No To Spy Pixels

Many of the emails we receive from organisations contain tiny images that relay information back to the sender. These are called tracking or spy pixels.

The emails we receive can often tell the sender:

In many cases, if we unsubscribe from a mailing list and revisit an email, that data will continue to be collected. After all, unsubscribing doesn’t delete the spy pixel or the unique URLs that identify links you click.

This tracking isn’t limited to emails from commercial senders, some personal email providers embed these spy pixels, too.

Recipients aren’t informed about this tracking or given the option to opt-out. A lot of email software gives users the chance to block these pixels, but blocking trackers isn’t the same as opting-out.

Are they allowed?

The use of tracking pixels is widespread, but that doesn’t justify their use. Many people are completely unaware that this tracking goes on at all.

Organisations are allowed to use tracking pixels if users know about them and are given options. From the ICO:

PECR does not prohibit using cookies and similar technologies. However, PECR does require you to tell people about them and give them the choice as to whether or not this information is stored on their devices in this way.

In other words: they’re allowed if users consent. Hiding their use in a privacy policy doesn’t cut it.

What can we do?

In this Telegraph article, the ICO recommends:

If anyone is concerned about how their data is being handled, they should contact the organisations first. If not satisfied, they can make a complaint to the ICO.

So, let’s do it.

Step 1

You’ll need to make a complaint to the company using spy pixels.

If you use HEY, it’s easy to identify the company as they highlight spy pixels in the interface. If you don’t, there are tools to help:

  • MailTrackerBlocker for the default macOS mail app blocks and labels trackers.

  • Big Mail is app that integrates with lots of mail providers. It blocks and labels trackers.

  • Simplify highlights (and blocks) trackers for Gmail users.

  • Scary Senders lets users forward emails to check if they contain spy pixels.

  • Browser extensions like Ugly Email for Gmail (available on Chrome and Firefox) will identify blockers.

As ever, read reviews and check privacy policies...

Many email apps let you block remote images. This doesn’t necessarily mean that email contains a tracking pixel, but there’s a good chance it might: ask the sender if you’re unsure.

Here’s a complaint template you can tweak:

Hello,

The emails I receive from you contain tracking pixels. These track when I open emails, where I am when I open them and the device on which they were opened.

Under data protection laws, I should have explicitly opted-in to these tracking pixels, but I have not been given that option.

For more information, please see this information from the ICO:

https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/what-are-cookies-and-similar-technologies/#cookies5

Please stop tracking the emails you send to me.

[Your name]

Step 2

In the event the organisation won’t turn tracking pixels off for you, you can then take it to the ICO. The ICO’s complaint form is straightforward but requires copies of the correspondence.

The form is available here:

https://ico.org.uk/make-a-complaint/your-personal-information-concerns/personal-information-concerns/

Step 3

Spread the word: share on social media and tell your friends, especially if they’re unlikely to know about these.

Consider adding a note to your personal email and/or mailing lists:

This email doesn’t track you.

The more awareness that can be raised about spy pixel, the more likely it is there will be a positive result.

This is true even if you don’t live in the UK: signal boosting has a network effect and sharing the site spreads awareness of spy pixels.

In real-life, tell family members about spy pixels and what they can do to block them or raise a complaint.

A note on compliance and companies

Ultimately, the goal is for organisations to take user’s privacy more seriously. That might happen through seeing that users care about this enough to complain or by action from the regulator.

This stuff is quite technically complex and switching/turning off tracking will depend on the underlying services and context. For instance, mailing list providers don’t always allow users to turn off tracking and transactional email tracking might be controlled by a lower-level service.

For those reasons, please consider only submitting complaints to larger companies that have the capacity to deal with this. Many small companies are having a tough time at the moment.

Through increased awareness and the widespread implications of any regulatory action, we can hope that users are given more control over whether they accept these pixels.

July 2021: An update

It turns out this process works, here are a couple of anecdotes:

I noticed that my bank were including spy pixels in their statement emails. I sent them the complaint email and, after some back and forth, I was called by their complaints manager.

They told me they’d never seen a complaint about spy pixels before and they’d checked it with the bank’s data protection officer (DPO). According to the DPO – whose job it is to literally know about this – the bank were compliant as they mention cookies in their privacy policy.

For the record: cookies aren’t tracking pixels, but they are considered to be a similar technology by the ICO.

The bank sent me their full and final response as a PDF, which I submitted to the ICO. Three months later(!), I was contacted by an ICO case officer to say they would be looking into it and talking to the bank about their use of spy pixels.

A few weeks later, I received my latest bank statement by email. No tracking pixel!

I used the template to complain to my energy company about their use of spy pixels. I had a response from their CTO (Chief Technology Officer) to say they hadn’t considered this and that they wanted to be on the right side of the debate.

They’re looking into solutions and – in the meantime – switched me to plain-text emails so my emails aren’t tracked.

In many cases, it seems the first response will be that their privacy and/or cookie policies mention this, but that’s not a basis for consent. According to the ICO, organisations need to:

...tell people about them and give them the choice as to whether or not this information is stored on their devices in this way.

If you get a similar response, push back: the ICO makes it crystal clear that putting this in a policy isn’t sufficient.

Had success?

If you’ve complained about spy pixels, I’d love to hear how you got on. Either email me or get in touch through Twitter.

Further reading