
May 27, 2026 · 8 min read

Italy's Garante Published Provision No. 284 on April 17, 2026 Requiring Prior Consent for Email Tracking Pixels That Measure Open Rates—Senders Get Six Months From the April 29 Official Gazette Date to Comply, the Same Month Italy Issued a €12.5M GDPR Fine Against Poste Italiane

Italy's data protection authority, the Garante, published Provision No. 284 on April 17, 2026, with the text appearing in the Official Gazette on April 29. The guidelines treat the invisible tracking pixel in a marketing email as access to a recipient's terminal device, the same legal category as a cookie, and require prior consent when the pixel measures open rates or performs behavioral analysis for promotional campaigns. Senders have a six-month transitional window for previously collected addresses. The Garante landed the rule the same month it fined Poste Italiane €12.5 million for an unrelated consent failure.


Key Takeaways

  • Provision No. 284, published April 17, 2026 and printed in the Official Gazette on April 29, requires prior consent for email tracking pixels that measure open rates or run behavioral analysis for promotional campaigns.
  • The Garante classifies a tracking pixel as access to the recipient's terminal device, the same legal treatment cookies receive, which is why consent and not merely legitimate interest becomes the standard.
  • Three uses are exempt from consent: anonymized aggregate open counts using shared pixels, security and authentication confirmations such as account activation and password resets, and legally mandated institutional messages like banking notices.
  • Recipients must be able to withdraw consent easily and selectively through a standardized icon or link, typically placed in the email footer, so they can keep receiving messages while switching off the tracking.
  • The same month, on the broader GDPR front, Italy fined Poste Italiane and its subsidiary Postepay a combined €12.5 million for conditioning mobile banking access on invasive device scanning that affected 14.5 million Android users.

What Does Provision No. 284 Actually Require?

It requires senders to obtain prior consent before placing a tracking pixel in an email when that pixel is used to measure or improve the performance of a promotional campaign. The Garante's reasoning is the part worth reading carefully, because it reframes the pixel as something more invasive than a marketing metric.

A tracking pixel is a one-by-one-pixel transparent image embedded in an HTML email. When your mail client renders the message, it fetches that image from the sender's server, and the request itself reports back that the email was opened, often along with your IP address, the time, your client, and your approximate location. The Garante's Provision No. 284, summarized by Covington's Inside Privacy, treats that automatic fetch as the storing of, or gaining of access to, information on the recipient's device. That is the exact language the ePrivacy framework uses for cookies, so the pixel inherits the cookie consent standard.

Consent must be collected when the email address is gathered, after clear information is provided. The Garante permits a single combined request covering both promotional emails and tracking pixels, provided it is presented neutrally and is not coercive. The trigger for consent is purpose: where the pixel performs behavioral assessment or analysis aimed at measuring and improving campaign performance, consent is required.

Which Pixels Are Exempt From Consent?

Three categories may operate without prior consent, and they are narrow. The exemptions exist for functions that do not profile the individual recipient.

  • Anonymized aggregate audience measurement. Standardized, non-individualized pixels that produce open counts only, where technical data such as IP addresses and client information is anonymized. The moment a count becomes attributable to a person, the exemption falls away.
  • Security and authentication. Pixels that assist user authentication, including account activation and password reset flows, where the message exists to confirm a security action rather than to sell.
  • Legally mandated institutional communications. Messages a sender is required by law to deliver, such as banking notices and security incident alerts.

Notice what is missing from that list. Open rate analytics on a newsletter, click attribution on a sale, segment scoring based on who opened what and when—the entire toolkit of modern email marketing sits squarely inside the consent requirement, not the exemptions. The Consentmo analysis of Italy's April 2026 decisions spells out that the marketing pixel is the rule and the exempt pixel is the exception.

How Does the Withdrawal Mechanism Work?

Recipients must be able to withdraw consent at any time, easily, and selectively. The Garante's preferred implementation is a standardized icon or link, typically in the footer, that lets a recipient manage tracking preferences without unsubscribing from the email stream entirely.

That distinction matters. The regulator is explicit that switching off the pixel should not force the recipient to stop receiving messages. You should be able to keep the newsletter and lose the surveillance. According to Covington's Global Policy Watch, the six-month transitional window applies to previously collected addresses counting from the April 29 Official Gazette date, provided recipients are informed at first interaction and the withdrawal mechanism is in place. New addresses collected after publication are subject to the rule immediately.

How Is This Different From France's CNIL Rule?

France's CNIL reached the same destination by a slightly different road, and Italy's provision now makes the two countries the clearest pair of national regulators treating the email pixel as a consent object rather than a marketing footnote.

The CNIL issued its own recommendation on email tracking pixels with its own deadline, which we covered in our piece on the CNIL email tracking pixel recommendation and its July deadline. Both authorities anchor the pixel in the ePrivacy concept of access to terminal equipment, both require consent for analytics pixels, and both carve out narrow exemptions for genuinely anonymous measurement. The practical difference is timing and packaging: Italy bundled its guidance into a numbered formal provision with a six-month transition tied to an Official Gazette date, while CNIL framed its position as a recommendation with its own compliance horizon. For a sender operating across the European Union, the lesson is convergence. The pixel is becoming a consent-gated technology continent-wide, not a one-country curiosity.

What Was the €12.5M Fine About?

The fine was a separate GDPR matter, but it lands in the same month and tells you how seriously the Garante is treating consent right now. Italy fined Poste Italiane €6,624,000 and its subsidiary Postepay €5,877,000, a combined €12.5 million.

The companies' BancoPosta and Postepay mobile banking apps required users to authorize smartphone scanning as a condition of accessing the service. A third-party software development kit then collected installed applications, device fingerprints, hardware and advertising identifiers, VPN indicators, IP addresses, mobile network identifiers, and geolocation data, affecting 14.5 million Android users. The companies argued fraud prevention and PSD2 compliance justified the collection. The Garante rejected that defense, finding less invasive alternatives were available. The thread connecting the fine to the pixel rule is the regulator's refusal to accept bundled or coerced consent as a substitute for genuine, granular choice. That is the same principle behind requiring an easy, selective pixel withdrawal mechanism.

Why Can't You Rely on Consent Banners Alone?

Because consent governs the sender, not your inbox, and the pixel still loads on your device the moment you open the email unless something on your side blocks the request. Provision No. 284 is a rule for the companies sending mail. It does nothing to the technical reality that an unblocked tracking pixel fires a network request from your mail client to a remote server the instant the message renders.

There are three gaps that a consent banner cannot close. First, enforcement is uneven and slow, and many senders will quietly carry on, especially those outside Italy's jurisdiction who mail Italian recipients anyway. Second, consent fatigue is real: a combined request presented at signup is easy to click through, and most people do. Third, the rule only addresses promotional pixels, while plenty of tracking rides inside transactional and one-to-one email that no banner ever covered. The same enforcement gap shows up across the litigation landscape, from the hospital tracking pixel settlements topping $100M in patient data claims to the Forbes CIPA pen register $10M pixel settlement. Regulators and courts move after the tracking has already happened. The pixel fired long before any penalty.

How Do You Block Tracking Pixels Yourself?

You stop the pixel at the point it tries to load, on your own device, which is the one place a consent regime cannot reach but a browser extension can. This is exactly what Gblock does inside Gmail. It is a Chrome extension that identifies and blocks email tracking pixels before they fire, so the sender never learns whether, when, or how many times you opened their message—and your IP address and location are never reported back.

The advantage of a client-side defense is that it does not depend on the sender's compliance, jurisdiction, or honesty. Whether the sender obtained consent, ignored the Garante entirely, or operates from a country that has never heard of Provision No. 284, the result on your end is identical: the spy pixel does not load, and the open is never recorded. To block email tracking pixels and stop spy pixels in Gmail, you install the extension once and it works on every message, including the transactional and one-to-one mail that no European consent rule was ever written to cover. For the technical background on how these pixels evade Gmail's own image proxy, see our explainer on email tracking pixels and the 2026 Gmail proxy.
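To make the mechanism described earlier (a tiny remote image whose fetch reports the open) and the idea of stopping it before it loads concrete, here is an added Python example that flags likely tracking pixels in an HTML email body and removes them before rendering. It is not Gblock's code and not part of the Garante's text; the size and visibility heuristics, the function names, and the sample message are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic (assumption): a remote image that declares itself tiny or hidden.
_TINY_STYLE = re.compile(
    r"(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def is_tracking_pixel(attrs):
    a = {k: (v or "").strip() for k, v in attrs}
    # cid:, data: and relative sources cause no request to a remote server
    if not re.match(r"(?i)(https?:)?//", a.get("src", "")):
        return False
    tiny = any(a.get(d) in ("0", "1", "0px", "1px") for d in ("width", "height"))
    return tiny or bool(_TINY_STYLE.search(a.get("style", "")))

class PixelStripper(HTMLParser):
    # Re-emits the HTML unchanged except for flagged <img> tags.
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "img" and is_tracking_pixel(attrs):
            self.blocked.append(dict(attrs)["src"])  # record it, do not emit it
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # covers self-closing <img ... />
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def strip_tracking_pixels(html):
    # Returns (cleaned_html, blocked_urls); call before the body is rendered.
    p = PixelStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked

# Constructed sample message body (all hosts are placeholders).
SAMPLE = (
    '<p>Spring sale &amp; more</p>'
    '<img src="https://cdn.example.com/banner.png" width="600" height="200">'
    '<img src="https://track.example.com/o/abc123.gif" width="1" height="1">'
    '<img src="https://track.example.com/o2.gif" style="display:none">'
    '<img src="cid:logo" width="1" height="1">'
)
```

Dimension heuristics only catch pixels that declare themselves tiny or hidden; a visible image served from a per-recipient URL records the open just the same, so blocking all remote images is the stricter control.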

Regulation and self-defense are complementary, not competing. Provision No. 284 raises the cost of tracking for honest senders and gives Italian recipients a withdrawal right worth using. Blocking the pixel yourself closes the gap for everyone else. The Garante can tell a company to ask permission. Only a tool running in your inbox can guarantee the answer is no.
