[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUmBTqiqeZrdDaVxx42vFGr6OpPdyIWKrLwa14-91Y28":3,"white_papers":58},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":8,"featured":15,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":47,"imageUrl":48,"imageThumbUrls":49,"id":57},true,"Are you tired of generic newsletters that skim over your real challenges? Dastra offers you **Dastra Insights**, a legal and regulatory watch **specially designed for DPOs, in-house counsel, and Privacy and AI professionals**.\n\n🎯 **Targeted, useful monitoring grounded in the day-to-day reality of data protection and AI.**\n\nHere is our selection for **April 2026**:\n\n---\n\n## **AI Act Omnibus: stalled negotiations & uncertainty over the timeline**\n\n**Date**: 28 April 2026\\\n**Source**: [Reuters link](https://www.reuters.com/sustainability/boards-policy-regulation/eu-countries-lawmakers-fail-reach-deal-watered-down-ai-rules-2026-04-29/)\n\nThe trilogue on **28 April 2026** on the **AI Act Omnibus** package, introduced by the Commission in November 2025 to simplify certain aspects of the implementation of the AI Regulation, ended in failure.\n\nThe institutions appeared to be converging on several points, notably a postponement to **2 December 2027** for high-risk systems under **Annex III** and to **2 August 2028** for AI embedded in already regulated products.\n\nHowever, disagreement concerned a structural point: the place of AI systems embedded in products covered by existing sector-specific legislation, such as **medical devices**, **machinery**, **toys**, or **connected vehicles**.\n\nThe issue is whether these systems should remain fully within the scope of the AI Regulation or be governed primarily by sectoral rules.\n\nIn the absence of an agreement, the **currently applicable timeline** remains in force, meaning that the **2 August 2026** deadline for certain obligations on high-risk systems remains, at this stage, the legal reference point.\n\nEven if discussions are to continue (new negotiations around May 13th), companies cannot assume that a postponement will be adopted in time. Some obligations outside the Omnibus, notably the **transparency** requirements for certain generative AI systems under **Article 50**, remain immediate compliance priorities.\n\n## **The EDPB adopts a Data Protection Impact Assessment (DPIA) template**\n\n**Date**: 14 April 2026\\\n**Source**: [Official link](https://www.edpb.europa.eu/news/news/2026/enhancing-compliance-and-consistency-edpb-adopts-dpia-template_fr)\n\nThe EDPB has adopted a **Data Protection Impact Assessment (DPIA)** template to help organizations structure and document their assessments more consistently across the EU.\n\n- The Board specifies that a DPIA is required where processing is likely to result in a **high risk** to rights and freedoms, and that the template was designed to guide controllers step by step.\n\n- The template comes with an **explanatory document** intended to make it easier to use and to address possible issues of interpretation.\n\n- Use of the template is **not mandatory**, but the EDPB highlights its practical value: predefined fields, better completeness, reduced risk of error, and time savings.\n\nThe text is open for **public consultation until 9 June 2026**; after this phase, national authorities will need to take the necessary steps to adopt it either as a single standard or as a “meta-model” aligning national templates.\n\n## **EDPB consultation on guidelines on scientific research**\n\n**Date**: 16 April 2026\\\n**Source**: [Official link](https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2026/guidelines-12026-processing-personal-data_it)\n\nThe EDPB has launched a **public consultation** on its **Guidelines 1/2026** concerning the processing of personal data for **scientific research** purposes.\n\nThe consultation page clearly identifies the topics covered: **health, controller and processor roles, legal basis, consent, and data subject rights**.\n\nThe timeline is also important: the consultation is open from **16 April to 25 June 2026**. For lawyers and DPOs, this text deserves particular attention because it is likely to influence how legal basis, information notices, and safeguards are assessed in research projects, especially in health and AI-related uses.