The Italian version of this article has been published on May 26, 2026 on Diritto Bancario.
Operational compliance for banks and insurance companies in light of the Data Protection Authority’s ruling
This paper analyses the obligations and liabilities regarding tracking pixels in emails and soft spam arising from the Italian Data Protection Authority’s Provision No. 284 of 17 April 2026, focusing on operational compliance for banks and insurers.
1. Introduction: a provision that also affects credit and insurance institutions
Provision No. 284 adopted by the Italian Data Protection Authority on 17 April 2026 (“Provision”), setting out the Guidelines on the use of so-called “tracking pixels” in emails, is not a measure aimed exclusively at the world of e-commerce or general digital marketing. Its provisions have a significant impact on banks, financial intermediaries, insurance companies and, more generally, all supervised entities that make systematic use of email to communicate with their customers.
The reason is structural. The banking and insurance sectors are among the most intensive users of email, employing it both for promotional campaigns on investment products, life insurance policies, current accounts and mortgages, and for service notifications regarding transactions carried out, contractual changes and deadlines. Added to this are cross-selling and upselling initiatives targeting existing customers, as well as mandatory compliance requirements, such as MiFID disclosures, IVASS communications and anti-fraud alerts. In almost all these categories, tracking pixels are inserted (often unknowingly, via marketing automation platforms or SaaS providers) to track opens, devices, viewing times and the number of subsequent visits.
The Provision now requires a systematic review of these processing activities, introduces general information obligations, a structured consent framework and a granular right of withdrawal that allows the recipient to refuse tracking without having to unsubscribe from the communications themselves. The deadline for compliance is set at six months from the publication of the Provision in the Official Gazette, which took place in Official Gazette No. 98 of 29 April 2026; the compliance process must therefore commence without delay in order to ensure full compliance by 29 October 2026.
2. The applicable regulatory framework: Articles 122 and 130 of the Privacy Code, the e-Privacy Directive, the GDPR
2.1 The structure of the dual regulatory framework
The Provision operates across two distinct regulatory levels which, whilst partially overlapping, each retain their own independent scope of application.
The first is that of Article 122 of Legislative Decree 196/2003 (“Privacy Code”), which implements Article 5(3) of the e-Privacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC). The provision stipulates that, in order to store information on the user’s device, or to access information already present on it, the informed consent of the data subject is required, subject to specific exceptions. The Data Protection Authority has classified tracking pixels under both scenarios governed by the provision.
The second provision is Article 130 of the Privacy Code, which governs the sending of promotional communications via email and other automated means. Paragraph 1, without prejudice to Articles 8 and 21 of Legislative Decree 70/2003, establishes the rule of prior consent for the use of automated calling or communication systems without the intervention of an operator for the sending of advertising or direct sales material, for the conduct of market research or for commercial communication; paragraph 2 extends the same prior consent regime to communications made for the same purposes via email, fax, SMS, MMS or other means; paragraph 4 provides the exemption for so-called ‘soft spam’, covering communications to customers with an existing contractual relationship; and paragraph 5 lays down the absolute prohibition on communications where the sender’s identity is concealed.
Although the two frameworks overlap in part, they do not coincide. A communication may be lawful under Article 130, because it is sent as ‘soft spam’ to an existing customer, yet unlawful under Article 122, because it contains an individualised tracking pixel inserted without separate consent.
2.2 Regulation (EU) 2016/679 (“GDPR”) as the general framework and the exclusion of legitimate interest
The GDPR constitutes the regulatory framework of reference for all processing of personal data, but gives way when the e-Privacy Directive — and the related national transposition rules contained in the Privacy Code — intervene with more specific provisions. In such cases, the provisions of the Privacy Code prevail as lex specialis. The practical consequence is that, to identify the legal basis for processing falling within the scope of the e-Privacy Directive, one cannot freely draw upon the list in Article 6 of the GDPR: one must first look to the provisions of the Privacy Code, and only as a last resort to the Regulation.
For banking and insurance practice, this regulatory hierarchy has a significant consequence: the legitimate interest referred to in Article 6(1)(f) of the GDPR cannot be invoked as the basis for either email marketing or pixel tracking. Article 130(2) of the Privacy Code does not include it among the grounds for lawfulness, and the same applies to Article 122. The exclusion is absolute and does not allow for any balancing of interests. This does not mean, however, that every promotional communication via email requires consent: Article 130(4) provides for the mechanism of so-called ‘soft spam’ (see below, § 4), which allows sending without consent where five cumulative conditions are met. Soft spam is not based on the legitimate interest under the GDPR, but constitutes an autonomous and specific derogation provided for by the e-Privacy Directive, as transposed in Article 130(4), which operates on its own terms. As for tracking pixels, even when sending is lawful under the soft spam regime, the individualised pixel requires an independent legal basis pursuant to Article 122, identified by the Data Protection Authority as specific consent or the fulfilment of one of the three exceptions specified in the provision (see below, § 4.4).
The implications of this exclusion for the correct indication of the legal basis in privacy notices — an aspect that is frequently disregarded in banking and insurance practice — are examined below (see below, § 4.3).
2.3 The constitutional classification of correspondence and its significance for the sector
The Data Protection Authority has attributed independent significance to the nature of the communication channel, classifying the email service as inherently intended to convey private content, also in view of the constitutionally significant right to the confidentiality and inviolability of correspondence, with reference to Article 15 of the Constitution and Article 8 of the ECHR.
For banks and insurance companies, this means that the level of protection required for the email channel is structurally higher than that applicable to tracking tools on websites. The enforcement principles regarding cookies cannot be transposed to email, which enjoys enhanced protection rooted in the fundamental right to the secrecy of correspondence.
3. The technical mechanism of the pixel and its legal classification
3.1 How tracking pixels work in banking and insurance emails
Tracking pixels inserted into email messages are images, often transparent and very small in size, which are not directly contained within the email but hosted on remote servers. Each time the recipient opens the message, HTML code embedded in the body of the email automatically triggers a request to the sender’s server; in response, the image is downloaded by the email client and stored in the user’s device memory.
This process allows the sender to detect whether the email has been opened, the recipient’s IP address, the type of device used, the time of viewing and the number of subsequent openings. In the marketing automation platforms used in the banking sector (Salesforce Marketing Cloud, Adobe Campaign, HubSpot, Mailchimp and similar), tracking pixels are almost always enabled by default to calculate open rates, click-through rates and feed behavioural scoring engines.
The Data Protection Authority has also noted that there is no standardisation of tracking pixel names, nor is there a universally agreed coding or syntax. It follows that identifying pixels in email templates requires a detailed technical analysis of the HTML code, and demonstrating compliance necessitates a systematic technical audit process.
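The technical audit described above can be started with a template scanner. The following is an added example, not code from the article or from any of the platforms it names: it parses the <img> elements of an email template, keeps those that are remotely hosted and invisible (tiny or hidden by style), and classifies each as individualised (a merge field or opaque token in the URL) or statistical (identical URL for every recipient), flagging third-party hosts. The merge-field syntaxes, the domain names and the sample template are constructed assumptions.

```python
"""Audit an email HTML template for tracking pixels (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import re

# Merge-field placeholders in the syntaxes used by common automation
# platforms (assumed: {{...}}, %%...%%, *|...|*, ${...}).
MERGE_FIELD = re.compile(r"(\{\{.*?\}\}|%%.*?%%|\*\|.*?\|\*|\$\{.*?\})")
# A long opaque token in a query value is treated as a recipient identifier.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


class _ImgCollector(HTMLParser):
    """Collects the attribute dictionaries of every <img> in the template."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if width/height attributes or the inline style make the image invisible."""
    for key in ("width", "height"):
        val = attrs.get(key, "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden_markers = ("display:none", "visibility:hidden",
                      "width:1px", "height:1px", "width:0", "height:0")
    return any(marker in style for marker in hidden_markers)


def _identifier_params(url):
    """Names of query parameters (or '<path>') that carry a per-recipient identifier."""
    parsed = urlparse(url)
    found = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if any(MERGE_FIELD.search(v) or OPAQUE_TOKEN.match(v) for v in values):
            found.append(name)
    if MERGE_FIELD.search(parsed.path):   # e.g. /open/{{contact_id}}.gif
        found.append("<path>")
    return found


def audit_template(html, own_domains=()):
    """Return one finding per suspected tracking pixel in the template.

    A finding is 'individualised' when the URL carries a recipient identifier
    and 'statistical' otherwise. Note that the URL alone cannot show whether
    the server side anonymises IP address and client data, which the
    statistical exception also requires; that must be checked with the provider.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or not _is_hidden(img):
            continue   # inline or visible image: not a pixel under this heuristic
        ids = _identifier_params(src)
        findings.append({
            "src": src,
            "kind": "individualised" if ids else "statistical",
            "identifier_params": ids,
            "third_party": not any(host == d or host.endswith("." + d) for d in own_domains),
        })
    return findings


# Constructed sample template: a visible logo, an individualised pixel on the
# bank's own tracking host and a statistical pixel on a vendor host.
SAMPLE_TEMPLATE = """
<html><body>
<img src="https://cdn.example-bank.test/logo.png" width="200" height="60" alt="logo">
<p>Dear {{first_name}}, discover our new mortgage offer.</p>
<img src="https://track.example-bank.test/o.gif?cid={{contact_id}}&c=mortgage2026"
     width="1" height="1" style="display:none">
<img src="https://stats.mailvendor.test/px.gif?campaign=mortgage2026" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE, own_domains=("example-bank.test",)):
        print(finding)
```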
3.2 Data collected by the pixel: relevance for banking and insurance profiling
A single tracking pixel is capable of collecting a wide range of information: the unique identifier associated with the recipient, the IP address, the type of email client used (webmail, mobile app or desktop client), the operating system, the date and time of opening, as well as the number of subsequent re-openings. When this data is cross-referenced with information already held by the bank or insurance company — such as the customer’s personal details, the portfolio of products held and transaction history — it can feed into behavioural profiling models with significant implications for commercial offers, pricing and retention strategies.
It is precisely this profiling aspect that lies at the heart of the rationale behind the provision. Tracking pixels, in fact, are particularly invasive markers due to their hidden nature, and their installation — unbeknownst to the data subject — constitutes a breach of the principle of fairness enshrined in Article 5(1)(a) of the GDPR.
4. Soft spam in the banking and insurance sectors: conditions, limits and intersection with tracking
4.1 The soft spam exemption and its relevance in the sector
Article 130(4) of the Privacy Code provides that the data controller may use the email address provided by the data subject in the context of the sale of a product or service for the direct marketing of its own similar products or services, without obtaining new consent, provided that the data subject, having been adequately informed, does not object to such use, either initially or in subsequent communications.
For banks and insurance companies, this provision is of paramount practical importance, as it represents the legal instrument through which it is possible to offer a current account holder a mortgage, or a customer who has taken out a motor insurance policy the purchase of life insurance. As already clarified (see above, § 2.2), soft spam does not derive its basis from the legitimate interest provided for by the GDPR, but rather constitutes an autonomous and self-sufficient exemption, rooted directly in Article 130(4) of the Privacy Code. The conditions governing its applicability are cumulative in nature and must be interpreted restrictively.
4.2 The five cumulative conditions and their implications for banks and insurance companies
- Previous contractual relationship for consideration. The Court of Cassation has clarified that the concept of ‘sale’ must be interpreted strictly, as the exemption may only apply where a contract for consideration has already been concluded (see Court of Cassation, First Civil Section, 15 March 2023, No. 7555). In light of this approach, the following fall outside the scope: a customer who has requested a quote without signing any contract; a lead acquired via a web form without the relationship being finalised; and a customer in the onboarding phase that has not yet been completed;
- Identity of the data controller. The exemption cannot be invoked by any party other than the original data controller. Networks of agents, financial advisors and insurance brokers may not independently make use of this mechanism for their own promotional campaigns. By way of example, a data processor who reuses data without specific instructions from the data controller is processing data without authorisation; in this regard, see the Data Protection Authority’s ruling of 12 February 2026 (web doc. no. 10227039) concerning Bressanelli Galli Gelpi Porta & C. S.r.l., in which an insurance intermediary had reused data collected in its capacity as a data processor for its own marketing purposes;
- Product similarity. The products covered by the promotion must be similar to those in the original contract. The assessment must be conducted strictly and on a case-by-case basis: for institutions with a diversified offering (bancassurance, asset management, consumer credit, mortgages), similarity cannot be presumed merely because the products fall within the same group scope;
- Contextual and ongoing information. The data subject must be given the opportunity to object both at the time the address is collected and on the occasion of any subsequent communication. Initial refusal may also be expressed by accessing one’s personal account after signing the contract. It follows that pre-contractual and contractual disclosures, the so-called KIDs (Key Information Documents) and the MiFID/IVASS information packs must contain an explicit and clear reference to the right to object to soft spam, without relegating it to footnotes; and
- A genuine, unconditional opt-out. The mere availability of an opt-out link does not retrospectively remedy an unlawful sending: it is the sending of the email itself that is deemed to be without foundation if the conditions of lawfulness are not met from the outset (see the Data Protection Authority’s ruling of 11 September 2025, web doc. no. 10224441, concerning ISV Group S.r.l.s. and Ismax S.r.l.s.). In other words, the opt-out must prevent the sending of the email, not merely interrupt it.
At an operational level, the five cumulative conditions described above require credit institutions and insurance companies to make a series of structural adjustments affecting both business processes and information systems. Firstly, the restrictive interpretation of the requirement for a contract for consideration excludes from the scope of soft spam entire categories of contacts who, in banking practice, are frequently recipients of promotional communications. This necessitates the rigorous segmentation of the customer database, distinguishing between contractual relationships that have been finalised and those that have merely been initiated or are in the preliminary stage.
Furthermore, the requirement for product similarity obliges banking and insurance operators with a diversified offering to prepare product-by-product correspondence matrices, without automatically assuming similarity between heterogeneous product categories, such as, for example, between a current account and a life insurance policy. On the procedural side, the obligation to ensure an effective and unconditional opt-out mechanism requires that CRM systems be equipped with real-time opt-out functionality, so as to prevent the sending of further communications from the very moment the opt-out is recorded, without any technical or organisational delays. Finally, since soft spam legitimises only the sending of the communication and not the tracking of the recipient via individualised pixels, banks are required to decouple these two aspects when configuring marketing automation platforms. Emails sent under the soft spam regime must therefore be free of individualised pixels or contain only statistical and anonymised pixels.
4.3 The issue of the privacy notice as a legal basis: the error to be corrected
As already highlighted (see above, § 2.2), the indication of legitimate interest as the legal basis for email marketing is incorrect. The privacy notice must refer, as appropriate, to consent pursuant to Article 130(1) and (2) of the Privacy Code for promotional communications based on that ground, or to the derogation pursuant to Article 130(4) for those sent under the soft spam regime. Article 6(1)(f) of the GDPR cannot under any circumstances be cited as the legal basis for such processing.
The erroneous identification of the legal basis in the privacy notice constitutes, in itself, a breach of the principle of transparency under Article 5(1)(a) of the GDPR and of the requirements of Articles 13–14 of the GDPR, with the potential for separate penalties. Privacy notices containing such discrepancies must therefore be rectified within six months of the publication of the Provision in the Official Gazette.
4.4 The intersection between soft spam and tracking pixels: the dual burden
The key point is that soft spam and tracking via pixels operate under distinct and separate regulatory frameworks. The fact that an email is lawfully sent under the soft spam regime does not imply that the pixel embedded in that same email is also lawful.
Soft spam, based on Article 130(4), allows emails to be sent without consent, but tracking pixels fall under Article 122, which requires a separate legal basis. A soft spam email containing an individualised pixel is lawful as regards sending but unlawful as regards tracking, unless one of the three exceptions specified by the Data Protection Authority applies or specific consent has been obtained. The data controller therefore has two options: to obtain separate consent for the pixel, or to use only anonymised statistical pixels.
The three exceptions to the consent requirement for pixels are:
- anonymised aggregate statistics, with unique pixels identical for all recipients and anonymisation of the related technical data;
- security measures relating to the user authentication process, such as verifying the actual receipt of an OTP code or an identity confirmation link;
- institutional or service messages which the data controller is legally obliged to send and for which it verifies that the recipient has actually taken note of them.
For the banking and insurance sectors, the third exemption is of particular relevance: communications regarding contractual changes, security incidents, mandatory IVASS communications and anti-fraud alerts may benefit from the exemption, provided that tracking serves to verify acknowledgement and is not used for profiling.
5. Practical implications for banks and insurers: a breakdown by type of communication
5.1 Promotional emails and DEM (Direct Email Marketing)
DEM campaigns constitute the category of communication most at risk from a compliance perspective. The reason lies in the need for a two-fold condition of lawfulness: on the one hand, sending promotional communications requires the prior consent of the data subject pursuant to Article 130, paragraphs 1 and 2, of the Privacy Code; on the other hand, the inclusion of an individualised tracking pixel in the email requires separate consent pursuant to Article 122. It follows that no DEM containing an individualised (i.e. tracking) pixel may be lawfully sent in the absence of both consents. Where the recipient is a customer with an existing contractual relationship and the promoted product is similar to the one already subscribed to, the email may be sent under the soft spam regime without marketing consent; however, even in this case, the pixel continues to require a separate legal basis and cannot benefit from the same exemption.
The dual requirement for lawfulness does not, however, necessarily entail the collection of two separate expressions of consent. The Data Protection Authority does, in fact, allow for the possibility of a single consent: consent to tracking via pixels may be included in the same expression of consent by which the data subject agrees to receive promotional communications, without the need for a separate request, provided that the wording is neutral, free from coercion and contains a clear and explicit reference to the presence of the tracking pixel and the related tracking purposes. Marketing consent forms must therefore be updated to include this information, so that the data subject is in a position to understand that, by giving consent, they authorise not only the receipt of communications but also the monitoring of their interaction with them.
5.2 Statutory communications
Communications which the data controller is legally obliged to send (e.g. MiFID II disclosures, PRIIPs KIDs, IVASS communications pursuant to Article 185 of the Insurance Code, notices pursuant to Article 118 of the Consolidated Banking Act, and notifications of personal data breaches to the data subject pursuant to Article 34 of the GDPR) fall under the third exception, which excludes the need for pixel consent for institutional messages where actual acknowledgement is required.
The critical point is that the exemption applies only when tracking serves to verify acknowledgement and cannot be used to derive profiling information. The pixel in a communication pursuant to Article 118 of the Consolidated Banking Act may detect whether the customer has opened the email; it cannot be linked to a profiling engine.
5.3 Newsletters and editorial communications
For newsletters (market updates, financial analyses, institutional press releases), the Data Protection Authority requires consent both for sending (Article 130, paragraphs 1 and 2) and for individualised tracking (Article 122). Soft spam does not apply because the newsletter does not constitute direct sales of similar products.
5.4 Upselling and cross-selling campaigns via distribution networks
Banks and insurance companies frequently make use of external distribution networks that send commercial communications to end customers. The distinction between the data controller and the data processor is often unclear, and the use of soft spam by entities with no direct contractual relationship with the customer is systematically at risk.
The Bressanelli Galli Gelpi Porta case (see above, § 4.2) is a prime example of this risk; indeed, the unauthorised reuse of data by the intermediary also exposes the principal data controller to reputational consequences and the need to revise contractual standards for the entire network.
6. Liability profiles: the data controller, SaaS providers, distribution networks
The banks’ email marketing ecosystem typically comprises a variety of entities, ranging from the marketing automation platform to the email delivery provider, from the creative agency to third-party data providers, each of which may assume an independent role in terms of data protection. The Data Protection Authority is aware of this and, in the Provision, identifies five distinct entities (sender, SaaS provider, list provider, tracking technology provider and content creator), without, however, rigidly categorising their roles: classification is left to a case-by-case assessment, also in light of Article 26 of the Regulation concerning joint controllership. It follows that every organisation is required to prepare a documented mapping of its email supply chain, accurately reconstructing the data flows and the responsibilities of each party involved.
The importance of this exercise is confirmed by sanctioning practice. In the decision of 11 September 2025 (web doc. no. 10224441) against ISV Group S.r.l.s. and Ismax S.r.l.s., the Data Protection Authority established that the data controller is liable for violations committed by the supplier whenever it has failed to adopt adequate control measures, both in selecting and in supervising the supplier.
The same principle extends to the management of external distribution networks. Banks and companies that make use of them are required to establish contractually the scope and limits of processing, including the prohibition on agents’ independent use of soft spam, the prohibition on inserting unauthorised pixels and the procedures for managing objections. The absence of adequate contractual instructions does not exempt the data controller from liability for infringements committed by intermediaries; accountability must therefore be demonstrated through concrete and documented precautions.
Finally, the entire system is governed by Article 130(6) of the Privacy Code, which grants the Data Protection Authority a further corrective power: in the event of repeated breaches of the provisions on unsolicited communications, the Authority may order electronic communications service providers to activate filtering procedures on the email addresses from which the unlawful messages were sent. This is a particularly significant measure for credit institutions, as filtering may result in the operational blocking of email channels used for customer communications, with consequences extending far beyond financial penalties. This possibility makes it all the more urgent for banks and insurance companies to rigorously oversee the entire chain of responsibility.
7. Operational adjustments: CRM, internal processes, contracts with third parties, training
7.1 Redesign of the consent architecture in the CRM
To comply with the Provision, the banking CRM system must be capable of managing at least four distinct statuses for each customer contact, integrating them into the sending logic in a consistent and automated manner.
The first status concerns consent to promotional communications pursuant to Article 130, paragraphs 1 and 2, of the Privacy Code. The second relates to eligibility for soft spam under Article 130, paragraph 4, and requires automatic verification of the existence of a concluded contract for consideration, product similarity, and the absence of objection by the data subject. The third status records any specific objection to soft spam, whilst the fourth tracks consent to tracking pixels, distinguishing between individualised, statistical or denied tracking.
Why is this integrated architecture so important? Because a CRM that manages marketing consent and soft spam as separate silos, lacking mutual interoperability, is structurally non-compliant. This is demonstrated by the Data Protection Authority’s ruling of 17 July 2024 (web doc. no. 10084158) against Iliad Italia S.p.A., which was fined €50,000 for circumventing the data subject’s wish not to receive promotional communications by sending them via the soft spam channel anyway.
In operational terms, the resulting sending rule can be summarised as follows: a contact receives a promotional email with individualised tracking only if they have given both marketing consent and pixel consent; they receive communications via soft spam — but without individualised tracking — only if they are eligible, have not expressed objection and the pixel is configured in anonymised statistical mode; finally, they receive no communications at all if they have expressed their objection in any form.
7.2 The right to granular withdrawal: technical and communication impacts
Among the changes with the greatest practical impact introduced by the Provision, the right to granular withdrawal stands out. Essentially, the user is no longer forced to choose between ‘all or nothing’: they can withdraw consent entirely, stopping the receipt of any messages, or partially, refusing only tracking via pixels and continuing to receive communications without such markers.
In practical terms, this means that every email must contain a link to a preferences management page where the customer can easily choose between unsubscribing entirely and opting out of tracking only. For banks, the most effective solution is to integrate this page into the customer’s personal area, making it accessible via a direct link as well.
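The sending rule of § 7.1 and the granular withdrawal of § 7.2 can be expressed as one gating function evaluated at send time. This is an added example, not code from the article or from any CRM product: it models the four contact statuses (marketing consent, soft spam eligibility, objection, pixel consent), derives the tracking mode the platform may use for each message, and lets a contact withdraw either everything or tracking alone. The product similarity matrix, field names and sample contacts are constructed assumptions.

```python
"""Consent-gated sending rule for a banking CRM (added example)."""
from dataclasses import dataclass
from enum import Enum


class PixelConsent(Enum):
    INDIVIDUALISED = "individualised"   # consent under Art. 122 obtained
    STATISTICAL = "statistical"         # only anonymised aggregate pixels
    DENIED = "denied"                   # tracking refused (granular withdrawal)


@dataclass
class Contact:
    marketing_consent: bool             # status 1: consent under Art. 130(1)-(2)
    concluded_contract: bool            # status 2 input: contract for consideration exists
    products_held: frozenset            # status 2 input: products actually subscribed
    objection: bool                     # status 3: objection expressed in any form
    pixel_consent: PixelConsent         # status 4


# Constructed product-by-product similarity matrix (section 4.2): only listed
# pairs count as similar; nothing is presumed from membership of the same group.
SIMILAR_PRODUCTS = {
    "current_account": {"current_account", "deposit_account", "payment_card"},
    "mortgage": {"mortgage", "personal_loan"},
    "motor_policy": {"motor_policy", "home_policy"},
}


def soft_spam_eligible(contact, promoted_product):
    """Status 2: the Art. 130(4) conditions, verified automatically at send time."""
    if not contact.concluded_contract or contact.objection:
        return False
    return any(promoted_product in SIMILAR_PRODUCTS.get(held, set())
               for held in contact.products_held)


def sending_decision(contact, promoted_product, message_type="promotional"):
    """Return (action, tracking_mode) for one contact and one message.

    action is "send" or "suppress"; tracking_mode is "individualised",
    "statistical", "none" or "acknowledgement" (service messages only).
    """
    if message_type == "service":
        # Statutory and service messages go out regardless of marketing status;
        # a pixel may only verify acknowledgement (third exception), never profile.
        return "send", "acknowledgement"
    if contact.objection:
        return "suppress", "none"        # objection in any form stops every promotion
    if contact.marketing_consent:
        if contact.pixel_consent is PixelConsent.INDIVIDUALISED:
            return "send", "individualised"
        if contact.pixel_consent is PixelConsent.STATISTICAL:
            return "send", "statistical"
        return "send", "none"
    if soft_spam_eligible(contact, promoted_product):
        # Soft spam legitimises sending only: never an individualised pixel here,
        # whatever the pixel status says (sending and tracking are decoupled).
        mode = "none" if contact.pixel_consent is PixelConsent.DENIED else "statistical"
        return "send", mode
    return "suppress", "none"


def withdraw(contact, scope):
    """Granular withdrawal: 'all' stops every promotional message, 'tracking'
    refuses pixels while communications continue. Takes effect on the next
    sending_decision, i.e. in real time with no suppression-list delay."""
    if scope == "all":
        contact.marketing_consent = False
        contact.objection = True
    elif scope == "tracking":
        contact.pixel_consent = PixelConsent.DENIED
    else:
        raise ValueError("scope must be 'all' or 'tracking'")
    return contact


if __name__ == "__main__":
    # Constructed contact: current account holder who gave both consents.
    customer = Contact(True, True, frozenset({"current_account"}), False,
                       PixelConsent.INDIVIDUALISED)
    print(sending_decision(customer, "mortgage"))          # ('send', 'individualised')
    withdraw(customer, "tracking")
    print(sending_decision(customer, "mortgage"))          # ('send', 'none')
```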
7.3 Updating privacy notices and communicating with existing customers
The principle is clear: all data controllers already using tracking pixels are required to inform data subjects appropriately; otherwise, data collected via pixels becomes unusable. Compliance involves three areas: revising pre-contractual and contractual notices, updating the privacy section of the corporate website, and sending a targeted communication to customers who have already received emails containing pixels.
For processing operations already underway, the Data Protection Authority has provided a pragmatic solution: the data controller may use the next available opportunity — that is, the first point of interruption in the relationship with the customer — to address the information gap, without having to issue a separate notification.
7.4 The structure of the notice for consent to tracking via pixels
The notice regarding tracking via pixels must meet specific requirements, both in terms of content and form, in addition to those already set out in Articles 13 and 14 of the GDPR. As regards content, the notice must clearly indicate: (a) the presence of tracking pixels in emails sent by the data controller; (b) the nature of the data collected, such as IP address, device type, operating system, date and time of opening, and number of subsequent re-openings; (c) the purposes of tracking, distinguishing between aggregated statistics and individualised profiling; (d) the legal basis, which, as already clarified (see above, § 4.3), must be identified as consent pursuant to Article 122 of the Privacy Code or, where applicable, in one of the three exceptions set out in the Provision, and never in the legitimate interest pursuant to Article 6(1)(f) of the GDPR; and (e) the procedures for exercising the right to granular withdrawal, specifying that it is possible to refuse tracking alone without opting out of receiving communications.
Formally speaking, the notice must be clearly distinguishable and cannot be ‘hidden’ within generic clauses or in residual sections of the privacy policy. For banks and insurance companies, this means including a section dedicated to pixel tracking within the pre-contractual and contractual notices, with appropriate visual prominence. Consent to tracking, where required, must be obtained through a positive and unambiguous action by the data subject. As already stated (see above, § 5.1), the Data Protection Authority accepts the possibility of a single consent covering both the receipt of promotional communications and tracking via pixels, without the need for two separate expressions of will, provided that the request is formulated in a neutral manner, without coercion, and contains an explicit reference to the presence and purposes of the pixel. Consent to tracking must in any case remain distinct from acceptance of the general terms and conditions of contract. It remains understood that refusal to consent to tracking may not affect either the provision of the service or the receipt of service communications or those required by law.
7.5 Review of contracts with email supply chain providers
Data Processing Agreements entered into with email supply chain providers must undergo a targeted review, covering at least four key aspects: the provider’s obligation to declare all pixels embedded by default in their platforms; the technical possibility of sending emails without any tracking pixels; real-time updating of the suppression list; and the recognition of the data controller’s right to audit the supplier’s compliance with the Provision.
With regard to contracts with list providers and distribution networks, it is of central importance to include a declaration and warranty certifying that all email addresses have been collected on the basis of valid consent, accompanied by an obligation on the supplier to pay compensation in the event that a penalty is attributable to data supplied by them.
As for contracts with creative agencies and content creators, it must be stipulated that every HTML template delivered is free of undeclared third-party pixels and that any subsequent modification introducing new pixels is subject to the prior approval of the data controller or the DPO.
7.6 Staff training and handling of objections
Staff training is not merely a formal requirement: the Data Protection Authority has expressly highlighted it as a mitigating corrective measure in determining the level of penalties, which also makes it a strategic investment from a defensive perspective. Training programmes must be tailored to the professional profile of the recipients.
For marketing teams, training must ensure a full understanding of the dual regulatory framework under Articles 122 and 130 of the Privacy Code, the ability to identify pixels present in delivery platforms, mastery of procedures for configuring tracking in anonymised statistical mode, and the timely management of opt-outs, with the suppression list updated within 24–48 hours. It should also be reiterated that, in the absence of consent, it is not possible to send promotional communications even when using data taken from public registers or certified email addresses extracted from the national index.
With regard to sales teams and staff working in distribution networks, the training content must make it clear that soft spam is not permissible in the absence of an actually concluded contract and that a mere attempt to purchase by the customer does not constitute an exemption. It is also essential that staff are able to distinguish between an individual follow-up and a structured email campaign, and that informal requests for unsubscription, however received, are promptly channelled into the formal opt-out management system, within predefined and documented timeframes.
8. The transitional regime and deadlines
The Authority sets a six-month deadline from the publication of the Provision in the Official Gazette to comply with the requirements contained therein. For banks and insurance companies, this deadline, expiring on 29 October 2026 (see above, § 1), must be treated as a project deadline to which a structured compliance plan must be attached. With regard to processing operations already in progress, the data controller, having fulfilled the information obligations, is required to implement a mechanism for the withdrawal of consent, including on a granular basis; this is a transitional regime, intended to be phased out progressively as relationships are brought back under the ordinary regime.
For future processing operations, such as new campaigns, new contracts and new customers, the rule of prior consent at the pixel level applies immediately, without the possibility of availing oneself of the transitional regime. Taking into account the deadlines set by the Data Protection Authority and the complexity of the adjustments required for large organisations, the recommended sequence for banks and insurance companies is divided into four successive phases.
In the first phase, a technical audit of the customer database must be carried out to classify records by legal basis (marketing consent, soft spam, tracking pixel exemption), identify all tracking pixels present in email templates through HTML code analysis, verify the CRM architecture for the introduction of the so-called ‘pixel_consent’ field, and update privacy notices with explicit reference to tracking pixels. In the second phase, it is necessary to configure the dynamic footer with granular links to preferences, review the DPAs with email platform providers, update the contractual clauses with the distribution network, and launch training programmes for the teams involved.
In the third phase, re-permission automation for inactive contacts is implemented, the first information notice regarding pixels is sent to customers under the current soft spam regime, and verification is carried out to ensure that platforms are configured to comply with pixel_consent at the individual contact level. In the final phase, the update of the Record of Processing Activities must be completed, training programmes concluded with documented records, and all internal procedures for managing consents and objections adapted accordingly.
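The HTML code analysis called for in the first phase can be automated. What follows is an added example, not code from the article or from any email platform vendor: a Python audit script that scans an email template for image tags that look like tracking pixels (pixel-sized or hidden images, tracking-like URL paths, per-recipient identifiers in the query string) and flags those served from hosts outside an allow-list of first-party domains. The detection heuristics, the sample template and the host names are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristics for the audit step. These patterns are assumptions chosen for the
# example, not criteria taken from the Provision.
TRACKING_PATH_RE = re.compile(r"(open|track|pixel|beacon|\.gif$)", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*[01](px)?\b",
    re.IGNORECASE,
)

# Constructed allow-list: hosts the bank controls itself.
FIRST_PARTY_HOSTS = {"bank.example", "www.bank.example"}

# Constructed sample template: a logo, a service text, an ESP open-tracking
# pixel, a hidden third-party beacon and a normal promo image.
SAMPLE_TEMPLATE = """
<html><body>
<img src="https://www.bank.example/img/logo.png" width="200" height="60" alt="Bank">
<p>Your monthly statement is available.</p>
<img src="https://mail.esp.example/o/abc123.gif" width="1" height="1" style="display:none">
<img src="https://analytics.example/p?u=4242" style="display:none;width:0;height:0">
<img src="https://www.bank.example/img/promo.jpg?v=2" width="600" height="300">
</body></html>
"""


@dataclass
class PixelFinding:
    src: str
    host: str
    reasons: list[str]
    third_party: bool


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (pixel-sized image)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the template."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))


def find_tracking_pixels(html, first_party_hosts):
    """Return one PixelFinding per <img> that looks like a tracking pixel."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.imgs:
        src = attrs.get("src") or ""
        if not src:
            continue
        parts = urlsplit(src)
        reasons = []
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("1x1 or 0x0 dimensions")
        if HIDDEN_STYLE_RE.search(attrs.get("style") or ""):
            reasons.append("hidden via inline style")
        if TRACKING_PATH_RE.search(parts.path):
            reasons.append("tracking-like URL path")
        if not reasons:
            continue  # a visible, normally named image is not a pixel
        if parts.query:
            reasons.append("identifier carried in query string")
        host = parts.hostname or ""
        findings.append(PixelFinding(src, host, reasons, host not in first_party_hosts))
    return findings


def template_is_pixel_free(html, first_party_hosts):
    """Gate for the 'no tracking pixel' sending mode required without consent."""
    return not find_tracking_pixels(html, first_party_hosts)


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_TEMPLATE, FIRST_PARTY_HOSTS):
        print(f.host, "third-party" if f.third_party else "first-party", f.reasons)
```

Run over every template before it is approved for use; any non-empty result for a template destined to contacts without pixel consent means the template (or the platform default that injects the pixel) has to be changed before sending.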
9. Operational conclusions: a roadmap for the sector
Provision No. 284/2026 is not a niche measure. For banks and insurance companies, which communicate with millions of customers via email, use platforms with tracking enabled by default and rely on complex distribution networks, the intervention has systemic implications.
The key points emerging from a coordinated reading of the provision alongside sanctioning practice are as follows.
- Legitimate interest is not a legal basis that can be used for either email marketing or tracking pixels. The special provisions of the Privacy Code prevail as lex specialis, and incorrect privacy notices must be corrected within the compliance deadline.
- Soft spam is legitimate but strictly limited: it is based on Article 130(4) of the Privacy Code and not on legitimate interest. It only works where a contract for consideration has been concluded, the sender’s identity is known, there is a product similarity, an adequate privacy notice is provided, and a functioning opt-out mechanism is in place. Above all, it legitimises the sending of messages but not tracking: individualised tracking pixels require separate consent or must be replaced with anonymised statistical pixels.
- Tracking pixels must be managed separately from the legal basis for sending the messages. The three exceptions to consent have a strict and non-extendable scope; outside of these, specific consent is the sole prerequisite for lawfulness.
- The CRM must be redesigned to manage the four contact statuses (marketing consent, soft spam eligibility, soft spam objection, pixel consent) in an integrated manner, with sending logic that correctly reflects the customer’s wishes without causing confusion.
- Third-party suppliers, such as SaaS platforms, creative agencies, list providers and distribution networks, must be contractually bound by specific clauses regarding pixels, suppression lists, audits and compliance guarantees. A lack of due diligence in selection and supervision exposes the data controller to joint and several liability for partners’ breaches.
- Documentation is the primary defence: every mailing must be tracked with reference to the legal basis used; every opt-out must be recorded and updated in real time; training programmes must be documented with dates, content and participants.
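The sending logic that the CRM must implement for the four contact statuses, and the granular withdrawal of pixel consent that must not unsubscribe the customer, can be expressed compactly. The block below is an added example written for this article, not code from the article or from any CRM product; the field names, the message kinds and the tracking modes are assumptions. Legitimate interest is deliberately absent from the list of legal bases.

```python
from dataclasses import dataclass
from enum import Enum


class Basis(Enum):
    """Legal basis recorded against each mailing; legitimate interest is not an option."""
    CONSENT = "Art. 130 consent"
    SOFT_SPAM = "Art. 130(4) soft spam"
    SERVICE = "service or legally required communication"


@dataclass
class Contact:
    email: str
    marketing_consent: bool = False    # status 1: consent to promotional email
    soft_spam_eligible: bool = False   # status 2: contract for consideration + similar product
    soft_spam_objected: bool = False   # status 3: objection to soft spam on the suppression list
    pixel_consent: bool = False        # status 4: consent to an individualised tracking pixel


@dataclass
class SendDecision:
    send: bool
    basis: "Basis | None"
    tracking: str    # "individual", "anonymised" or "none"
    note: str


def decide(contact: Contact, kind: str) -> SendDecision:
    """kind is 'promotional' or 'service'. Sending and tracking are decided separately."""
    if kind == "service":
        send, basis, note = True, Basis.SERVICE, "service messages are not suppressed"
    elif kind == "promotional":
        if contact.marketing_consent:
            send, basis, note = True, Basis.CONSENT, "explicit marketing consent on file"
        elif contact.soft_spam_eligible and not contact.soft_spam_objected:
            send, basis, note = True, Basis.SOFT_SPAM, "soft spam conditions met, no objection"
        else:
            send, basis, note = False, None, "no consent and soft spam not available"
    else:
        raise ValueError(f"unknown message kind: {kind}")

    # The pixel decision never depends on the basis used for sending.
    if not send:
        tracking = "none"
    elif contact.pixel_consent:
        tracking = "individual"
    else:
        tracking = "anonymised"  # statistical pixel only, no per-recipient identifier
    return SendDecision(send, basis, tracking, note)


def withdraw_pixel_consent(contact: Contact) -> None:
    """Granular withdrawal: stop individual tracking without unsubscribing the customer."""
    contact.pixel_consent = False


def record_opt_out(contact: Contact) -> None:
    """Any unsubscribe request, however received, ends up here (suppression list entry)."""
    contact.marketing_consent = False
    contact.soft_spam_objected = True


def plan_campaign(contacts, kind):
    """Return (email, decision) pairs for the contacts that may actually be mailed."""
    return [(c.email, d) for c in contacts if (d := decide(c, kind)).send]


if __name__ == "__main__":
    demo = [Contact("a@example.test", marketing_consent=True, pixel_consent=True),
            Contact("b@example.test", soft_spam_eligible=True),
            Contact("c@example.test", soft_spam_eligible=True, soft_spam_objected=True)]
    for email, d in plan_campaign(demo, "promotional"):
        print(email, d.basis.value, d.tracking)
```

Each decision object carries the basis and the tracking mode, so logging it alongside the mailing gives the per-message documentation the conclusions call for.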
Compliance with the provision is not an operational cost: it is the necessary condition for a sustainable email marketing programme in the medium to long term, protected from the risk of database deletion orders, the most devastating consequence of enforcement, far more costly than any financial penalty.