FAQ – Spy pixels and data processing in emails

This FAQ includes information related to the Danish data protection authority’s decision on spy pixels and further information on which personal data is processed in emails.  

Tracking open events is done by including a unique image, called a “Spy pixel”, in the email. This is not part of the email standard, but the market standard. By logging downloads of the image, Engage will know who downloaded the image (in other words, who opened the email). The decision clarifies that you need consent for the use of spy pixels and that a data controller’s use of such must be clearly disclosed in the privacy policy statement.   

What legislation applies? 

The use of spy pixels is governed by two different legislations. Firstly, the law on electronic communication (2022:482), (“LEK”) applies. This legislation states that to use technology that collects information from an individual's device—which is usually the case if using cookies or pixels, you need consent from the individual.  

Secondly, the GDPR applies, to process the personal data you retrieve, you need a legal base. GDPR offers several legal bases, consent being one of them. However, most people interpret the legislation in the manner that if you need consent according to LEK, the only available legal base under the GDPR is consent as well. 

How can consent for spy pixels be collected? 

The decision from the Danish data protection authority does not provide specific guidance on the forms for consent collection, but most companies use a checkbox and link to the privacy policy when collecting consent from a data subject (an individual). Make sure that the checkbox is not pre-filled, consent according to LEK has the same requirements as the requirements in the GDPR. 

Exactly what personal information is processed by Voyado Engage from emails?  

The personal information processed by Voyado Engage in general is stated in the Data Protection Agreement between us, see specifically Schedule A, your version of the DPA is available in your license agreement. The latest version of the DPA is available here.

For emails specifically, information is processed by the use of two different techniques, where only one uses pixels.

By use of pixels
Information about when an email has been opened by a specific contact. An image (pixel) with a unique URL will be included in emails to track opens. 

By use of link decoration 
Information about when a contact clicks on a specific link in a specific email and which link and which email was clicked. Email links are decorated with a unique ID and traffic passes through Engage to track clicks made by contacts. When contacts are redirected to the link destination, new link decoration with information from Engage is added, such as UTM-tags*, soft-login string* (encrypted email address, contact ID, discovery-key, email sent time), and site-tracking-id*.  

*Link decoration information depends on Engage environment configuration.

Besides pixel and link decoration all internet HTTP traffic carries headers that include user device data such as IP number and operating systems. Information on the processing activities needs to be included in your privacy policy. 

What are the consequences of processing this data without consent and disclosure?

As a data controller, you are responsible for having a legal base for the processing you perform and always collecting consent for the use of cookies, pixels, and other technology that collects information from user devices. Breaching this legislation could result in fines and damages being awarded to affected individuals. It is also a requirement in our agreement that you adhere to all applicable legislation. 

Is it possible to turn off the spy pixel functionality in Voyado Engage for specific contacts and keep it on for the users who have consented? 

No, unfortunately, this functionality can only be turned off for the entire Engage environment. And that would mean that opening statistics will not be tracked, that includes segmentations based on email opens, automations based on email opens, and CTOR (click to open rate) for example.  

 

Legal disclaimer: Please note that Voyado is not a legal professional adviser and that the information in this FAQ is only provided as guidance and that Voyado does not accept responsibility for any interpretations and actions based on the information.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.