No To Spy Pixels

Many of the emails we receive from organisations contain tiny images that relay information back to the sender. These are called tracking or spy pixels.

Typically, these can tell the sender:

In many cases, if we unsubscribe from a mailing list and revisit an email, that data will continue to be collected. After all, unsubscribing doesn’t delete the spy pixel.

This tracking isn’t limited to emails from commercial senders, some personal email providers embed these spy pixels, too.

Recipients aren’t informed about this tracking or given the option to opt-out. A lot of email software gives users the chance to block these pixels, but blocking trackers isn’t the same as opting-out.

Are they allowed?

The use of tracking pixels is widespread, but that doesn’t justify their use. Many people are completely unaware that this tracking goes on at all.

Organisations are allowed to use tracking pixels if users know about them and are given options. From the ICO:

PECR does not prohibit using cookies and similar technologies. However, PECR does require you to tell people about them and give them the choice as to whether or not this information is stored on their devices in this way.

In other words: they’re allowed if users consent. Hiding their use in a privacy policy doesn’t cut it.

What can we do?

In this Telegraph article, the ICO recommends:

If anyone is concerned about how their data is being handled, they should contact the organisations first. If not satisfied, they can make a complaint to the ICO.

So, let’s do it.

Step 1

You’ll need to make a complaint to the company using spy pixels.

If you use HEY, it’s easy to identify the company as they highlight spy pixels in the interface. If you don’t, there are tools to help:

  • MailTrackerBlocker for the default macOS mail app blocks and labels trackers.

  • Browser extensions like Ugly Email for Gmail (available on Chrome and Firefox) will identify blockers.

As ever, read reviews and check privacy policies to check your data isn’t exposed.

Many email apps let you block remote images. This doesn’t necessarily mean that email contains a tracking pixel, but there’s a good chance it might: ask the sender if you’re unsure.

Here’s a complaint template you can tweak:

Hello,

The emails I receive from you contain tracking pixels. These track when I open emails, where I am when I open them and the device on which they were opened.

Under data protection laws, I should have explicitly opted-in to these tracking pixels, but I have not been given that option.

For more information, please see this information from the ICO:

https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/what-are-cookies-and-similar-technologies/#cookies5

Please stop tracking the emails you send to me.

[Your name]

Step 2

In the event the organisation won’t turn tracking pixels off for you, you can then take it to the ICO. The ICO’s complaint form is straightforward but requires copies of the correspondence.

The form is available here:

https://ico.org.uk/make-a-complaint/your-personal-information-concerns/personal-information-concerns/

Step 3

Spread the word: share on social media and tell your friends, especially if they’re unlikely to know about these.

Consider adding a note to your personal email and/or mailing lists:

This email doesn’t track you.

The more awareness that can be raised about spy pixel, the more likely it is there will be a positive result.

This is true even if you don’t live in the UK: signal boosting has a network effect and sharing the site spreads awareness of spy pixels.

In real-life, tell family members about spy pixels and what they can do to block them or raise a complaint.

A note on compliance and companies

Ultimately, the goal is for organisations to take user’s privacy more seriously. That might happen through seeing that users care about this enough to complain or by action from the regulator.

This stuff is quite technically complex and switching/turning off tracking will depend on the underlying services and context. For instance, mailing list providers don’t always allow users to turn off tracking and transactional email tracking might be controlled by a lower-level service.

For those reasons, please consider only submitting complaints to larger companies that have the capacity to deal with this. Many small companies are having a tough time at the moment.

Through increased awareness and the widespread implications of any regulatory action, we can hope that users are given more control over whether they accept these pixels.

Further reading