\n\n## **EDPB Annual Report 2025**\n\n**Date**: 9 April 2026\\\n**Source**: [Official link](https://www.edpb.europa.eu/news/news/2026/edpb-annual-report-2025-supporting-stakeholders-through-guidance-and-dialogue_en)\n\nThe EDPB has published its **2025 Annual Report**, which does not in itself create new obligations but provides a clear indication of the Board’s **institutional and doctrinal priorities**.\n\nThe report highlights the **Helsinki Statement on Enhanced Clarity, Support, and Engagement**, aimed at making GDPR compliance clearer and more workable.\n\nIt also emphasizes the growing importance of **inter-regulatory cooperation**, notably with the Commission, on the relationship between the GDPR and other digital-law instruments such as the **DMA**, the **DSA**, and the preparatory work on the **AI Act**.\n\n## **European Commission and EDPB: joint work on competition and data protection**\n\n**Date**: 28 April 2026\\\n**Source**: [Official link](https://competition-policy.ec.europa.eu/about/news/commission-services-and-edpb-will-start-joint-work-guidance-interplay-between-eu-competition-law-and-2026-04-28_en)\n\nThe Commission services and the EDPB have announced the launch of joint work aimed at producing **guidance on the interaction between EU competition law and data protection law**.\n\nThe press release states that this work will focus on targeted situations in which data law is relevant to the competition analysis, and vice versa.\n\nThe stated objective is to ensure a **coherent** approach across the two bodies of law, while providing greater clarity for economic operators and enforcement authorities. \\\n\\\nThis initiative follows on from the work carried out on the **DMA/GDPR** interface. It is an important signal for major platforms, digital ecosystems, and more broadly all cases where data plays both an economic and regulatory role.\n\n## **Recommendation on age verification at EU level**\n\n**Date**: 29 April 2026\\\n**Source**: [Official link](https://digital-strategy.ec.europa.eu/en/library/commission-sets-out-common-approach-eu-wide-age-verification-technologies)\n\nThe Commission has adopted a recommendation aimed at promoting the deployment in the EU of **age verification** solutions based on **anonymous proof-of-age** technologies, with an explicit focus on **privacy** and **data protection**.\n\nIt recommends that Member States use the **European blueprint**, prepare implementation plans, and cooperate with DSA coordinators, the Commission, researchers, and civil society. The text provides that EU citizens should have access to **robust, privacy-preserving solutions by 31 December 2026**.\n\nThe Commission also announces a **European age-verification scheme**, a list of solutions compliant with security and privacy standards, and a list of trusted providers for age-proof attestations. \\\n\\\nNotably, the solution must allow a user to prove that they are above a certain age **without revealing their exact age or identity** to the platform.\n\n## **Targeted consultation on the energy consumption and emissions of AI models and systems**\n\n**Date**: 7 April 2026\\\n**Source**: [Official link](https://digital-strategy.ec.europa.eu/en/consultations/targeted-consultation-measuring-energy-consumption-and-emissions-ai-models-and-systems)\\\n\\\nThe Commission has launched a targeted consultation as part of a study on **measuring and promoting energy-efficient, low-emission AI** in the EU. \\\n\\\nResponses are intended to help develop a **measurement framework** for the AI Act’s energy objectives, and could also inform the design of a possible **AI energy/emissions label**. \\\n\\\nThe text is aimed in particular at companies that develop or deploy **GPAI models** or other AI systems, as well as their component and service providers. It recalls a concrete regulatory point: providers of GPAI models must document **known or estimated energy consumption** in their technical documentation under **Annex XI of the AI Act**. \\\n\\\nStakeholders could express interest until **10 May 2026**, then respond to a questionnaire until **15 May 2026**; the final summary will be published on the basis of **aggregated data**.\n\n## **CNIL priority inspections for 2026**\n\n**Date**: 3 April 2026\\\n**Source**: [Official link](https://www.cnil.fr/fr/controles-prioritaires-2026)\n\nThe CNIL has announced its **priority inspection themes for 2026**: **recruitment**, the **French electoral register (REU)**, and **sports federations**.