CNIL Guidance: FAQ

What is the CNIL and what changed recently?

The CNIL is France’s data protection authority and the regulatory body responsible for enforcing privacy and data protection laws, including GDPR and ePrivacy rules. In April 2026, the CNIL published updated guidance that further clarifies its expectations around consent, transparency, and tracking in email communications. This guidance reinforces how organizations should lawfully collect and use data in marketing interactions with individuals in France.

Why is the CNIL issuing new guidance now?

The CNIL has increased its focus on ensuring that consent and tracking practices are implemented consistently and transparently. The updated guidance reflects evolving regulatory scrutiny and is intended to provide clearer expectations for companies operating marketing and messaging programs in France.

Who is impacted by this guidance?

Any organization that markets to individuals in France, or processes data related to digital communications sent to French recipients, may be impacted. This includes brands that rely on digital marketing platforms, messaging, analytics, or tracking technologies as part of their customer engagement strategies.

What are the main concerns the CNIL is addressing?

At a high level, the CNIL is focused on three core areas:

Clear and valid consent for tracking and data usage
Transparency into how data is collected and used
Demonstrable compliance, including the ability to honor user choices

These principles are designed to protect individual privacy while ensuring responsible data practices.

How is Cheetah Digital responding?

Cheetah Digital is closely aligned with the CNIL’s guidance and fully understands the concerns this regulation raises for our customers. We are actively delivering a compliant, practical solution that addresses the key regulatory requirements while minimizing disruption to existing workflows.

Will Cheetah Digital meet the CNIL requirements and timelines?

Cheetah Digital is actively working toward aligning with CNIL requirements within the expected timelines, with a strong focus on delivering a practical solution for compliance that minimizes disruption to your workflows. In the meantime, you can leverage existing tools within the platform to support your compliance efforts with our Do Not Track functionality, enabling to disable tracking when needed.

Will this impact how I run campaigns today?

Our goal is to ensure that compliance requirements can be met without unnecessary complexity or loss of usability. While some customers may need to adjust aspects of their workflows depending on use case, Cheetah Digital is focused on providing a solution that remains practical and scalable for marketers.

What should customers do now?

To help ensure compliance, we recommend taking the following key actions:

Audit your email campaigns to identify those that rely on open-tracking elements (e.g., send-to-openers/non-openers, active/inactive segments, etc.). New requirements may impact these use cases, and adjustments will likely be needed.

Update your privacy policy by working with your DPO to clearly disclose the use of tracking pixels for monitoring email opens.

Adapt your opt-in forms by adding an unchecked checkbox to obtain explicit consent for using these pixels to tailor communications based on user engagement.

Facilitate consent withdrawal by ensuring users can easily opt out of tracking pixels via a dedicated link in your emails and within your preference center.

Inform your existing contacts by preparing a dedicated communication outlining these practices, to be sent before mid-July 2026. Once Cheetah Digital supports storing this data, you will be able to set up an automated flow using the new system field.

We will continue to provide updates through our usual customer communication channels. If you have specific questions or concerns, your Zeta representative will be happy to assist.