Download this must-have guide to start your marketing automation journey.

Ressources
The 6 steps to apply CNIL’s new recommendation on email tracking with Webmecanik
6 min read

The 6 steps to apply CNIL’s new recommendation on email tracking with Webmecanik

Industry

Software Publishers

Team

Marketing

Company

Webmecanik

Category

RGPD Compliance Marketing Automation

I’m Marine, Head of Marketing at Webmecanik, and I’m sharing my experience of bringing our email marketing into compliance with CNIL’s new recommendations.

The context

When CNIL announced, on April 14, 2026, that explicit consent would now be required to track email opens and clicks in marketing emails, my first reaction was to ask: how can I continue to manage my campaigns effectively while staying compliant?

I have to admit that this announcement initially worried me. Like many marketing managers, I rely every day on engagement data to steer my campaigns and my marketing automation workflows. I therefore quickly asked myself what impact this change would have on our practices.

But after thinking it through, I realized that this change could also be an opportunity: to strengthen the transparency of our practices, give our users more control over their data, and turn a regulatory requirement into a genuine lever of trust.

Here is my experience and the different steps we followed to implement this CNIL recommendation.

Step 1: understand what would actually change

Before changing anything, I started by analyzing the concrete impact of this recommendation on our marketing activities. The first thing I realized was that this issue wasn’t only about emails. Behind this new consent requirement, there was actually a whole chain of processes to revisit: collecting consents, managing preferences, running campaigns, and some automated scenarios.

So I began by identifying every touchpoint where we collect data or use tracking: contact forms, marketing automation campaigns, and the different channels (email / SMS).

⚠️ At this stage, it was also important to check that our email marketing and marketing automation tool could meet these new regulatory requirements.

For my part, I didn’t have to look far. Webmecanik Automation, our marketing automation platform, was one of the first software solutions to include features specifically designed to address this evolution of CNIL’s recommendations.

Once the audit was done, I tackled the most obvious issue: collecting consent.
Until now, our forms were mainly used to obtain a prospect’s agreement to receive our communications (opt-in). With this new recommendation, explicit consent was now required to have permission to receive a message and to include tracking actions within it (opens and clicks).

So we updated our forms to integrate the new consents related to email and SMS tracking, with a new form field type « Consent ». With a single checkbox, it allows our prospects to simultaneously confirm (or not) both their subscription (opt-in) and their agreement to track their activities (tracking).

Consents can also be entered when importing contacts (a file from an event or another Excel file that was lying around) thanks to the column mapping dedicated to email and SMS tracking consent. They then remain editable manually from the contact record, in particular in case of a complaint or a specific request.

Beyond collecting consent, I needed to ensure I could retain proof of it. In the event of a CNIL inspection or a contact request, we must be able to quickly find when and how that consent was obtained.

So every consent-related change is recorded in the activity log of my contacts so I can retrieve:

The date of collection The date of collection
The source of consent The source of consent
The IP address The IP address
The type of consent concerned The type of consent concerned

This record-keeping allows me in particular to justify precisely when a DNC (Do Not Contact) or a DNT (Do Not Track) was collected. That way, I have reliable proof of the consent—or its withdrawal—according to the requirements of Article 7(1) of the GDPR regarding the conditions applicable to consent.

I also have access to new visual badges displayed directly on contact records and in their activity feed. They allow me to immediately see whether email or SMS tracking is enabled or disabled, without having to look for the information across several screens.

It’s a real time-saver every day, and above all assurance that I can easily justify the origin of consent when needed.

Step 4: update our preference center

Users must be able to keep control of their data and change their consents at any time. As with opt-in for communications, this is done through the preference center. So I updated our preference center to let them manage independently their four choices:

Accept communication by email Accept communication by email
Accept communication by SMS Accept communication by SMS
Consent to email tracking (clicks and opens) Consent to email tracking (clicks and opens)
Consent to SMS tracking (clicks) Consent to SMS tracking (clicks)

That way, everyone can fine-tune their preferences without having to give up all of our communications.

⚠️ During its last webinar, CNIL reiterated that a 3-month timeframe, i.e. until July 14, 2026, is granted to inform your contacts whose email address was collected before April 14, 2026 about the use of tracking pixels and to allow them to object.

So don’t forget that once your preference center has been updated, you must inform your database. This information can be communicated via a dedicated email or included in one of your usual emails in the form of a specific insert.

Step 5: adapt my automated scenarios for untrackable contacts

One of the topics that worried me the most concerned our automated campaigns.
In our automated campaigns, we regularly use conditions like “Has opened the email” or “Has clicked the link” to trigger nurturing or follow-up actions. With this new recommendation, a contact who refuses tracking will no longer be able to trigger these conditions positively, even if they received and read the message. They would still be considered as not-opened or not-clicked. At least for software that hasn’t anticipated for this.

To avoid systematically treating these contacts as not-openers or not-clickers, I enabled the new conditional branch dedicated to untrackable contacts in Webmecanik Automation. In addition to the “Yes” and “No” branches, I now have a third branch that lets me direct these contacts to a specific path.

Depending on my goals, I can, for example:

Direct them to alternative content Direct them to alternative content
Wait for another conversion action, such as submitting a form or registering for an event Wait for another conversion action, such as submitting a form or registering for an event
Take a more optimistic approach by considering the message as received and route them to the positive branch Take a more optimistic approach by considering the message as received and route them to the positive branch

This change allowed me to adapt my scenarios without penalizing contacts who simply chose not to be tracked, while still keeping the flexibility I need to reach my marketing objectives.

That way, everyone can fine-tune their preferences without having to give up all of our communications.

Step 6: adapt my interpretation of the statistics

After adapting our forms, consents, and automated scenarios, I had one last question: what would be the impact on our statistics?
Like many marketing managers, I rely on open rates and click-through rates to measure the performance of our campaigns. So I knew these indicators would evolve with the introduction of these new consents.

With Webmecanik Automation, open and click statistics are now calculated only from contacts who have accepted tracking. Interactions from contacts who did not provide consent are not included in these indicators.

This means a different way of reading performance: the rates observed now reflect exclusively the behavior of contacts who agreed to be tracked.

For me, the key was to have reliable, consistent indicators aligned with the consents collected and compliant with regulatory requirements.

Conclusion

Looking back, achieving compliance was much simpler than I had imagined when CNIL’s recommendation was announced. Most of the work consisted of adapting our consent collection, updating our preference center, verifying consent traceability, and adjusting our automated scenarios to account for untrackable contacts.

What made this particularly easier for me was being able to rely on Webmecanik Automation. The features needed to meet these new recommendations were already available in the platform, which allowed me to focus on my campaigns and processes rather than on the technical aspects.

In the end, this change does not call our marketing strategies into question. It simply leads us to consider our users’ preferences better and to include untrackable contacts in our journeys in an appropriate way.

If you’re asking yourself the same questions I did when this recommendation was announced, and you want to discover how to implement these changes in your own campaigns, don’t hesitate to request a demo of Webmecanik Automation or talk with our team.

➡️ Request to be contacted