€12.5M Fine and New Email Rules: What Italy's April 2026 GDPR Decisions Mean for Your Business

Mariya Petrova
May 1, 2026

Key Takeaways

  • Italian DPA Crackdown: April 2026 marks a major shift with €12.5M in fines against Poste Italiane for invasive app tracking and the introduction of strict mandatory consent rules for email tracking pixels.
  • Security vs. Privacy: The Garante ruled that "fraud prevention" (PSD2) does not justify scanning user devices or apps.
  • Email Consent Required: Businesses have 6 months to ensure email tracking pixels are opt-in, allowing users to receive emails without being tracked.
  • Shopify Merchant Impact: Shopify store owners should audit third-party SDKs and update email sign-up flows to ensure they aren't firing trackers before affirmative consent.
  • Consentmo Solution: Tools like Consentmo automate this compliance by scanning for trackers, managing granular cookie/pixel consent, and maintaining the legal logs required to avoid these specific Italian DPA penalties.

What Happened

Italy's data protection authority, the Garante per la Protezione dei Dati Personali (the "Garante"), made headlines twice in the same week.

On April 20, 2026, it announced a combined fine of over €12.5 million against Poste Italiane SpA and its subsidiary Postepay SpA for unlawfully tracking the personal data of millions of app users.

Then, on April 21, 2026, it published binding guidelines on the use of tracking pixels in emails — requiring explicit user consent in most cases — and giving businesses six months to comply.

These are not isolated incidents. They are part of a clear pattern: Italian regulators are looking closely at how businesses collect data through apps and emails, and they are ready to act.

Story 1: Poste Italiane Fined €12.5M for Scanning Users' Phones

Source: Italian DPA Press Release, April 20, 2026 | Decision 237/2026, Doc-Web 10241537

The BancoPosta and Postepay mobile apps, both used by millions of Italians for banking and payments, required users to authorize the scanning of their smartphone as a condition of using the service. The apps used a third-party SDK (LexisNexis ThreatMetrix) that scanned:

  • All installed and running applications
  • Device fingerprints
  • Operating system version
  • Hardware and advertising IDs
  • VPN indicators
  • IP addresses and mobile network identifiers
  • Geolocation data

The companies argued this was necessary for fraud prevention and to comply with PSD2 (the EU's Payment Services Directive). The Garante rejected that argument. Less invasive alternatives existed, and after 7 months of operation, the system showed no greater fraud detection efficiency than those alternatives.

The unlawful tracking affected 14.5 million Android users (5.97 million on BancoPosta, 8.6 million on Postepay). Data was also retained for 28 months, exceeding the companies' own declared maximum of 24 months.

  • Poste Italiane SpA fined: €6,624,000
  • Postepay SpA fined: €5,877,000
  • Total: €12,501,000

The Garante also ordered both companies to cease the contested processing and comply with proper data retention rules.

Story 2: Italy Now Requires Consent for Email Tracking Pixels

Source: Italian DPA Press Release, April 21, 2026 | Provision No. 284 of April 17, 2026

What Are Tracking Pixels?

A tracking pixel is a tiny (1x1), transparent, invisible image embedded in an email's HTML code. When the recipient's email client loads that image from the sender's server, it reports back to the sender:

  • Whether and when the email was opened
  • The recipient's IP address
  • The device type and email client used
  • How many times the email was reopened

Most email marketing platforms use them by default. Until now, many businesses used them without a second thought. That changes with Italy's new guidelines.

What the Garante Decided

The Garante classified tracking pixels as a form of access to users' terminal devices, subject to the same rules that govern cookies. Under the guidelines, their use requires prior, free, specific, and informed consent from the recipient in most situations.

Users must also be able to withdraw consent easily and selectively: they can choose to stop the pixel tracking while continuing to receive emails normally, or stop all tracking-based communications entirely.

What Are the Exceptions?

Not every use of tracking pixels requires consent. The Garante recognizes three exceptions:

  1. Anonymized aggregate statistics - If you use a single, shared pixel (not unique per user) purely to count the total open rate, and you anonymize all related technical data (IP address, device type, etc.), consent is not required.
  2. Security and authentication - Pixels used strictly for account activation confirmation or password reset flows are exempt.
  3. Mandatory institutional communications - Legally required messages (such as mandatory banking notifications or public health communications) are exempt.

For everything else, including standard marketing emails and audience segmentation, consent is required.

The good news: the Garante accepts that consent to tracking pixels can be bundled into a broader consent for promotional communications, as long as it is presented in a neutral, non-coercive way.

Compliance deadline: 6 months from the publication of the guidelines in Italy's Official Journal.
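As an added illustration (not code from the article or from Consentmo), here is how a mailing system could apply the rules above: a per-recipient pixel only after a logged opt-in, a campaign-wide pixel with an anonymous open count otherwise (exception 1), the security and institutional exemptions (exceptions 2 and 3), and selective withdrawal that keeps the subscriber on the list untracked. All names, the pixel URL and the sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

EXEMPT_CATEGORIES = {"account_activation", "password_reset", "mandatory_notice"}

@dataclass
class Subscriber:
    email: str
    recipient_id: str                      # opaque token; never the address itself
    pixel_consent: bool = False            # separate opt-in to open tracking
    consent_log: list = field(default_factory=list)

    def set_pixel_consent(self, granted: bool, source: str) -> None:
        """Record every grant or withdrawal with a timestamp (the audit trail)."""
        self.pixel_consent = granted
        self.consent_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                                 "pixel_consent": granted, "source": source})

def pixel_mode(sub: Subscriber, category: str) -> str:
    """'exempt': security/institutional mail, pixel allowed without consent;
    'unique': per-recipient pixel, only with explicit consent;
    'shared': one campaign-wide pixel for an aggregate open count (exception 1)."""
    if category in EXEMPT_CATEGORIES:
        return "exempt"
    return "unique" if sub.pixel_consent else "shared"

def render_pixel(sub: Subscriber, campaign_id: str, category: str,
                 base: str = "https://mail.example.test/px") -> str:
    """Return the <img> tag to embed. A withdrawn consent simply drops the
    recipient token, so the subscriber keeps receiving the email untracked."""
    mode = pixel_mode(sub, category)
    src = f"{base}/{campaign_id}"
    if mode in ("unique", "exempt"):
        src += f"?r={sub.recipient_id}"
    return f'<img src="{src}" width="1" height="1" alt="">'

open_counts: dict = {}          # campaign -> total opens (anonymous)
opens_by_recipient: dict = {}   # campaign -> set of consented recipient tokens

def record_open(request_path: str, client_ip: str, user_agent: str) -> dict:
    """Handle a pixel fetch: count every hit, store the recipient only when a
    token is present; client_ip and user_agent are deliberately never stored."""
    parsed = urlparse(request_path)
    campaign_id = parsed.path.rsplit("/", 1)[-1]
    open_counts[campaign_id] = open_counts.get(campaign_id, 0) + 1
    token = parse_qs(parsed.query).get("r", [None])[0]
    if token:
        opens_by_recipient.setdefault(campaign_id, set()).add(token)
    return {"campaign": campaign_id, "recipient": token}
```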

What These Decisions Mean for Shopify Merchants

If you sell to customers in Italy or anywhere in the EU, both of these decisions are directly relevant to your store.

On App Tracking and Data Collection

The Poste Italiane case confirms that security or fraud prevention cannot serve as a blank check for data collection. If your Shopify store uses third-party apps, analytics tools, or anti-fraud plugins that collect device or behavioral data, you need to:

  • Check what data each app collects: review their privacy policies and data processing agreements (required under GDPR Art. 28).
  • Confirm a lawful basis exists for each type of data collected: "it helps prevent chargebacks" does not automatically justify invasive tracking.
  • Make sure users are informed before any data collection begins: this means a compliant cookie banner that accurately describes all active tracking.
  • Avoid "consent or no access" designs: if refusing cookies blocks a user from browsing or checking out, that is coercive consent under GDPR Art. 7(4), the exact violation that cost Poste Italiane millions.

On Email Marketing

If you send marketing emails to Italian (or EU) subscribers and use an email platform like Klaviyo, Mailchimp, Omnisend, or similar, you almost certainly use tracking pixels. Here is what to review:

  • Check whether open tracking is on by default in your email platform and for which segments.
  • Update your privacy policy to disclose the use of tracking pixels clearly and in plain language.
  • Review your consent flows - do subscribers explicitly know they are consenting to email open tracking? If not, update your signup forms before the six-month deadline.
  • Consider granular opt-outs - allow users to keep receiving your emails without the pixel tracking, especially for your Italian subscriber base.
  • Contact your email service provider to understand what data they collect, how long they retain it, and whether they offer anonymized aggregate tracking as an alternative.

The Cookie Consent Connection

Both enforcement actions reinforce the same principle: consent must come first, and it must be genuine. For Shopify merchants, this starts at the very first touchpoint - the cookie banner.

A properly configured cookie banner:

  • Discloses all tracking technologies active on your store (including pixels, analytics tags, and marketing scripts)
  • Requires affirmative opt-in before non-essential cookies and trackers fire
  • Allows users to accept, reject, or customize their choices
  • Logs and stores consent records in case of an audit

Consentmo's GDPR compliance app for Shopify handles all of this automatically, from cookie scanning and banner display to consent logging and compliance pages. With 70M+ monthly user consents processed and trusted by 90,000+ merchants, it is built specifically to keep Shopify stores on the right side of regulations like these.

The Bottom Line

April 2026 sent two clear signals from Italy:

  1. Data collection justified by "security" or "fraud prevention" must still pass the necessity test, and coercive consent will be penalized regardless of your company's size.
  2. Email tracking pixels are no longer a gray area - they require disclosure and, in most cases, explicit consent from recipients.

Both decisions flow from the same foundation: GDPR's core principles of transparency, data minimization, and genuine user control. They apply to any business serving EU users, not just Italian companies.

If you are a Shopify merchant, the practical steps are clear: audit what your apps collect, review your email marketing consent flows, and ensure your cookie banner accurately reflects every tracker active on your store.

About the Author

Mariya Petrova
Mariya is a seasoned digital strategist currently leading Growth & Product Marketing at Consentmo, the preferred compliance solution for Shopify. With a robust background spanning over 8 years in the digital landscape, she brings a data-driven approach to scaling brands in the competitive Shopify ecosystem.
