Are email tracking pixels legal?
Email tracking pixels sit in a grey area rather than being clearly legal or illegal, and the answer depends on where you and the sender are. Under the EU's GDPR and ePrivacy rules, storing or accessing information on a recipient's device — which an open-tracking pixel arguably does — generally requires informed consent, and several regulators have warned that covert open-tracking without disclosure is hard to justify. In the US there is no single federal rule against it, and CAN-SPAM does not prohibit pixels. The practical reality is that enforcement is inconsistent and most senders track by default. Rather than rely on the law to protect you, you can block the pixel yourself: Mailshade cancels known tracker requests at the network layer via declarativeNetRequest across six clients, so the open is never reported regardless of the sender's legal stance. This guide summarises the consent question and your direct option.
The consent question
GDPR and the ePrivacy Directive treat reading or writing data on a user's device as requiring consent. A tracking pixel that fires on open, profiling the recipient, is the kind of processing regulators have flagged when it happens without disclosure. Whether a given pixel is lawful turns on consent and transparency, which most marketing email lacks.
Regional differences
- EU / UK: covert open-tracking without consent is legally risky for senders.
- US: no specific federal ban; CAN-SPAM governs sending, not pixels.
- Elsewhere: varies; many regimes follow the GDPR consent model.
Why blocking is the practical answer
Legality is contested and enforcement is patchy, so the dependable protection is to block the pixel on your side. Mailshade does this deterministically via declarativeNetRequest (DNR) and keeps the record local in IndexedDB, with nothing sent to a server.
This is not legal advice
Rules change and depend on jurisdiction; treat the above as general background, not a legal opinion.
FAQ
Are tracking pixels illegal under GDPR?
Not automatically, but covert open-tracking without informed consent is legally risky under GDPR and ePrivacy rules, since loading the pixel can count as accessing data on the recipient's device. Lawfulness hinges on consent and disclosure.
Is email tracking legal in the United States?
There is no specific US federal law banning tracking pixels, and CAN-SPAM regulates sending practices rather than tracking. In practice they are widely used, which is why receiver-side blocking is the reliable protection.
Does blocking a tracking pixel break any law?
No. Choosing not to load a remote image in your own inbox is your decision. Mailshade simply cancels the request on your device; nothing about that is unlawful.
Can I prove a sender tracked me?
Mailshade records each blocked tracker event per sender in local IndexedDB, so you have a personal log of who attempted tracking, though that record is for your own reference rather than legal evidence.
How much does Mailshade cost?
Paid plans start at $3.99 per month or $19 one-time for the Founders Lifetime tier. The source is open under AGPL-3.0 at github.com/mailshade/mailshade.