Jul 06, 2026 · 7 min read
EFF Just Started Tracking Email Opens—Here's Why
The Electronic Frontier Foundation quietly updated its privacy policy on May 18, 2026 to add opt in tracking of email opens and clicks in its newsletters — a rare real world example of what consensual tracking actually looks like next to the covert kind almost everyone else uses.
For twenty years, the Electronic Frontier Foundation has been the organization telling everyone else to stop tracking people without asking. So when EFF quietly updated its privacy policy on May 18, 2026 to introduce opt in tracking of email opens and link clicks in its own newsletters, it was the kind of move that deserved more scrutiny than it got. The update slipped by with little coverage at the time, but two months later it's still one of the more instructive privacy policy changes of the year, not because EFF started tracking, but because of exactly how it chose to do it.
Key Takeaways
- EFF updated its privacy policy on May 18, 2026 to add voluntary, opt in tracking of email open and click rates in its newsletters, a practice it had not used before.
- The policy requires explicit consent before any tracking occurs, lets recipients decline or ignore the request with zero effect on their membership, and allows withdrawal at any time via an opt out link or by emailing membership@eff.org.
- EFF states it will not build behavioral profiles, collect demographic data, or share or sell any tracking data it collects.
- EFF's own framing, that "asking isn't the norm" in email tracking, is a direct rebuke of how HubSpot, Mailtrack, Streak, and Yesware and most commercial email tools operate by default.
- The same May 2026 update removed persistent ID cookies from eff.org, added a formal GDPR deletion request process, and clarified data retention timelines.
What Did EFF Actually Change?
EFF added a mechanism for subscribers to explicitly consent to having their email opens and link clicks measured, something the organization had never done before in its newsletter operations. According to EFF's own Deeplinks post announcing the change, the tracking only activates if a recipient affirmatively says yes. There is no pre checked box and no penalty for saying no. Decline or simply ignore the request, and your EFF membership, mailing list subscription, and every other interaction with the organization continues exactly as before.
That last part matters more than it sounds. A huge share of "consent" mechanisms in commercial software are structured so that declining costs you something, whether that's a degraded feature, a repeated nag screen, or quiet exclusion from a benefit. EFF's version isn't structured that way. It's opt in with no strings attached, and it can be reversed at any time through an opt out link in future emails or by writing to membership@eff.org.
Why Does Opt In Consent Matter Here?
Opt in consent matters because it is the single mechanism that separates disclosed tracking from covert surveillance, and EFF says so explicitly. In its own words, requiring permission first is "the key distinction between a sneaky strategy and an aboveboard relationship" with the people on the other end of the email. The post goes further, noting plainly that "asking isn't the norm" in the email tracking industry, a pointed acknowledgment that the vast majority of senders never present the choice at all.
This isn't a throwaway line. It lines up with EFF's long standing policy position that meaningful privacy law "must require real opt in consent before data is collected," a standard the organization has pushed lawmakers to adopt for years. Under the EU's GDPR framework, consent is only valid if it is freely given, specific, informed, and unambiguous, and regulators have increasingly gone after dark patterns that bury opt outs behind secondary clicks or default to agreement. EFF choosing to hold its own newsletter operations to that same bar, rather than exempting itself as a nonprofit with a sympathetic mission, is the part of this story worth sitting with.
How Does This Compare to Ordinary Email Tracking?
Ordinary email tracking works nothing like this, and that gap is the entire point of the comparison. The dominant method across commercial email is a 1x1 pixel: a transparent image embedded in the body of an email that silently loads from a remote server the instant you open the message, reporting your IP address, approximate location, device type, and the exact time you read it. No consent screen appears. No opt out exists at the moment of opening. The email simply fires the pixel the second your client renders images, which for most inboxes is the default behavior.
This is the version of tracking Gblock exists to stop, and it is not a niche practice. It's the default architecture behind tools our own coverage has documented in detail, including how HubSpot, Mailtrack, Streak, and Yesware handle read receipts and open tracking inside Gmail. None of those tools ask permission before the first pixel fires. Regulatory guidance under the EU's ePrivacy framework treats this kind of pixel tracking as functionally equivalent to a tracking cookie, subject to the same consent requirements, yet enforcement has lagged the technology by years.
EFF's approach inverts every part of that default. Tracking is off unless a person turns it on. The data collected is limited to opens and clicks, with no demographic layer and no profile building. And critically, EFF states the data will not be shared or sold to any third party, which closes off the secondary market that makes covert tracking commercially valuable to begin with: advertising networks, data brokers, and lead scoring platforms that quietly resell open and click signals as behavioral data.
Why Email Users Should Care
This distinction isn't academic for anyone who reads email, because the two models produce completely different risk profiles for the exact same underlying action of opening a message. When a marketing platform tracks your open without asking, that signal can feed a profile that determines what ads you see, what price you're quoted, or how aggressively a sales team follows up, all built from an action you never knew was being measured, let alone agreed to. EFF's model produces none of that, because the entire premise depends on the recipient choosing in.
For everyday Gmail users, the practical reality is that almost every newsletter, sales email, and recruiter message you receive today more closely resembles the old EFF, tracking without asking, than the new one. Browser extensions like Gblock exist specifically to close that gap by blocking tracking pixels before they load, restoring the choice that most senders never offered in the first place. If EFF's opt in model became the industry norm, tools built to block covert tracking would have far less to do. That gap between what should be normal and what actually is normal is exactly why this story matters more than a routine policy update.
Looking Ahead
EFF's policy update is a small operational change dressed up as a minor legal document, but it functions as a public demonstration of what compliant, ethical email measurement actually looks like when an organization has no commercial incentive to cut corners. The other changes bundled into the same update, killing persistent ID cookies on eff.org, adding a formal GDPR deletion process, clarifying retention schedules, reinforce that this wasn't a one off gesture but a broader tightening of how the organization handles data across its own properties.
The more interesting question is whether this kind of disclosure becomes a template regulators point to when writing the next generation of consent requirements, or whether it remains a footnote next to an email tracking industry that has shown little appetite for asking first. Either way, the contrast is now on the public record, in EFF's own words: asking isn't the norm. Until it is, the burden falls on individual users to block what senders won't disclose.