Every month, Privacy Gazette takes a closer look at the issues shaping the global data protection ecosystem. Drawing on the expertise of Pascal Vautrin, Privacy Standards Expert at Axeptio, this new series examines some of the sector’s most complex developments and unpacks their regulatory, economic, geopolitical and social implications.
In this first edition, we look at the new French and Italian guidance on tracking pixels in emails; the latest developments around FISA; recent regulatory moves in the United States and Brazil; and a number of weak signals that nonetheless reveal the growing tensions between Big Tech, governments and artificial intelligence.
.png?width=1600&height=900&name=Slider%20Privacy%20Gazette%20(1).png)
Tracking Pixels in Emails: The End of a Grey Area?
After more than a year of waiting, the CNIL published its final recommendations on the use of tracking pixels in emails on 14 April. A few days later, the Italian data protection authority, the Garante per la protezione dei dati personali, issued its own guidelines, broadly aligned with the French recommendations.
Until now, this widespread marketing practice had operated in something of a regulatory grey area. The guidelines are now relatively straightforward:
- transactional emails do not require consent;
- metrics strictly related to deliverability may also be exempt;
- any use aimed at behavioural analysis, personalisation or marketing optimisation requires prior consent.
In practice, this creates an important distinction between two types of use.
An order confirmation email containing a pixel used to check whether the message has been properly delivered may be considered functional. By contrast, embedding a pixel in a promotional campaign to analyse open behaviour, adjust marketing pressure or enrich user profiles shifts the processing into the realm of targeting, and therefore consent.
Put simply, a sports retailer may send an email promoting tennis shoes to a customer who has previously bought a tennis racket without collecting consent, under the CNIL’s rules on commercial prospecting for similar products. However, if that same email includes a pixel designed to track the user’s interactions in detail in order to refine their marketing profile, consent becomes necessary.
Finally, the CNIL reiterates that information about the purposes of the tracking pixels used must be provided as soon as the email address is collected, and that withdrawing consent must remain simple.
Tracking pixels in emails, often seen as an essential tool for marketing measurement, are therefore gradually being brought into the same analytical framework as other tracking mechanisms that are already under close scrutiny.
FISA: The Question Still Haunting Data Transfers Between the European Union and the United States
Among the most sensitive issues in the global privacy landscape are the geopolitical tensions surrounding FISA.
FISA, the Foreign Intelligence Surveillance Act, allows US authorities to require companies subject to US law to disclose certain data relating to non-US persons.
Why does this law keep resurfacing in the news? Because it sits at the heart of the tensions between the European Union and the United States over international data transfers. It was one of the main sources of criticism that led to the Schrems II ruling and the invalidation of the Privacy Shield. The issue is that the law has to be renewed periodically. And its renewal is now politically bogged down in the United States.
Congress was due to take a decision in mid-April. Since then, however, the decision has been repeatedly postponed.
FISA is now being criticised on both sides of the Atlantic, but for different reasons: in Europe, because of its implications for international transfers of personal data; in the United States, because of the risks it poses in terms of surveillance of US citizens themselves.
As long as these debates remain unresolved, the legal foundations of transatlantic data transfers will remain fragile.
From Brazil to the United States: Privacy Tested by Power Politics
Another interesting trend is that several countries appear to be reshaping their approach to privacy, but according to very different philosophies.
In Brazil, the Senate recently strengthened the status of the national data protection authority, the ANPD, or Autoridade Nacional de Proteção de Dados, turning it into an independent federal authority with greater human and financial resources.
This development marks the formal establishment of an independent authority with more substantial resources, and therefore potentially a greater real-world capacity to enforce the rules.
In the United States, the situation is more complex than it may appear. At the state level, several states are gradually toughening their approach to data protection, with an increase in litigation and enforcement actions against certain practices or companies. This dynamic is unfolding in an already highly fragmented landscape, where each state may or may not apply its own privacy rules.
At the same time, the Republican Party has introduced a federal bill called the Secure Data Act, precisely in an attempt to harmonise this patchwork framework. However, while the text includes several principles familiar to European readers, such as access, deletion, rectification and data portability, a number of critical issues are already emerging. One of the most debated points is the absence of a direct right of action for individuals against companies in the event of a violation of their rights. In other words, rights are recognised, but individuals do not really have the tools to enforce them.
At its core, this contrast reflects a broader political tension. On the one hand, states appear to be multiplying oversight mechanisms and legal remedies in a logic of protecting individual rights, much like Europe and Brazil. On the other, the US federal level seems more inclined to limit the constraints placed on businesses. This is a battle that goes far beyond the legal sphere: it is a reminder that privacy rules are also the site of a political trade-off between the defence of individual rights, regulatory sovereignty and economic interests.
When Privacy Becomes a Question of Economic and Geopolitical Power
Two other developments from recent weeks illustrate just how much privacy issues have become a stage for economic and political tensions between governments, Big Tech, businesses and citizens.
The first example is the dispute between Grok, X’s artificial intelligence system, and the State of Colorado. Elon Musk’s company is challenging a law aimed in particular at regulating certain artificial intelligence systems that may produce algorithmic discrimination. The company argues that the law imposes an ideological direction on AI models and interferes with their design. The case once again highlights how far the legal framework is lagging behind the rapid growth of AI tools.
Another example comes from Australia, which wants to impose a levy on Big Tech companies in order to fund publishers and media organisations. The argument is that journalistic content creates value and feeds platforms, including generative AI solutions, and that its use should therefore give rise to some form of economic compensation. Technology giants are strongly contesting this approach. Here again, the debate goes far beyond privacy: beneath it lie fundamental questions about the distribution of value and broader ideological and societal risks.
And this is probably only the beginning.
The future of consent is being shaped in Europe.
Discover the European CMP Association, a new institution championing a European-led, interoperable and sustainable approach to consent.
