Report: Most Emails Contain 'Spy Pixel'

John Lister's picture

Two thirds of emails contain a "spy pixel" according to one provider. The invisible pixel could let companies discover where people live and what devices they own. At the very least, it will report back to spammers that the email has been opened, which then validates your email address and will result in additional spam.

The figures comes from "Hey," an email provider that offers a paid service rather than scanning emails to get information for targeted advertising. That means it's possible its user base isn't reflective of the general public, though that shouldn't distort the results of its audit of emails.

The company said on average its customers get 24 emails a day that contain at least one tracking pixel, while 10 percent of customers get at least 50 such messages. In many cases the senders were reputable, well-known businesses. (Source:

Invisible Tracker

A spy pixel is simply a tiny image (literally one pixel in dimension), usually in white so that it can't be seen by the user. The image isn't actually in the mail itself, but instead retrieved from the sender's email server once the message has been rendered on the user's machine.

That retrieval allows the sender to track which emails have actually been read and whether the recipient reopens the email later on. Both of these help companies test how attractive different subject lines are, or whether sending at a certain time of day means users read messages more quickly. They can also make it more effective to target follow-up messages, for example at people who may be thinking over an offer in a promotional email.

However, the process can mean the senders get additional detail beyond the email being opened. For example, they'll typically be able to see the type of device was used to access the email. They'll also get an IP address, which could theoretically narrow down the user to the nearest street, though accuracy varies.

Consent a Key Issue

While this is all information a company can get when somebody visits a website, Hey argues it's a matter of consent. While users choose to visit a site and could reasonably be expected to know this action provides some data, it's not as clear that this happens when opening an email.

It's also arguably spy pixels breach some privacy laws (particular Europe's GDPR) which require active consent before a company can collect any personal data. (Source:

Some email providers allow users to specifically block spy pixels. With others, a similar effect can be had by blocking images from automatically loading or switching to a plain-text-only mode. This is typically the default action taken for most email clients such as Thunderbird or Outlook.

What's Your Opinion?

Did you know about the use of tracking pixels? Is it acceptable to you or does it go too far? Should companies have to get consent before using tracking pixels?

Rate this article: 
Average: 5 (15 votes)


Gurugabe's picture

I see you inserted the "Spy Pixel" into your email. Why?<****************>

Dennis Faas's picture

This is part of PHPList, which is the program that I use to send out emails to our list of subscribers. PHPList has been around for over 20 years and has used tracking pixels for almost as long.

Despite what is written in article, it is fairly common practice for legitimate bulk emailers (such as Infopackets) to use tracking pixels. The issue mentioned in the article is more to do with spammers that use tracking pixels because they are not authorized email senders. They use the technology to illegally verify if email addresses are valid.

For the record, I don't use the PHPList pixel tracking stats to look to see if anyone on the mailing list opens the newsletter, if that matters.

doulosg's picture

I heard about this decades ago and always wonder about junk email that gets opened accidentally. What is not clear from the article is whether the message actually needs to be opened for reading, or if simply appearing in the inbox is sufficient for data to be sent back to the source.

As to IP addresses identifying a specific street, maybe this is the advantage of using the phone company as an ISP: I am generally shown as located dozens or even hundreds of miles away from home by my dynamic IP assignment.

matt_2058's picture

The irony is companies that send an email boasting of their policies to keep your info private and that very email containing multiple spy pixels.

As with other comments, I was aware of the pixel-tracking when it was first reported a long time ago. If it were only about a sender getting a report of how many emails were opened, I wouldn't see a problem. But it's not and far too much data is collected. Cross reference that info with other sources and a very good profile is completed. Privacy is lost even if you are using a throw-away email address to receive the emails.

I'd like to see stricter policies on data collection, or transparency in a way that's idiot proof for the most unaware users.

beach.boui's picture

Thunderbird, Gmail, Yahoo Mail, Outlook and most other email clients I've seen or used all have the option to disallow graphics to be automatically loaded in an email. Users can easily set this as the default so that no email they open will automatically ask for that tracking pixel. Unless the message, itself, is contained in a graphic, which often is the case, the user can read the email without loading graphics at all. Doesn't make for a very pretty email. But, that's the cost of privacy. All of my email clients are set to not load graphics upon opening.