My e-mail client always tells me the sender wants a read receipt and also asks if I want to load external resources. If yours doesn't let you control this I strongly recommend looking for an alternative.
> "Thanks for opening this email. We’ve logged that you read it, we’ll log again next time you open the email. We know where you’re located, and what device you’re on. We’re using this information to tweak our emails to get you to open and read more of our emails in the future"
I think the paragraph after it kinda undermines their thesis though. There's nothing meaningfully different about an email and a website. They're both documents that you render locally on your client. The delivery mechanism doesn't really matter.
You would probably find it really weird that a NYT article archive HTML page you have on your machine still tracks you because your client runs the JS if it wasn't already the norm. But then why does downloading that same document on-demand change your expectation of being tracked? Or if we were in an alternate universe where web pages were hyperlinked PDFs I bet you would find it odd that opening one in Acrobat sends all your interactions to some server somewhere.
It's fine that by convention we have some places where it's not kosher to track people but we at least have to admit that the distinction is arbitrary and that being upset about email tracking but not website tracking is inherently inconsistent. Because sure you can name differences between emails and websites but nothing really fundamental.
It is fundamentally different because when I track an email I know who I'm tracking and I will look at the data on an individual basis. For instance "great, that client has opened my contract email 5 times. Means they are interested. I can adapt my negotiating position based on that".
For websites I would look at the data in aggregate. Sure that aggregation can be pretty precise but still it is not on the personal level. I suppose technically speaking you could check the individual use of a website for logged in users but even Google Analytics is very explicit on that not being OK for instance, and there is no UI for it in any tool that I know.
I am not using any html emails. People should send me text. If pics are important attach them.
External (embedded) pictures are deactivated per default, if you want to get at least a tiny chance I see your picture, attach it or gain my trust (and even then, attach it).
JS in mails is completely ignored, it has no business of being there.
It would be nice to live in a world where you could trust sizeable companies not to break the law (or my trust) with every other email they send. It would be nice to have html and css in a mail and not have people abuse it. But as things stand now, not using html is the way to go.
The sad thing is we already have a privacy friendlier alternative to spy pixels: Read Receipts, defined in RFC 2298. They are already user opt-in. Don’t most mail agents support them?
It's not like only advertisers would benefit from read receipts in email. It would be very useful to know when your friend opens your message, which I assume is why basically every mainstream messaging app has the feature.
> It would be very useful to know when your friend opens your message
Sure, it might be useful for them, but I'd still like to have to opt-in to it.
If my friend embedded a tracking pixel in my email because I didn't have read receipts and they wanted to know if I'd opened their email, I'd be having a real serious conversation about boundaries and privacy with that "friend".
Advertisers that do the same thing are being shitty people, in exactly the same way it'd be shitty if a friend did it.
To be clear, I'm not arguing against read receipts. I'm arguing against _working around_ opt-in read receipts.
In this context, we're talking about RFC 2298, which doesn't leak your IP address and is opt-in. It is completely unrelated to "remote content" settings.
At the risk of conflating Gmail and email - doesn't gmail download automatically and serve images in emails from a google-owned server? Seems like this would completely defeat this kind of tracking.
They do. So the big splash image which is the same for everyone gets cached and served from google. The tracking pixel has a unique url per recipient (that’s the point) so can’t be cached.
I'd expect that google has something significantly more advanced than simply fetching every linked image in an email and storing it separately. Additionally, I'd guess they're doing this ahead of time, before you open the email. But it's a guess.
Oh you mean they prefetch unconditionally, thereby removing any information about whether the recipient has read the email (it always appears as if they did) - not that they cache it to share between users and make it seem like they didn’t download the image. Agree - they do that.
They can’t make it seem like I didn’t download it but they can remove most of the usefulness of the information (it reveals whether the Gmail address is valid I suppose)
While I support projects like ohmysmtp.com, I don't like the misinformation the post contains.
There is not a single MUA that does not block, alert, warn user when hidden pixel is found, and also when any link in the message doesn't start with https...
Not sure why you're being downvoted - I can't remember coming across an email client that doesn't support this, and many seem to do it by default these days.
And even those who do are not warning you about the tracking part, only about loading resources. Most users will just think that they want to see the nice images and accept and have no idea that it means they are tracked.
Set your mailer to just use text/plain for displaying message bodies. No HTML == no tracking cookies. Any decent mailer will prompt you before sending a read confirmation.
Opting into receiving an email is not the same as opting into being tracked by the email. Burying this in T&Cs that no one reads doesn't let the user know this is happening, and continues to violate their privacy.
> if the user has opted-in to the email in the first place
A burner email address I gave out exactly once to a vendor at defcon 2 years ago has been "opting into" all sorts of new marketing campaigns from many different companies, and as recently as this February.
Explain to me how tracking pixels in those emails are consistent with GDPR's informed consent.
Why would you want to track whether an email is read? That's creepy and obnoxious. Part of the social contract with mail is that it shouldn't matter if you haven't read it yet or if you read it and decide to answer later. Mail is an asynchronous medium and you should respect that and not micromanage your customers IMHO.
Because if you send emails to people who don't read them, eventually they will flag you as spam (even if they signed up for the emails in the first place), and then you will start getting blocked as spam by Gmail.
Also it's generally useful to know if a particular email is read so you can test out different formats and whatnot.
> Because if you send emails to people who don't read them, eventually they will flag you as spam (even if they signed up for the emails in the first place), and then you will start getting blocked as spam by Gmail.
Probably because those email newsletters are spam sent to people who interacted with a form once.
> if you send emails to people who don't read them, eventually they will flag you as spam
That's because you're spamming them.
> even if they signed up for the emails in the first place
Users can change their mind. Clicking anything in an email leads to susceptibility of phishing. So they shouldn't need to click an unsubscribe link to do so. Reporting you for spam is the safest option from their perspective.
And I would argue that most users didn't sign up for the emails. They were conned into giving their email and usually for a completely different purpose.
> Also it's generally useful to know if a particular email is read so you can test out different formats and whatnot.
That's a very dubious assertion. Formats are in the content of the email. Different formats won't tell you why one email was opened while another was not.
> That's a very dubious assertion. Formats are in the content of the email. Different formats won't tell you why one email was opened while another was not.
Formats can include different titles and descriptions, which can make a huge difference in how often users open your emails. Also just different kinds of emails you might want to send (maybe you send some users an email with a coupon, and some with a new product notification).
Maybe you don't see the value in having people know whether you read their email, which is fine, but there are clearly tonnes of legitimate use cases for having that kind of information. If I know a segment of users on my email list never open a particular type of email, it is better to just not send them that kind of email, both for the sender and recipient.
Regardless, I think Gmail killed tracking pixels by loading images through their servers anyways.
There are legitimate uses for knowing if someone read their email. Those use cases are the ones where the user consents to you knowing it and are covered by read receipts.
Google did not kill personalized tracking pixels. All they blocked is the ability to determine the user's IP because you will get a connection from Google's proxy instead of directly from the user.
But the problem with relying on tracking pixels to flag whether a message is read is that not everyone loads them.
I've had my mail clients (and Gmail) set for years to not load external images, and occasionally get "we notice you haven't been reading our messages so we're going to stop sending them to you" emails from mailing lists that I do actually read.
> Why would you want to track whether an email is read? That's creepy and obnoxious.
Indeed it is! Yet messengers like WhatsApp and Telegram always mark the messages that have been read. And I really hate this. Given the fact the actual messengers still are pretty good and very useful, I would pay them a premium if they could hide when I have been online and what messages I have read.
I think most other messengers, iMessage, FB Messenger get this right that you can disable read receipts but then you won't get to see other people's either.
I really really enjoy having them. They make me feel less anxious about messages.
I refuse to use any service that reports on my active use of the service. The "seen" feature was created like a decade ago, and that took me from occasionally using Facebook, to never using Facebook.
But they are different to email. I actually enable seen notifications for people because it's very frustrating for real-time communication. Email is not meant to be that.
I mean I think you know the answer to this question. Because these emails aren't "communication" but marketing campaigns that companies want to track the effectiveness of. Your inbox is nothing to these companies but another vector to put their brand in front of your eyeballs.
Cost depends on the setup. Not everyone is taking the most cost effective approach.
Spam reduction is definitely a big consideration. However at the last place I worked we would get notifications when people marked the emails as spam, and so we could specifically remove those people from the email list. I don't even know how that part is done - we used one of the big emailer/newsletter websites.
Both hey.com[1] (from the Basecamp folks) and TMTP from the mnm project[2] (proposed successor to SMTP) disallow background downloading of remote URLs.
TMTP also specifies Markdown formatting (not HTML), fwiw.
Then you are welcome to opt into tracking. I think the EU's approach of default being "no tracking" is good - you can always decide to opt-in, but the default is safe.
The EU has absolutely zero authority to tell businesses located outside of the EU what to do. The fact that someone reading a blog post happens to be in Europe does not all of a sudden put the owner of that blog under EU jurisdiction.
It's well known that internet companies will fuck you in the ass if they're not strictly regulated. GDPR is a start, but honestly it doesn't go far enough since companies have found ways to wriggle around it and/or it isn't enforced nearly enough. Sufficiently frustrated companies can just leave the EU market. What's needed is a worldwide framework like the WIPO with treaties to specify multilateral regulations and enforcement procedures.
Doesn't this website detect that you are not in the EU and not bother you with any popup? From the EU I see the reverse, where websites detect I am in the EU and refuse to work.
Also you should be able to click on the GIANT button on the popup and never see it again.
I bet you also complain that thx to some other bureaucrats now all your marketing emails must include an Unsubscribe link.
I, as an American, am extremely thankful for the latest version of cookie banners.
Yes, the first version of cookie banners was awful and pointless. This latest iteration (of compliant banners) is wonderful, though.
They actually give me functionality that I _really want_. I click the "manage preferences" option on every single one for every site that offers it. I opt out of everything except for strictly necessary cookies for site functionality.
I am genuinely thankful for the GDPR era of cookie banners.
No, it's thanks to targeted advertising. GDPR banners are completely unnecessary if you don't stalk your users. Stick to traditional advertising, and you don't need to remove user privacy, and therefore don't need to have any banner.
The spirit of it is good, the enforcement has been significantly lacking and the regulators who are supposed to enforce it appear incompetent or unwilling to do so.
That link gets posted all the time, often as a rebuttal to the "no enforcement" claim but the web being littered by non-compliant tracking consent flows clearly shows there is not enough enforcement.
> Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
> Keep your consent requests separate from other terms and conditions.
> Make it easy for people to withdraw consent and tell them how.
> Avoid making consent to processing a precondition of a service.
The majority of consent flows out there don't comply with at least one of these points, so the fact they're still out there 3 years after the regulation went into effect suggests enforcement is indeed lacking.
Not perfect but much much better than before. I can give you two personal examples of how even small stuff that used to be ignored now demand attention:
I installed a game that had a bug (opt-in to tracking wasn't working so tracking was always on). Lots and lots of users complained in the game developers forum but nothing happened. Not even a reply. I and a few others wrote emails to the support mail and nothing. Then I threatened with GDPR months later and two days later support was on my case and my data was deleted from both their system and the third party they used for tracking.
Here in Denmark businesses aren't allowed to receive updates from the CPR registry (like SSN) if you aren't a customer anymore. It's used for stuff like banks automatically getting your new address if you move. Historically sending mails to those that didn't remove you from their updates didn't do anything. Now they run quickly as soon as they read "GDPR".
There are big businesses that get away with things they shouldn't but by far the most problems can now be resolved, even small stuff that big businesses before didn't lift a finger to fix where the little man had no chance in hell. Now they (we!) do.
> "In the UK and the EU, the GDPR requires organisations to inform recipients of the pixels, and in most cases to obtain consent for them. It’s not enough to just have a privacy policy somewhere that details this."
No it doesn't and yes it is.
Nowhere in the GDPR or in the UK implementation does it say that recipients need to be informed of pixels in and of themselves.
What it does say is that when you obtain the recipients' personal details you must provide them with a privacy notice setting out what data you collect and what you do with it. The privacy notice needs to be provided on collection of their data (when directly collected) or within 30 days of collection if from a third party.
There is no reason to not obtain consent to tracking but to suggest it's the only lawful basis on which to process the data is not correct. Subject to completion of an impact assessment, one could make a case that it falls under legitimate interests depending on the degree of processing of the tracking data e.g. the more that such data is used to inform further targeting of the individual vs. say aggregation of data for improving engagement.
I agree with your underlying point though - I turned off tracking (I use Postmark for transactional emails) because I don't really care about open rate and click rate etc. If my customers want to ignore the emails from the service it's up to them.
„Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
[...]
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.“
An email address is always personal and tracking if the email was opened ties it to that personal data.
GDPR is a nightmare and a case study in how regulations can terrorize entire industries or the abilities of individuals to innovate freely. Just read the chronology of events in that link above and try playing devil's advocate that the CNIL did not amend those laws to specifically target these two companies. It's scary.
They amended "rules", not "laws", which is what rulemakers do when they discover behaviors that violate the law (subject to interpretation, as intended) but not the rules.
^Are you seriously making this argument? It seems you either have not read the linked story, or you don't understand that the CNIL issues guidelines that are the "law";
The decision to overrule an earlier revision by the Conseil d'État alludes to the guidelines themselves as a measure of "Soft law".
Regardless, making an argument on the semantics of a word instead of the glaring arrogance on display where Government agencies or lawmakers can retroactively change the rules to seemingly target individual companies is ridiculous.
Like most of the problems the EU has tried (and failed) to solve with legislation, like cookie laws, this is an issue that is already entirely solved by the client. If you don't like having external images in your emails, most clients these days support turning it off.
Whether it's a header image or a "spy pixel", both of these things can be used to track you. Therefore the solution is to disable it entirely if you do not like being tracked.
> this is an issue that is already entirely solved by the client
No it isn't.
What if I want to see the images in an email newsletter, but don't want to be tracked? The client can't give me a button "open images except tracking pixels" because it doesn't have enough information to know the difference.
> What if I want to see the images in an email newsletter, but don't want to be tracked?
That would be nice, but as I already wrote, it's not possible. The only way to have images (or any form of remote resource) in emails, and at the same time avoid tracking, is attaching them.
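As an added illustration of the two mechanisms this thread contrasts (not code from any commenter or mail client): a pre-render audit that reports an RFC 2298 receipt request and every image that would trigger a network fetch, while skipping attached `cid:` images. The message, hosts and token below are constructed, and the 1x1/hidden check is only a heuristic, since any remote image with a per-recipient URL discloses the same thing.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message; addresses, hosts and the token are made up.
SAMPLE = """\
From: news@shop.example
To: alice@example.org
Subject: Spring sale
Disposition-Notification-To: news@shop.example
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Spring sale starts today.
--b1
Content-Type: text/html; charset="utf-8"

<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="cid:logo@shop.example" width="80" height="40">
<img src="https://t.shop.example/o/9f3c2a71.gif" width="1" height="1">
<img src="https://t.shop.example/p.gif?u=9f3c2a71" style="display:none">
--b1--
"""

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class ImgCollector(HTMLParser):
    """Collect every <img> whose src would cause a network fetch."""
    def __init__(self):
        super().__init__()
        self.remote = []  # list of (url, looks_hidden)
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # cid: and data: images travel inside the message itself
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        self.remote.append((src, tiny or bool(HIDDEN.search(a.get("style", "")))))

def audit(raw):
    """Report what rendering this message would disclose to the sender."""
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",))
    collector = ImgCollector()
    if html is not None:
        collector.feed(html.get_content())
    receipt = msg.get("Disposition-Notification-To")  # RFC 2298 request header
    return {
        "receipt_requested_by": str(receipt) if receipt else None,
        "remote_images": [u for u, _ in collector.remote],
        "likely_pixels": [u for u, hidden in collector.remote if hidden],
        "has_plain_text": msg.get_body(preferencelist=("plain",)) is not None,
    }
```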