In the Working Party 29 Opinion 2/2006, Chairman Peter Schaar outlines services that track email opens:
This kind of service allows anybody subscribing to it, to know if an email sent by the subscriber
(a) has been read by the addressee(s),
(b) when it was read,
(c) how many times it has been read (or at least opened),
(d) if it has been transferred to others and
(e) to which email server, including its location.
Finally, it also allows knowing which type of web navigator and operating system the recipient of the email uses.
This more powerful and revealing form of email tracking is therefore materially different from the possibly familiar “delivery receipt” or “read receipt” offered by Exchange or Outlook services: the latter is permissions based and requires the recipient to opt-in before a read confirmation is delivered to the sender. Further, the confirmation would be limited to the email open, and not carry any of the additional data outlined above.
Email tracking, on the other hand, utilizes hidden tracking pixels (also referred to as “web bugs,” “web beacons,” “pixel tags,” “clear GIFs” and other monikers) to collect significantly more personal data from email recipients. One service, ReadNotify, made headlines when it was found that HP had attempted to use it to unmask the identify of a board member that was leaking information to the press.
These services have only proliferated since. In the enterprise space alone, G2Crowd scores 50+ such services on their market presence and customer satisfaction grid (and this does not even cover dozens of email marketing / bulk mailing tools such as MailChimp and Constant Contact, which also provide email tracking).
Many of these services offer simple-to-use browser plugins or mobile apps that allow any individual employee to send a tracked email to any desired recipient. In fact, many such apps offer free service tiers that will bypass typical corporate purchasing approval and compliance processes.
Very few email recipients are aware of, let alone protected from, such secret tracking attempts. From an technology perspective, protecting against email tracking can be disruptive to expected user experience because it requires a return to plain text emails which eliminates all of the formatting, pictures, and hyperlinks that users now expect and rely on in their emails. Company email administrators would therefore need to decide among a) retaining HTML functionality and exposing users to tracking, b) enforcing plain-text only emails to stop tracking, or c) adopt enterprise anti-tracking (also known as anti-spymail) protection.
In its current prevailing form, we expect email tracking to be categorically prohibited under the GDPR without express user consent. Note the following excerpt from the same WP29 opinion:
The Working Party 29 expresses the strongest opposition to this processing because personal data about addressees’ behaviour are recorded and transmitted without an unambiguous consent of a relevant addressee. This processing, performed secretly, is contradictory to the data protection principles requiring loyalty and transparency in the collection of personal data, provided by Article 10 of the Data Protection Directive.
In order to carry out the data processing activity consisting in retrieving from the recipient of an email, whether the recipient has read it and when and whether it has forwarded it to third parties, unambiguous consent from the recipient of the email is necessary. No other legal grounds justify this processing. Therefore, the data processing that is performed secretly is contradictory to the data protection principles requiring unambiguously given consent, laid down by Article 7 of the Data Protection Directive.
Given this WP29 opinion predates the GDPR, we reached out to several EU member state Data Protection Authorities (DPAs) to get their latest interpretation. On May 11, 2017, Dr. Sonja Branskat of Germany’s Federal Commissioner for Data Protection and Information Freedom cited the Working Party 29 Opinion 2/2006, and stated that:
“[A user of email tracking] will have to get consent according to article 6, 7 and maybe 8, if children are concerned, of the GDPR.”
Once the GDPR goes live, companies whose employees send tracked emails will need to be able to prove that recipients of such emails unambiguously consented to the monitoring of their behavior through the use of embedded tracking pixels.
This represents a significant departure from current practices. In our quick survey of enterprises that send tracked emails, we found none that currently collect clear, affirmative consent for such behavior monitoring. Some bury references to email tracking in their full privacy policies, but this would be insufficient specificity once the GDPR goes live.
Given the ease with which any user can employ email tracking without any assistance from the I.T. or compliance departments, it’s likely that most corporate compliance departments are unaware that email tracking is causing their employer to collect such protected personal data.
Businesses therefore must take steps to bring themselves back in compliance before May 2018. We suggest the following steps:
Adhering to the GDPR’s strict consent requirements will undoubtedly face some resistance from internal stakeholders who have previously used email tracking to substantial benefit (e.g., in terms of higher sales, increased leverage in negotiation, etc.). Ensuring proper compliance will therefore require a combination of technology solutions, process changes, and employee education.