Open and click tracking without the privacy landmines
Email open tracking privacy is usually discussed as a marketing problem, but transactional senders inherit it too, often without deciding to. Most email APIs switch tracking on by default, so the day you send your first password reset, you're also setting a tracking pixel and rewriting links, whether or not anyone thought about the GDPR implications. This post covers how the mechanics work, what the law actually requires, and the defaults worth demanding from your provider.
How the mechanics work
Open tracking embeds a one-pixel image with a unique URL per recipient; when the mail client loads it, the provider records an open with a timestamp, and typically an IP address and user agent. Click tracking rewrites every link in the message to pass through the provider's redirect domain, which records the click before forwarding to the real destination. Both produce per-recipient behavioural data tied to an email address. Under GDPR, that's personal data, full stop, and collecting it needs a legal basis just like any other processing.
What the law actually asks
For transactional email, the honest analysis is uncomfortable for tracking-by-default. Delivering a receipt or a reset link is necessary to perform your contract with the user; knowing whether they opened it is not. That pushes open tracking onto legitimate interest at best, which requires a balancing test you can write down, and disclosure in your privacy policy. Behavioural tracking that feeds marketing decisions leans further, toward consent. The practical rule: track when you can state the purpose in one sentence, and don't track because the checkbox came pre-ticked.
There's also a technical honesty problem: open data has been unreliable since Apple Mail Privacy Protection began pre-fetching pixels in 2021, inflating opens for a large share of consumer inboxes. So the default-on pixel collects personal data of degraded analytical value. That combination, higher obligation, lower signal, is exactly what you should decline by default.
Click tracking has a second cost: your links stop being yours
Rewritten links point at the provider's tracking domain, not yours. That interacts badly with security-sensitive transactional email: a password reset link that resolves through a third-party redirect domain looks more like phishing, not less, and it trains your users to click links that don't match your domain. If you rewrite links at all, the tracking domain should be a subdomain of your own sending domain, and security-critical flows (resets, magic links, 2FA) are better left untracked entirely.
The defaults worth demanding
- Tracking is a choice, not a surprise: off unless you turn it on, and controllable per sending domain, so your marketing domain can track while auth emails stay clean.
- Data minimisation in the event itself: the open or click event needs a timestamp and a message reference, not a stored IP address and full device fingerprint.
- Tracking data lives under the same retention window as your other event logs, and gets deleted on the same schedule, not hoarded separately for analytics.
- Disclosure you can copy: the provider documents how tracking works so you can describe it accurately in your own privacy policy.
This is the posture Envello builds toward: tracking as a per-domain toggle with privacy-respecting defaults, event data under your configured retention window of 7 to 365 days, and delivery events (delivered, bounced, complained) as the primary signal, since those arrive without tracking anyone. For transactional email, delivery data answers the question that matters, "did the reset email arrive?", without collecting behavioural data you'd have to justify later.