guidelines”). This publication closely follows the recommendation issued by the French data protection authority on the same topic, which is discussed in a separate blog post.
Tracking pixels are commonly used to measure email open rates and to enable marketing automation tools. Under Italian law, the use of tracking pixels generally requires the recipient’s prior consent, unless a specific exemption applies. In its Guidelines, the Garante provides practical examples to help organizations assess when consent is (and is not) required and clarifies the compliance obligations applicable to businesses relying on these technologies in email communications. This post summarizes the key takeaways.
1. Transparency as a condition of lawfulness
As a starting point, the Garante recalls that the use of tracking pixels is lawful only where recipients are adequately informed in advance. As with cookies and similar tracking technologies, such information may be provided using a layered approach and delivered through different communication channels, including pop-up notices, chatbots, or virtual assistants.
2. When is consent required?
Under Article 122 of the Italian Privacy Code, pixels may be used only with the recipient’s prior consent, unless they are strictly necessary to (i) provide or facilitate the email communication or (ii) deliver a service expressly requested by the recipient.
The Garante considers that consent is typically required where pixels are used to carry out behavioral assessments or analyses aimed at measuring and improving the performance of promotional campaigns.
By contrast, the authority suggests that pixels used exclusively for the following purposes may not require consent:
- Performing audience measurement activities aimed at improving email deliverability and combating spam. In this respect, the Garante specifies that only standardized (i.e., non-individualized) tracking pixels should be used and that related technical data (such as IP addresses or client information) must be anonymized;
- Helping secure user authentication;
- Sending messages that the data controller is legally required to send, such as mandatory banking communications or notifications related to security incidents.
3. Practical conditions for valid consent
The Guidelines further specify how valid consent should be obtained for the use of tracking pixels in emails. In particular, the Garante acknowledges that, where consent to receive promotional communications and consent to the use of tracking pixels are closely connected, it may be acceptable to combine these into a single request, provided that the request is formulated in a neutral, clear, and non-coercive manner.
The Garante additionally recommends that organizations using pixels:
- Obtain consent at the time the email address is collected, after having provided clear and complete information on the use and purpose of tracking pixels;
- Allow recipients to withdraw their consent easily and at any time, including on a layered basis, either by revoking consent entirely – thereby ceasing the receipt of future email communications – or by withdrawing consent solely in relation to tracking pixels, while continuing to receive emails without such tracking. This should be facilitated, for example, by including in each email a standardized icon or link (typically in the footer) directing recipients to a dedicated interface enabling them to manage their preferences.
4. Implementation timeline
For email addresses collected before the Guidelines were published, the Garante provides for a six-month transitional period starting from publication in the Official Gazette (April 29, 2026), provided that:
- recipients are informed of such use at the first available opportunity or during the first meaningful interaction with the data subject; and
- a mechanism allowing the withdrawal of consent is implemented and made available to users.
In all other cases, the Garante states that organizations should comply with the recommendations immediately.
* * *
Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging data protection and compliance issues in the EU, UK and other key markets. If you have any questions about the topics discussed in this article, please do not hesitate to contact us.