Businesses everywhere have been using email open and click tracking primarily to gain actionable data on recipient engagement. You must know how people are engaging with your business. It helps realign marketing, sales, and content strategies.
Email open and click tracking offer a host of actionable data on engagement rates. For successful campaigns, you need to know key metrics such as open and click rates. Businesses target users by embedding invisible tracking pixels (always a 1×1 pixel image) in marketing emails. It is also known as a “web beacon,” or “clear GIF”.
Most businesses use Marketing Automation Platforms (like HubSpot, Mailchimp, or Klaviyo) to manage email marketing and track performance. The platform injects code into the HTML body of the marketing email to enable this tracking.
Embedded invisibly, whenever a user clicks to open an email, the image loads, sends a request to the sending server, and all the information, such as the opening of the email, the time at which it was opened, the IP address, and even the device type, is recorded.
This bunch of information is a gold mine for marketing and sales teams. And businesses in the hospitality industry run massive email campaigns to boost direct bookings.
What’s changing and where?
The rules of engagement, privacy and consent are changing. It seems these invisible tracking pixels are suddenly more visible than ever to data protection authorities. France’s CNIL (Commission Nationale de l’Informatique et des Libertés) and Italy’s Garante have rolled out new compliance rules.
While these bodies work to ensure GDPR compliance, they have now expanded the scope of privacy by bringing tracking pixels in emails under the same scope as cookies on websites. Under the new regulatory lens, both bodies treat the loading of a tracking pixel as an operation that “reads from or writes to” a user’s terminal device (similar to how website cookies function).
Businesses targeting users in these regions, will now need to obtain recipients’ consent before using email open and click tracking pixels. The mandate is simple. No matter where you’re located, if your sender list includes recipients in these regions, obtain consent first.
Businesses pivoting to meet new compliance rules
As a result, many organisations are currently updating their sign-up forms, privacy policies, and email templates, and one-to-one email tracking settings to ensure they remain compliant.
CNIL’s recommendation is aligned with the ePrivacy Directive, which is the EU law for protecting electronic communications privacy.
The difference between the two compliance requirements
CNIL recommended these rules on April 14, 2026, and set the compliance date as July 14, 2026. Just 3 days later, Italy’s Garante followed in its footsteps and published its own. However, it has chosen a longer deadline-October 28, 2026.
There’s a difference in how they expect compliance.
CNIL makes it clear that consent for email receipt must not be treated as consent for tracking. Both are separate.
Garante, on the other hand, adopts a more relaxed definition and allows for a single, bundled consent request for both email marketing and tracking, the caveat being the language is neutral and clear.
CultBooking– A booking engine with compliance built in
In the wake of regulatory changes in France and Italy, what does this mean for businesses using the CultBooking engine?
The answer lies in CultBooking’s unique positioning as a privacy-friendly booking engine. It is privacy-first by design. We explain it further.
CultBooking is entirely cookie-free and GDPR-compliant. So, unlike other platforms, there’s nothing built into the booking engine to drop, read, or store persistent tracking cookies on a guest’s device (smartphone, tablet, or computer) when they are making reservations or bookings.
It doesn’t track guests from one browsing session to another. Guests can be absolutely sure that no long-term behavioural profile is being secretly built, or their private info is being collected in the background for cross-site retargeting and third-party advertising. Guests get a cleaner, faster user experience.

Brand reputation is everything in hospitality and drives loyalty. Imagine a hotel that frequently caters to high-net-worth individual bookings from guests who are very specific about privacy.
Having a booking engine that ensures your clients can book confidently, without worrying about the privacy of their personal details, is a deal-breaker. CultBooking checks all the right boxes.
Why CultBooking’s cookie-free design is the future of guest privacy
As a guest, it can be frustrating when you can’t get what you want directly on your platform. Instead of a simple, clutter-free “book now” option, when guests are shown banners prompting them to accept/reject, they perceive them as disruptive and invasive.
The visual frustration is enough to bounce them off. All you get is abandoned bookings.
By getting rid of cookies, we actually solved a major conversion friction point in hospitality.
