Email Tracking Privacy and Compliance: The Sales Leader's Guide to GDPR and CCPA

Email tracking privacy and compliance guide for GDPR and CCPA. Learn lawful tracking under Legitimate Interest with Custom Tracking Domains.


Updated March 13, 2026

TL;DR: You can legally track emails under GDPR and CCPA if you manage tracking correctly. For GDPR, B2B sales teams typically rely on "Legitimate Interest" (Article 6(1)(f)) rather than seeking explicit consent. You must document a Legitimate Interest Assessment (LIA) and offer a clear opt-out. CCPA generally does not classify service-provider tracking as a "sale" if you hold a signed Data Processing Addendum (DPA). Use Instantly's Custom Tracking Domains to isolate your sender reputation and keep your outreach compliant and deliverable.

If you run B2B outreach, you already use email tracking. The rules changed. GDPR in Europe, CCPA in California, and Apple's Mail Privacy Protection all make the old "spy pixel" approach risky for both legal compliance and deliverability. This guide gives you the compliance framework for B2B sales, explains how each regulation applies to your stack, and shows you how to configure a tracking setup that is legal, ethical, and safe for your domain reputation.

Yes, you can legally track emails in most jurisdictions, but you must follow specific regulations. The critical distinction is between aggregate monitoring (how a campaign performs overall) and individual profiling (recording exactly when a specific person opened an email, from which IP address, on which device). Profiling is where legal risk concentrates.

If you run B2C marketing, you typically need explicit consent before tracking engagement data. B2B cold email sits in a more nuanced position: most EU and UK frameworks allow you to use "Legitimate Interest" as the legal basis for the underlying email send, though tracking technologies create additional obligations under the ePrivacy Directive that the GDPR section covers in detail.

Regulators have levied GDPR fines as high as €16.7 million for marketing violations, where improper data processing for promotional purposes triggered the penalty. The principle is consistent across jurisdictions: document your basis, offer a real opt-out, and minimize what you collect.


How email tracking technology works (and why it triggers privacy alarms)

Understanding the mechanics helps you audit your own stack and explain the risks to a legal or compliance team.

The invisible pixel

When you add a tracking pixel, you embed a 1x1 image in your email's HTML. When a recipient opens the email, their client attempts to load that image from the hosting server. That request logs the following data points:

  • Time and date: Exact timestamp of the open event
  • IP address: Qualifies as PII under GDPR and can be linked to a specific individual or organization
  • Device and OS: Type of device and operating system used
  • Email client: Browser or email application used to view the message
  • Location: Approximate geographic location derived from the IP address

The IP address is the key legal trigger. Because it identifies a specific individual or organization, it meets the GDPR and CCPA definitions of personally identifiable information (PII). Any system that collects IP addresses from email opens is processing personal data and requires a lawful basis.

Click tracking works by rewriting every link in your email to pass through a redirect server. When a recipient clicks, the server logs the event before forwarding them to the intended destination. The domain used in that redirect URL is a critical compliance and deliverability variable. If you use a shared platform domain, your links display a third-party URL that does not match your sending domain, which both spam filters and legal auditors will flag. The setup section covers how to fix this.

GDPR does not ban cold email or tracking. It requires that you identify a lawful basis for processing personal data before you do it. For B2B sales teams, two bases come up most often.

Consent (Article 6(1)(a))

If you rely on consent, you need a clear, affirmative action from the individual before you track them. GDPR requires that consent be freely given, specific, informed, and unambiguous. In practice, obtaining prior consent for cold outreach tracking is nearly impossible because the recipient has not yet opted into any relationship with you. Consent is the right basis for newsletter subscribers, not cold prospects.

Legitimate Interest (Article 6(1)(f))

This is the standard route for B2B cold email tracking. GDPR Article 6(1)(f) states that processing is lawful where "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."

The ICO's guidance on Legitimate Interests requires you to pass and document a three-part test:

  1. Purpose test: Identify a specific, lawful business interest such as qualifying prospect interest before follow-up. Vague interests like "understanding our leads" will not hold up under scrutiny.
  2. Necessity test: The tracking must be proportionate to the goal. Logging open timestamps and click events may be necessary. Cross-referencing IP addresses with social profiles is not.
  3. Balancing test: Weigh your business interest against the individual's reasonable expectation of privacy. The ICO notes that business contacts are "more likely to reasonably expect the processing of their personal data in a business context," which makes this test easier to pass in B2B than in B2C.

Write your Legitimate Interest Assessment (LIA) before you rely on this basis. An LIA is an internal document recording your three-part analysis. You do not submit it to a regulator, but it must exist on file if you face an audit or complaint. Operating without an LIA means you have no documented justification for the legal basis you are claiming.

How the ePrivacy Directive affects email tracking

The ePrivacy Directive (ePD) adds a complicating layer that you need to understand separately from GDPR. It requires consent or "strict necessity" for any technology that reads or stores information on an end-user device, which technically covers tracking pixels. Germany tightened this further: Section 25 of the TTDSG explicitly requires consent for tracking technologies regardless of whether personal data is involved.

The ICO acknowledges that where e-privacy laws do not require consent, Legitimate Interest is often appropriate for B2B direct marketing. However, the legal position on tracking specifically is not fully settled, particularly in Germany. The practical safeguard is to minimize what you collect, document your LIA, offer a genuine opt-out, and use Instantly's text-only send option for high-sensitivity EU segments where tracking removal is the cleanest approach.


CCPA and CPRA: What US-based sales leaders need to know

California's Consumer Privacy Act and its 2023 update (CPRA) created two concepts you need to understand for sales stack decisions: the "sale" of personal data and the "sharing" of personal data.

Does email tracking count as selling data?

Standard email tracking does not qualify as a sale, provided you have a proper contract in place. As TrueVault's CCPA analysis explains, disclosures to service providers under a compliant "business purposes" agreement are explicitly excluded from the definition of a sale. Under CPRA, "sharing" refers specifically to cross-context behavioral advertising, meaning prospect data fed into ad networks. Standard click and open tracking does not meet that threshold.

Service provider agreements and DPAs

The protection hinges on your vendor contract. If your email tool processes tracking data only for your business purposes, and you hold a signed DPA, CCPA's business purpose exclusion applies. Instantly's DPA formalizes this relationship, establishing Instantly as a data processor operating solely on your behalf. Review this document before running any campaign targeting California-based contacts.

The right to opt-out

CCPA grants California residents, including individual business contacts, the right to opt out of the sale or sharing of their data. For most B2B tracking setups, no "Do Not Sell or Share" link is required because the tracking does not meet the legal sale or share threshold. If your stack includes third-party pixels from ad networks, the obligation applies immediately.

CAN-SPAM: The US federal baseline

The FTC's CAN-SPAM Act applies to all commercial B2B emails sent to US recipients. It does not regulate tracking pixels directly, but its opt-out rules interact directly with your tracking setup:

  • Your opt-out mechanism must remain functional for at least 30 days after a send.
  • You must honor opt-out requests within 10 business days.
  • You cannot charge a fee or require a login for unsubscribes.
  • Each violating email carries a civil penalty of up to $53,088, as CookieYes's CAN-SPAM breakdown notes.

When a contact unsubscribes, you must stop tracking at that moment. Continuing to log opens or clicks on an opted-out contact is not just a process failure; it is a compliance gap with financial exposure.

GDPR vs. CCPA at a glance

Legal basis and consent

Regulation               B2B legal basis                        Consent required?
GDPR (EU/UK)             Article 6(1)(f) with documented LIA    No, if using Legitimate Interest
CCPA/CPRA (California)   Business purpose exclusion             No, if tracking qualifies as business purpose
CAN-SPAM (US federal)    No tracking-specific law               Not applicable to tracking

Opt-out and vendor requirements

Regulation               Opt-out mechanism                                       DPA required?
GDPR (EU/UK)             Unsubscribe link that stops all tracking                Yes
CCPA/CPRA (California)   "Do Not Sell/Share" only if data sold to third party    Yes
CAN-SPAM (US federal)    Opt-out honored within 10 business days                 No

5 steps to build a privacy-compliant email tracking system

These steps apply regardless of which platform you use and form the backbone of a defensible compliance process.

  1. Update your privacy policy. Your policy must explicitly state that you use tracking pixels and tracked links, list the data collected (open events, click events, IP address, device info), identify your legal basis for EU contacts (Legitimate Interest under GDPR), and provide a clear opt-out path. This satisfies GDPR's transparency requirement and CCPA's right-to-know provision. Include the disclosure before you run your next campaign.
  2. Implement a Custom Tracking Domain. By default, most email platforms route your links and pixels through a shared tracking URL used by other senders on the same platform. If any of those senders gets flagged or blacklisted, you expose your reputation to that fallout. A Custom Tracking Domain (e.g., track.yourdomain.com) isolates your sender reputation. As the Instantly blog on Custom Tracking Domains explains, it also ensures domain consistency so that Google and other providers see matching domains in your email headers and tracking links, rather than a mismatched third-party URL.
  3. Offer a real opt-out that stops tracking immediately. If you remove a contact from future sends but continue logging their opens, you violate compliance requirements. When a contact opts out, suppress them from all sends and all tracking data collection at the same time. Your platform should automate this suppression without requiring manual intervention.
  4. Purge old tracking data. Under GDPR's data minimization principle (Article 5(1)(c)), you must not retain personal-level tracking logs indefinitely. Delete individual-level data such as IP addresses and per-contact open logs after a defined retention period tied to your documented business purpose, and retain only aggregated, anonymized campaign metrics for trend analysis. Build this into your data retention policy.
  5. Limit what you collect to what you actually use. If your sales process does not require device fingerprinting or location mapping, configure your platform to avoid collecting it. The Instantly Help Center on fingerprinting explains how fingerprinting affects inbox placement at volume, and the compliance logic runs parallel: collect less, expose less risk, and give yourself a cleaner data posture if you face a subject access request.
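Steps 3 to 5 above (immediate suppression, scheduled purge, collecting less) translate directly into how a tracking event store should behave. The following is an added example written for this guide, not Instantly's code: a minimal store that refuses to log events for opted-out contacts, never persists the client IP the pixel request carried, and purges individual-level rows after an assumed 90-day retention window while campaign-level aggregates survive. All contacts, campaign names and IPs are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed retention period for individual-level logs; in practice it comes
# from your documented business purpose and data retention policy.
RETENTION_DAYS = 90


@dataclass
class TrackingStore:
    """Minimal open/click event store that enforces steps 3-5 of the guide."""
    suppressed: set = field(default_factory=set)          # opted-out contacts
    events: list = field(default_factory=list)            # individual-level rows
    aggregates: Counter = field(default_factory=Counter)  # campaign-level counts

    def opt_out(self, contact: str) -> None:
        # Suppression from sends and from data collection happen in one step.
        self.suppressed.add(contact.lower())

    def record(self, contact: str, campaign: str, kind: str,
               ts: datetime, client_ip: str = "") -> bool:
        """Log an open or click. Returns False when the contact is suppressed."""
        contact = contact.lower()
        if contact in self.suppressed:
            return False  # nothing is logged, not even the aggregate count
        # Data minimisation: the pixel request carried client_ip, but the sales
        # process only needs the event itself, so the IP is deliberately dropped.
        self.events.append({"contact": contact, "campaign": campaign,
                            "kind": kind, "ts": ts})
        self.aggregates[(campaign, kind)] += 1
        return True

    def purge(self, now: datetime) -> int:
        """Drop individual-level rows older than RETENTION_DAYS; aggregates stay."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self.events)
        self.events = [e for e in self.events if e["ts"] >= cutoff]
        return before - len(self.events)

    def campaign_count(self, campaign: str, kind: str) -> int:
        return self.aggregates[(campaign, kind)]


def demo() -> dict:
    """Constructed walk-through: two contacts, one opt-out, one purge run."""
    now = datetime(2026, 3, 13, tzinfo=timezone.utc)
    old = now - timedelta(days=120)  # older than the retention window
    store = TrackingStore()
    store.record("alice@example.com", "q1-outreach", "open", old, "198.51.100.7")
    store.record("bob@example.com", "q1-outreach", "open", now, "203.0.113.9")
    store.opt_out("Bob@Example.com")  # case-insensitive suppression
    logged_after_opt_out = store.record("bob@example.com", "q1-outreach", "click", now)
    purged = store.purge(now)
    return {
        "logged_after_opt_out": logged_after_opt_out,       # False
        "purged_rows": purged,                               # 1: alice's 120-day-old row
        "rows_left": len(store.events),                      # 1: bob's open, inside window
        "opens_aggregate": store.campaign_count("q1-outreach", "open"),  # 2, survives purge
        "ip_stored": any("ip" in e for e in store.events),   # False
    }
```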

How to configure Instantly for maximum compliance and deliverability

Instantly gives you specific controls to reduce both legal exposure and deliverability risk within the same settings panel.

Setting up a Custom Tracking Domain

To configure a Custom Tracking Domain in Instantly, start by adding a CNAME record in your DNS settings that points to Instantly's tracking infrastructure. Then enable the custom domain inside your Email Accounts dashboard. The Instantly Help Center setup guide walks through the exact CNAME format and propagation verification steps. Once active, every tracked link and pixel in your campaigns uses your own subdomain, giving you compliance transparency and cleaner spam filter results simultaneously.
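Once the CNAME is active, it is worth checking outgoing HTML before a campaign goes out, because a single tracked link still routed through a shared platform host produces exactly the mismatched third-party URL the click-tracking section warns about. This added audit script is not part of Instantly; it assumes the hypothetical names yourdomain.com and track.yourdomain.com, extracts every link and image from an email body, and reports any host outside the sending domain, along with whether the pixel itself is on the custom tracking domain. The sample email is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed names: your sending domain and the custom tracking subdomain from step 2.
SENDING_DOMAIN = "yourdomain.com"
TRACKING_HOST = "track.yourdomain.com"


class _LinkCollector(HTMLParser):
    """Collects every <a href> and <img src> URL from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.img_srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])


def audit_tracking_hosts(html: str) -> dict:
    """Report tracked URLs that leave the sender's own domain.

    Untracked links straight to the destination on SENDING_DOMAIN are fine;
    tracked links and the pixel must sit on TRACKING_HOST. Any other host is
    a mismatched third-party URL that spam filters and auditors will flag.
    """
    p = _LinkCollector()
    p.feed(html)
    foreign, pixel_ok = [], False
    for url in p.hrefs + p.img_srcs:
        host = (urlsplit(url).hostname or "").lower()
        if not host:  # mailto:, anchors, relative paths: nothing to resolve
            continue
        if host == TRACKING_HOST:
            pixel_ok = pixel_ok or url in p.img_srcs
            continue
        if host == SENDING_DOMAIN or host.endswith("." + SENDING_DOMAIN):
            continue
        foreign.append(host)
    return {"foreign_hosts": sorted(set(foreign)), "pixel_on_own_domain": pixel_ok}


# Constructed sample: one link correctly routed through the custom tracking
# domain, one still on a shared platform host (placeholder name), and the pixel.
SAMPLE_EMAIL = """
<p>Hi, quick question about your Q2 plans.
<a href="https://track.yourdomain.com/c/abc123">See the case study</a> or the
<a href="https://shared-tracker.example.net/c/xyz789">pricing page</a>.
Reply or <a href="mailto:sales@yourdomain.com">email us</a>.</p>
<img src="https://track.yourdomain.com/o/abc123.gif" width="1" height="1">
"""
```

Run `audit_tracking_hosts(SAMPLE_EMAIL)` against a rendered campaign template: an empty `foreign_hosts` list and `pixel_on_own_domain` set to True is the state you want before sending.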

Using the text-only option for strict EU targets

For campaigns targeting contacts in Germany or other jurisdictions where consent requirements for tracking are most strictly interpreted, Instantly's Delivery Optimization Tool lets you send emails as plain text, which removes tracking pixels entirely. This is the safest configuration for high-sensitivity segments. Plain text also improves deliverability because spam filters skip HTML parsing entirely. The Instantly compliance onboarding guide covers Instantly's broader approach to legal compliance across its tracking features.

Managing opt-outs through Unibox

Instantly's Unibox consolidates replies across all your sending accounts into a single view. When a contact replies with "unsubscribe," "stop," or "remove me," your team sees it immediately without logging into multiple inboxes. This helps close the gap between receiving an opt-out reply and taking action, which is where compliance failures most often occur.

For a full walkthrough of campaign configuration including deliverability settings, the Instantly co-founder demo covers setup from scratch, and the Ultimate Guide to Cold Email Deliverability goes deeper on infrastructure decisions.

Compliance certifications and vendor posture

We maintain SOC 2 compliance and GDPR compliance through third-party security assessments, as confirmed by Instantly's security profile. The Instantly DPA references SOC 2 Type 2 audit reports and formalizes the service provider structure that both GDPR and CCPA require, meaning Instantly processes your data for your business purposes only, not for independent commercial use.

The future of open rates: Why engagement beats pixels

Before Apple MPP, open rates already gave you an imperfect signal. Now they actively mislead you. Apple accounts for nearly half of all email opens, and MPP pre-loads pixels on Apple's own servers. Post-rollout, your reported open rates inflate significantly without any increase in actual human engagement. According to Omeda's 6-month analysis of Apple MPP impact, both total and unique open rates nearly doubled after MPP launched, not because more people were reading emails, but because Apple's proxy servers were firing pixels automatically. Building a campaign strategy around that number means optimizing for a server, not a buyer.

You should measure reply rate instead. When someone replies, you get an intentional human action that no privacy filter can fake. It signals real interest, creates a natural conversation thread, and produces a CRM-ready outcome. Meetings booked follows as the second KPI: it maps directly to pipeline, survives CFO scrutiny, and ties your email program to closed revenue.

When you shift to reply-based measurement, you resolve much of the compliance tension around tracking. Measuring replies and meetings rather than pixel loads reduces the volume of PII you collect, lowers your exposure under GDPR's data minimization principle, and delivers a materially better prospect experience.

"The built-in warmup features and safety checks also ensure that I don't risk burning my domains." - Verified user on G2

For context on where cold email is heading in 2026 and why infrastructure choices now outweigh tactical variations, the future of cold email video covers the shift in practical terms.

Compliance is a system, not a one-time setting

You can make tracking privacy compliance a repeatable process: document your LIA, configure compliant infrastructure, maintain opt-out hygiene, purge old data on schedule, and review vendor contracts annually. When you follow this process, you protect two things at once: your legal standing and your sender reputation.

When you use a Custom Tracking Domain to isolate your reputation, you invest in both compliance and deliverability. Plain-text options for sensitive audiences reduce pixel risk and improve primary inbox placement simultaneously. Prioritizing replies over open rates reduces PII exposure and produces better pipeline data.

Ready to build a tracking setup that keeps you compliant and keeps your emails in the primary inbox? Start your free trial with Instantly and configure your Custom Tracking Domain in minutes.

FAQs

Is it illegal to track email opens in Germany?
Legal experts contest this question. Germany's TTDSG (Section 25) requires consent for tracking technologies on end-user devices, which technically covers email tracking pixels. For B2B cold email targeting German recipients, the safest configuration is Instantly's text-only send option, which removes the tracking pixel entirely and sidesteps the consent question.

Do I need a cookie banner for email tracking?
Cookie banners apply only to websites, not to email tracking. For email, the equivalent compliance step is a clear tracking disclosure in your privacy policy combined with a working unsubscribe link. The ePrivacy Directive analysis confirms the Directive applies to email pixels but does not prescribe the banner format used on websites.

What is the fine for violating GDPR with email marketing?
Documented enforcement actions for marketing violations have ranged from €3.3 million (Sky Italia, 2021) to €16.7 million (Wind Tre, 2020), per GDPR fines and penalties guidance. Maximum GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher.

Does Instantly comply with SOC 2 and GDPR?
We maintain SOC 2 compliance and GDPR compliance through third-party security assessments, with a formal Data Processing Addendum that establishes the service provider relationship required under both GDPR and CCPA. Contact Instantly directly to request the current audit reports.

Does CAN-SPAM cover email tracking pixels?
CAN-SPAM does not regulate tracking pixels directly, but you must follow its opt-out rules for all commercial B2B emails sent to US recipients. Under the FTC's CAN-SPAM compliance guide, you must honor opt-out requests within 10 business days, and each violating email can trigger a penalty of up to $53,088.

Key terms glossary

PII (Personally Identifiable Information): Data that can identify a specific individual, including email address and IP address. Under GDPR, IP addresses logged by tracking pixels qualify as PII and require a lawful basis for processing.

LIA (Legitimate Interest Assessment): An internal document that records the three-part test (purpose, necessity, balancing) required to use Legitimate Interest as a GDPR legal basis for data processing. It must exist on file before you rely on this basis.

Custom Tracking Domain: A subdomain you own (e.g., track.yourdomain.com) used in place of a shared platform tracking URL. It isolates your sender reputation from other users of the same platform and ensures domain consistency in your emails.

Apple MPP (Mail Privacy Protection): A feature that pre-loads email content, including tracking pixels, on Apple's proxy servers before a human sees the email. With Apple representing nearly half of all email opens, this makes open rate an unreliable engagement metric.

DPA (Data Processing Addendum): A contractual agreement between you and your email vendor that defines how personal data is processed and restricts the vendor to processing data only for your business purposes. Required under GDPR and commonly used under CCPA to establish service provider relationships and maintain exclusions from "sale" definitions.

ePrivacy Directive (ePD): An EU directive governing electronic communications privacy, including the use of tracking technologies on end-user devices. It operates alongside GDPR and applies to email pixels as well as website cookies, creating additional consent obligations beyond what GDPR's Legitimate Interest basis covers.