Tracked by spy pixels in E-Mails

March 3, 2021


Tracking technologies have become a major part of our daily interaction online. Most of the time we are aware that a company is observing and tracking us and often we assume that with a few clicks in the cookie settings we are somehow on the safe side. The privacy window, in which I can make the settings myself, even suggests a certain self-determination. So much for one side of tracking, the one we are more or less familiar with and accept – perhaps with some grudging acceptance.

Self-determination is not possible

The other side of tracking is much more subtle and happens entirely without our consent: through spy pixels in emails that not only show whether we have opened an email, but can monitor much more of our user behaviour.

In response to a request from the BBC, the US email service Hey from the company Basecamp recently analysed its traffic and found spy pixels in two-thirds of all emails (already spam-cleaned). According to Hey, the use of “invisible” tracking technologies in emails is now common and is intended to serve marketing purposes.

Online shopping has increased enormously since the beginning of the Corona pandemic and almost every online purchase requires an email address for verification – often even before the actual purchase. In terms of consumer protection, companies should – for all their understandable marketing interest – become more responsible and, above all, more transparent. In the BBC analysis, several companies stated the use of such technology in their general privacy policies. However, it is questionable whether such a reference is actually sufficient. Incidentally, the data collectors are not the big tech corporations like Google, Facebook and Co., but numerous other well-known companies, such as British Airways, Vodafone or Unilever.

Tracked by “invisible” spy pixels

The tracking pixels are usually a .GIF or .PNG file, 1×1 pixel in size, and are inserted into the header, footer or body text of an email. They are often transparent so that they cannot be recognised by the recipient. The recipient does not even have to click on a link to activate them: they are automatically active as soon as the email is opened.

Email pixels can be used to log

  • whether and when an email is opened,
  • how often it is opened,
  • which device or devices are involved,
  • the approximate physical location of users, derived from the internet protocol (IP) address.

It is also conceivable to merge this with information from the browser, which would allow usage patterns to be attributed to an email address, as well as linking it to other data sets. The co-founder of Hey, David Heinemeier Hansson, calls it

“a grotesque invasion of privacy”.

A study by Princeton University showed that the data collected is sometimes linked to users’ cookies. This means that a person’s email address can be linked to their other surfing habits, even if they switch from one device to another. “The resulting links between identities and web history profiles mask claims of ‘anonymous’ web tracking,” the study warned. In addition, “invisible beacons” can also be used for personalised follow-up campaigns.

Switch off tracking – is that possible?

It’s actually not that easy to switch off spy pixels. The email service Hey offers a paid subscription for this. (Free) plug-ins can be installed for other email programmes. Another possibility is to set the email client to block all images by default or to display emails as plain text only. Unfortunately, none of these options offers a guarantee that all trackers will actually be caught.

Data protection laws

In Europe, the General Data Protection Regulation (GDPR) of 2016 basically regulates the use of tracking pixels (in the UK: Privacy and Electronic Communications Regulations – PECR – of 2003). These require companies to inform recipients about the pixels and obtain their consent. The Court of Justice of the European Union (CJEU) ruled that such consent must be “explicit” and “a clear affirmative act”.

A simple mention in a website’s privacy notice would therefore appear to lack this “clear affirmative act”. Pat Walshe of Privacy Matters puts it this way:

“Merely placing something in a privacy notice is not consent, and it is hardly transparent. The fact that tracking will take place and what that entails should be put in front of the user and assume consent. The law is clear enough, what we need is regulatory enforcement. Just because this practice is widespread doesn’t mean it’s correct and acceptable.”

Digital sovereignty

“Invisible” tracking is diametrically opposed to digital sovereignty and deliberately prevents user self-determination. In terms of a sustainable digitalisation of processes and workflows as well as an appreciative and responsible approach to potential customers, this has to change.