We didn’t want clients using our booking engine to have such an experience. In its current form, CultBooking functions as a dedicated hotel booking engine that integrates easily with the property’s websites to securely process direct bookings.
Not only do we help our clients capture commission-free bookings directly from their website, social media, or ads, but we also ensure that nothing else that’s private is captured.
With the new compliance measures just announced, CultBooking is compliant by default.
Click here to learn how to check if your booking engine is actually cookie-free.
The takeaway for businesses using CultBooking
Hotels and accommodation providers using the CultBooking engine do not need to worry. In fact, we save you from much of the compliance headaches.
Let’s take the example of a business that currently uses CultBooking on their website. Since the business uses CultBooking and CultBooking doesn’t use cookies, which are a focus area under privacy laws, your business is automatically compliant with strict regulations such as GDPR (Europe), CCPA (California), and the ePrivacy Directive. These websites do not require a cookie consent pop-up under privacy laws.
That’s not all. There’s more to it when you’re using a 100% cookie-free hotel booking engine.
- Your business brand perception is intrinsically tied to how you view privacy. Today it’s a major selling point. CultBooking with its cookie-free positioning clearly sets your brand as an ethical alternative.
- Compliance is a serious issue. Deviations usually result in hefty fines. A privacy-compliant booking engine saves you costly errors that could have resulted from logging, pre-ticked tracking boxes, or illegal data tracking.
- By default, your system with CultBooking integrated doesn’t track any of your guests’ personal browsing habits. This takes away the liability of managing, storing, and securing sensitive tracking histories off your shoulders. Zero worry.
But what about the analytics that businesses would still need? Are we sacrificing key data and metrics capital for compliance? Not really.
Using Google Analytics within CultBooking and cookie consent
CultBooking is inherently cookie-free, ensuring a seamless, no-banner booking experience by default. However, we recognise that hotels often need deep marketing data. There’s an optional Google Analytics opt-in which fulfils these requirements.
If a hotel wants to use Google Analytics (or another analytics solution) within the CultBooking booking engine, then Analytics cookies require prior consent under GDPR/ePrivacy rules.
Why would this be required? We explain it. Google Analytics (GA) is a third-party service. When you “turn on” GA inside CultBooking, you are effectively introducing a third-party tracker. The legal requirement kicks in.
This feature can be enabled in the booking engine configuration. If the hotel has a consent management platform (CMP) or cookie banner on its main website, then the visitor has already given consent there. That consent can be passed to CultBooking. As a result, the booking engine respects the existing consent and must not ask again. In a way, the CultBooking engine honours the consent your guests have already given earlier.
Communication which doesn’t require consent to track
It’s important to understand the scope of these new compliance laws regarding non-marketing emails. Not all emails are marketing emails. A large chunk of emails that flow is about transactions. Booking confirmations, payment confirmations, cancellation confirmations and similar emails are transactional emails, not marketing emails.
And it’s great if sending businesses can have tracking to know the status of these transactions.
CultBooking uses tracking pixels in transactional emails. Sending these emails does not require marketing consent because they are necessary to fulfil the contract between the hotel and the guest. Open tracking (typically via a tracking pixel) is generally considered part of ensuring delivery and documenting that an important transactional message reached and was opened by the guest.
This allows the hotelier to verify that the booking confirmation was not only delivered but also opened. All these status messages are visible in CultBooking’s Extranet and via API for technical partners.
There’s still one thing to look into
That was all about how hotels/businesses, by default, secure users’ browser experience when using the CultBooking engine.
What if there’s a hotel or a client that’s also running separate email marketing campaigns, let’s say using popular tools like Mailchimp or HubSpot, targeting subscribers in France or Italy? In this case, as these systems embed invisible open-tracking pixels, you still need to comply with the new email pixel consent rules. The legal burden for obtaining consent for email tracking exists independently.
That’s one difference that needs to be understood.
HubSpot began rolling out support to help its clients transition to a compliant ecosystem while keeping campaigns running.
The booking engine widget/button provided by CultBooking itself remains safe and compliant out of the box. We value business and the privacy of the guests our businesses care about.
info@cultbooking.com
0049 30 726225 0