GUIDE: Marketing email tracking and CNIL compliance (GDPR)

Marketing email tracking (opens and clicks) is at the heart of email marketing and marketing automation strategies. However, according to recent CNIL recommendations, practices must evolve and be better regulated to protect users’ personal data.

Between GDPR compliance requirements and the need to effectively manage marketing campaigns, one question arises: how can you continue to leverage marketing automation while respecting users’ privacy and avoiding legal risk?

This guide aims to help you understand the rules applicable to email tracking, adopt best practices to remain compliant, and fully leverage Webmecanik solutions to reconcile marketing performance with GDPR compliance.

Summary of the CNIL’s recommendations on email tracking

The CNIL (and more broadly the GDPR) considers that trackers in emails (open pixels, tracked links) allow the deduction of personal behaviors. As such:

• The principle: the placement of these trackers normally requires prior consent.
• The issue: without this consent, you should not be able to identify by name who opened or clicked.
• The controller: it is the data controller (you dear marketer / manager), not your software provider.
• Webmecanik’s response: we allow anonymization of this data to retain your aggregate statistics (open rate and click rate) while respecting the anonymity of those who refuse individual tracking.

B2B vs B2C distinction: what to remember

The rule differs depending on your target audience.

In B2B, the CNIL allows more flexibility in the name of “legitimate interest”, similar to the collection of email addresses with consent to send marketing messages.

In B2C, however, prior consent is required for collecting email addresses and sending marketing messages, as well as for associated tracking.

What you can continue to do without consent ✅

At first glance, these changes may seem restrictive. But in practice, they mainly regulate the most intrusive uses. Much of your marketing activity remains perfectly possible, provided you favor global rather than individual approaches.

• Continue running your marketing automation campaigns: your workflows (nurturing, onboarding, re-engagement, etc.) can still be used, but this will depend on your provider’s capabilities. Some platforms will significantly restrict these uses without consent.
  With Webmecanik, however, you can still move contacts through your workflows—even without consent—thanks to anonymized mechanisms.
• Analyze overall performance: you can track your campaign open rates as long as the data is aggregated and anonymized by your sending tool (👇🏻 Discover what Webmecanik offers).
• Monitor deliverability: it is possible to analyze opens, provided the volume is sufficient to avoid individual identification.
• Manage inactive contacts: you can exclude certain contacts or adjust marketing pressure based on their last interaction (such as a date of open or click).
• Security and authentication: tracking remains allowed to verify that a sensitive email (e.g., 2FA code, password reset) has been viewed.
• Legal obligations: you can use trackers to prove the proper transmission of regulatory information (contractual terms, price changes, etc.).
• Transactional emails: the inclusion of pixels is possible in emails related to a user-requested action (order confirmation, appointment reminder…), if their purpose remains compliant (security, deliverability, legal obligation).
• A/B tests: tests based on open rates remain feasible as long as they rely on aggregated and non-identifiable data. However, verify that your solution truly guarantees this anonymization.

What requires explicit consent ❌

• The restrictions mainly concern uses related to individual tracking and profiling:
• Precisely identifying who opens your emails
• Targeting your contacts based on their open behaviors
• Inferring their interests from this data
• Personalizing your content or marketing pressure on an individual basis

How Webmecanik Automation covers 100% of the recommendations

Unlike all other email marketing and marketing automation tools, Webmecanik gives you full control through two innovations and a strong commitment:

1. Ethical Tracking: if a contact refuses tracking, Webmecanik anonymizes the interaction. You know there was “an” open (for your reporting), but you do not know who.
2. The 3rd campaign branch: in your automation scenarios, we have created a branch dedicated to the “non-trackables.” You can decide how to treat them:
   • as openers/clickers,
   • as non-openers/non-clickers,
   • or isolate them for a specific journey.
3. Data sovereignty: as a French publisher, working exclusively with European personal data subprocessors, your consent data does not leave the European Union, guaranteeing maximum legal protection against the US Cloud Act.

Step-by-step implementation of this new recommendation

We offer three concrete approaches to make your marketing automation actions compliant with this new regulation.

Scenario A: you are B2B (information-based approach)

The objective is to inform the user that their interactions are being tracked to improve their experience, while giving them the freedom to object.

1. Add a dedicated profile field: a system field is associated with each contact “Email tracking consent” (consent_email_tracking) to centralize and easily manage their status.
2. Update your preferences center: add the checkbox: “I agree that my interactions are analyzed to receive more relevant content.” (Pre-checked by default in B2B, with clear mention) to offer an Opt-out option to your contacts.
3. Adapt your marketing automation scenarios: link the “Non-trackable” branch to your positive branch so as not to break your sales funnels.

Scenario B: you are B2C (strict consent approach)

Here, the rule is explicit Opt-in. Tracking should only be enabled if the user has taken an active step to accept it.

1. Modify the collection form: add a distinct new checkbox for Tracking Opt-in with the dedicated form field (which will populate the contact profile field automatically).
2. Update your preferences center: the contact must be able to uncheck tracking without unsubscribing from the newsletter.
3. Adapt your marketing automation scenarios:
   • Positive branch -> Continue the journey.
   • Negative branch -> Follow-up (those who said YES to tracking but did not interact).
   • “Non-trackable” branch -> Dedicated action (e.g., sending a generic email without scoring). You can also attach this branch to one of the two usual branches.

Scenario C: you are already a Webmecanik Automation user

1. Update your preferences center: enable the email tracking consent feature and add this new checkbox to your preferences center.

2. Transfer existing data from your custom opt-in field to the native consent fields: to simplify and secure your opt-in management, we recommend replacing your existing custom fields with the native preference center fields we added.
To do this, export your contacts and reimport the data (contact ID (email by default) and the column in your file containing the consent value).

3. Modify your collection forms: replace your existing marketing forms’ checkbox used to give consent, mapped to a custom opt-in field. Instead, use the new form field type dedicated to tracking consent which will enrich the contact’s preferences in their preferences center.

4. Adapt your marketing automation scenarios:

• Positive branch -> Continue the journey.
• Negative branch -> Follow-up (those who said YES to tracking but did not interact).
• “Non-trackable” branch -> Dedicated action (e.g., sending a generic email without scoring). You can also attach this branch to one of the two usual branches.

Questions? Feel free to contact us right here.