This update highlights key privacy and data protection developments across the EU, Israel, and the US. It covers new EU guidance on tracking pixels in emails, multi-million-euro GDPR fines for improper data reuse and inadequate anonymization, a Belgian court ruling on consent for data resale, draft Israeli PPA guidelines on privacy in online age assurance, and a wave of new US state privacy laws alongside a significant California court ruling narrowing CIPA claims over website tracking tools.
EU:
CNIL and Italian Garante Issue Guidance on Tracking Pixels in Emails
Both the French data protection authority (CNIL) and the Italian DPA (Garante) published recommendations on the use of tracking pixels in emails. Tracking pixels are invisible images embedded in emails that enable the sender to track whether and when the email is opened and may also collect related technical data. The CNIL’s recommendation clarifies that some pixel use-cases do not require the recipient’s prior consent while others do. For example, pixels used solely for security authentication or to identify inactive recipients and update mailing lists do not require consent because they are necessary to facilitate digital communication. Other uses, such as measuring the rates at which emails are opened, creating recipient profiles for cross-channel targeting, and/or detecting suspected fraud do require prior consent. The recommendation also sets out practical recommendations for lawfully collecting consent in this context. The Italian Garante also adopted guidelines on the same topic, broadly aligned with the CNIL but diverging on several points. While the CNIL does not require consent for individual open-rate tracking when necessary for deliverability, the Garante only allows pixel use without consent when anonymized pixels are used, such as to generate aggregated statistics. The DPAs also differed on what consent mechanisms were acceptable.
AEPD Fines Amadeus €14.4 Million for Reusing Travelers’ Reservation Data
Spain’s data protection authority (AEPD) fined Amadeus IT Group €14.4 million after finding that the company reused travelers’ reservation data to test a new product without a valid legal basis or adequate notice to the data subjects. Amadeus operated a B2B Global Distribution System and repurposed Passenger Name Record data, originally collected for bookings, for a pilot project. The AEPD found breaches of Article 14 GDPR, taking the view that a general website privacy notice was not enough to inform travelers with whom Amadeus had no direct relationship, and of Article 6 GDPR, considering that legitimate interest could not apply where travelers had no reasonable expectation that their data would be reused by an entity to which they had no relationship, years after collection.
CNIL Fines Pharmaceutical Consulting Firm €5 Million for Inadequate Anonymization of Health Data
France’s data protection authority (CNIL) has fined pharmaceutical consulting firm IQVIA Operations France €5 million after finding that it breached Articles 14 and 25 of the GDPR. IQVIA had built two health-data warehouses, one from pharmacy medication sales, the other from doctors’ consultation records, which warehouse contained pseudonymized data. Data subjects purchasing medication were not informed of the inclusion of their personal data in the data warehouses and the subsequent research performed with that data. Furthermore, CNIL found that all patient data was sent through the hashing process even though the applicable pharmacy did not choose to include all such data in the data warehouse. This practice was considered to lack sufficient technical and organizational security measures to ensure personal data is protected by design and by default.
Belgian Court Reaffirms Consent Rules for Data Resale
The Brussels Court of Appeal upheld the Belgian DPA’s finding that data broker INFOBEL S.A. had unlawfully processed and resold a subscriber’s personal data for direct marketing, in breach of Articles 5(1)(a), 6(1), and 24 GDPR. In doing so, the court confirmed that a controller cannot discharge its obligation to prove a legal basis, in this case consent, by relying on contractual arrangements with other parties. This ruling serves as a cautionary tale to independent controllers processing data they did not obtain directly from the data subjects from relying on contractual guarantees to legitimize their own processing. Where possible, evidence for such consent should be obtained.
Israel:
PPA Issues Draft Guidelines on Privacy in Online Age Assurance
The PPA published draft guidelines for public comments addressing privacy risks associated with the use of age assurance mechanisms in online services. While age assurance is an important online tool, which can prevent processing the data of minors, the PPA recognizes that such tools might pose privacy risks by themselves. Under the PPA’s approach, high-privacy-impact age assurance measures (such as real-time biometric processing and extensive behavioral profiling) should be employed only where required by law or where a tangible and significant risk to minors justifies the infringement, and organizations should otherwise default to lower-impact methods proportionate to the nature of their service and any associated risks. The guidelines note that non-compliance with the applicable legal requirements may result in administrative fines and civil liability under the Privacy Protection Law.
US:
US Privacy Laws Continue to Proliferate and Evolve
Multiple US states have enacted or revised privacy laws in recent months. Connecticut’s governor signed Senate Bill 4, which amends the Connecticut Data Privacy Act by requiring data-broker registration from January 1, 2027, banning geolocation-data sales, and adding provisions for facial recognition technology. Louisiana became the 22nd state to enact a comprehensive consumer privacy law with the passing of the Louisiana Data Privacy Act on 29 May 2026; the law mirrors similar US frameworks with thresholds for applicability tied to revenue, data volume, or reliance on data sales. The law, which takes effect on January 1, 2027 also grants consumers standard rights to access, correct, delete, and port their data, as well as to opt out of targeted advertising, data sales, and profiling. Delaware is poised to follow: on June 16, 2026, the Legislature passed House Bill No. 380, amending the Delaware Personal Data Privacy Act, now pending the Governor’s signature. The amendments broaden the law’s scope to cover businesses handling the personal data of at least 10,000 consumers (down from 35,000), bring third parties who acquire personal data from controllers within scope, expand the definition of sensitive data to include neural data, financial account credentials, and government-issued ID numbers, require controllers to enter binding third-party contracts and conduct due diligence on data recipients, impose adverse-action notice and human-review obligations when profiling is used for consequential decisions, and lower the threshold for data protection assessments from 100,000 to 50,000 consumers. Once signed, these obligations take effect on January 1, 2027.
California Ruling Curbs CIPA Claims Over Website Tracking Tools
On May 27, 2026, a Los Angeles Superior Court judge ruled that the California Invasion of Privacy Act’s (CIPA) pen register and trap and trace provisions (which regulate devices that record outgoing and incoming telephone call information) apply only to telephone communications and not to tracking software on commercial websites. The ruling arose from a lawsuit against NetScout Systems over a data collection software development kit (SDK) embedded on its website. The plaintiffs had argued that such website tracking tools functioned like pen registers and trap and trace devices, and that their use without prior consent violated CIPA. The court dismissed the claims with prejudice, reasoning that if the Legislature had intended these provisions to cover commercial websites, it would have made that clear when it enacted the relevant statutory package in 2015. The decision is significant because CIPA has been increasingly invoked in lawsuits challenging the use of cookies and other online tracking technologies, and this ruling provides businesses with a defense against such claims.
The above content is a summary provided for informational purposes only and does not constitute legal advice. It should not be relied upon without obtaining further professional legal counsel.
