Major brands 'in breach of data law' with email tracking

Companies implementing “invisible” technology to track whether their email marketing campaigns have been opened, the device used and even users’ location have been warned they are potentially in breach of data protection laws as concern grows over so-called “spy pixels”.

A new investigation for the BBC, carried out by messaging service Hey, claims the practice is “endemic”, with major brands including British Airways, TalkTalk, Vodafone, Sainsbury’s, Tesco, HSBC, Marks & Spencer, Asos and Unilever adopting the technology.

Hey’s study revealed that two-thirds of emails sent to its users’ personal accounts contained a “spy pixel”, even after excluding spam, with this information being used to determine the performance of email marketing campaigns, as well as to create more detailed customer profiles.

Tracking pixels are a standard feature of automated email services used by large and small businesses, and in many cases the facility is difficult to turn off. The pixels are typically tiny GIF or PNG files that are embedded in the header, footer or body of an email and can be virtually impossible to spot with the naked eye. They are activated simply by opening the email.

Hey co-founder David Heinemeier Hansson told the BBC the pixels amount to a “grotesque invasion of privacy”, warning that “it’s not like there’s a flag saying ‘this email includes a spy pixel’ in most email software”.

He claims that, on average, every Hey customer receives 24 emails a day that attempt to spy on them, with the top 10% of users receiving more than 50.

Hansson added: “We’re processing over one million emails a day and we’re just a tiny service compared to the likes of Gmail, but that’s north of 600,000 spying attempts blocked every day.”

Under the Privacy & Electronic Communications Regulations (PECR) and GDPR, organisations must inform recipients of the pixels, and in most cases to obtain unambiguous consent.

But data protection consultant Pat Walshe of Privacy Matters told the Beeb: “Solely placing something in a privacy notice is not consent, and it is hardly transparent. The fact that tracking will take place and what that involves should be put in the user’s face and involve them opting in.

“The law is clear enough, what we need is regulatory enforcement. Just because this practice is widespread doesn’t mean it’s correct and acceptable.”

Even the Information Commissioner’s Office has used the technology to track email performance although it insists it is working with its provider to remove the pixels from future activity.

In response to the report, BA said: “We take customer data extremely seriously, and use a cross-industry standard approach that allows us to understand how effective our customer communications are.” Meanwhile, TalkTalk commented: “As is common across our industry and others, we track the performance of different types of communications to understand what our customers prefer. We do not share this data externally.”

At this stage, it seems enforcement action is unlikely, although the technology hardly fits in with marketers’ new found “moral crusade” and pursuit of data ethics.