by robinjfisher 1908 days ago
> "In the UK and the EU, the GDPR requires organisations to inform recipients of the pixels, and in most cases to obtain consent for them. It’s not enough to just have a privacy policy somewhere that details this."

No it doesn't and yes it is.

Nowhere in the GDPR or in the UK implementation does it say that recipients need to be informed of pixels in and of themselves.

What it does say is that when you obtain the recipients' personal details you must provide them with a privacy notice setting out what data you collect and what you do with it. The privacy notice needs to be provided on collection of their data (when directly collected) or within 30 days of collection if from a third party.

There is no reason to not obtain consent to tracking but to suggest it's the only lawful basis on which to process the data is not correct. Subject to completion of an impact assessment, one could make a case that it falls under legitimate interests depending on the degree of processing of the tracking data e.g. the more that such data is used to inform further targeting of the individual vs. say aggregation of data for improving engagement.

I agree with your underlying point though - I turned off tracking (I use Postmark for transactional emails) because I don't really care about open rate and click rate etc. If my customers want to ignore the emails from the service it's up to them.


„Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

[...]

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.“

An email address is always personal and tracking if the email was opened ties it to that personal data.

So yes, the user has to consent.

The GDPR delegates the specifics of the requirements to the DPA of member countries.

The French CNIL, for example, has already fined Google and Amazon $100M+ for this very issue: https://www.huntonprivacyblog.com/2020/12/14/cnil-fines-goog...

GDPR is a nightmare and a case study in how regulations can terrorize entire industries or the abilities of individuals to innovate freely. Just read the chronology of events in that link above and try playing devil's advocate that the CNIL did not amend those laws to specifically target these two companies. It's scary.

They amended "rules", not "laws", which is what rulemakers do when they discover behaviors that violate the law (subject to interpretation, as intended) but not the rules.

^Are you seriously making this argument? It seems you either have not read the linked story, or you don't understand that the CNIL issues guidelines that are the "law";

The decision to overrule an earlier revision by the Conseil d'État alludes to the guidelines themselves as a measure of "soft law".

Regardless, making an argument on the semantics of a word instead of the glaring arrogance on display where Government agencies or lawmakers can retroactively change the rules to seemingly target individual companies is ridiculous.