\n\nThe most directly relevant topic for data/AI monitoring is **recruitment**. The CNIL explains that these inspections, three years after publication of its dedicated guide, will check recruiters’ GDPR compliance on issues such as **automated decision-making systems**, **candidate information**, and **retention periods**.\n\nThe inspections will focus primarily on **large companies** and **recruitment agencies**.\n\n## **CNIL final recommendations on tracking pixels in emails**\n\n**Date**: 14 April 2026\\\n**Source**: [Official link](https://www.cnil.fr/fr/recommandation-pixel-suivi-courriels)\n\nThe CNIL has published the final version of its recommendations on **tracking pixels in emails**, in response to the growing use of this technique to measure message opens, personalize communications, track readership, or measure **deliverability**.\n\nIt recalls that these pixels fall within the scope of **trackers**, in conjunction with **Article 82** of the French Data Protection Act, and clarifies in which cases their use requires **consent** and in which cases an **exemption** may apply.\n\nThe text provides an important clarification: an exemption is recognized for the **individual measurement of deliverability** when it is linked to a **service requested by the recipient**, subject to strict safeguards; data must be limited to what is strictly necessary and used only for that purpose.\n\nThe CNIL also clarifies which emails may be considered linked to a requested service, including certain **transactional emails** and those for which the recipient has already consented.\n\nFinally, it adopts a **phased approach** for legacy contact databases: for addresses collected before the recommendation was published, actors have **three months** to clearly inform recipients about the use of pixels and to allow them to **object easily**.\n\n## **ICO final guidance on Storage & Access Technologies**\n\n**Date**: 29 April 2026\\\n**Source**: [Official link](https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/04/final-storage-and-access-technologies-guidance-published/)\n\nThe ICO has published its final guidance on **Storage and Access Technologies (SATs)**, that is, on how the **PECR** and, where applicable, the **UK GDPR**, apply to **cookies, tracking pixels, device fingerprinting**, and similar technologies.\n\nThe regulator says the text was updated after **two consultations** and in light of changes introduced by the **Data (Use and Access) Act**.\n\nIt highlights the addition of **new examples** and **practical clarifications** aimed at making compliance easier. The announcement also includes an enforcement message: according to the ICO, **99% of the UK’s top 1,000 websites** now meet its cookie-banner compliance requirements following its targeted action with the sector.","\u003Cp>Are you tired of generic newsletters that skim over your real challenges? Dastra offers you \u003Cstrong>Dastra Insights\u003C/strong>, a legal and regulatory watch \u003Cstrong>specially designed for DPOs, in-house counsel, and Privacy and AI professionals\u003C/strong>.\u003C/p>\n\u003Cp>🎯 \u003Cstrong>Targeted, useful monitoring grounded in the day-to-day reality of data protection and AI.\u003C/strong>\u003C/p>\n\u003Cp>Here is our selection for \u003Cstrong>April 2026\u003C/strong>:\u003C/p>\n\u003Chr />\n\u003Ch2 id=\"ai-act-omnibus-stalled-negotiations-uncertainty-over-the-timeline\">\u003Cstrong>AI Act Omnibus: stalled negotiations & uncertainty over the timeline\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 28 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.reuters.com/sustainability/boards-policy-regulation/eu-countries-lawmakers-fail-reach-deal-watered-down-ai-rules-2026-04-29/\" rel=\"nofollow\">Reuters link\u003C/a>\u003C/p>\n\u003Cp>The trilogue on \u003Cstrong>28 April 2026\u003C/strong> on the \u003Cstrong>AI Act Omnibus\u003C/strong> package, introduced by the Commission in November 2025 to simplify certain aspects of the implementation of the AI Regulation, ended in failure.\u003C/p>\n\u003Cp>The institutions appeared to be converging on several points, notably a postponement to \u003Cstrong>2 December 2027\u003C/strong> for high-risk systems under \u003Cstrong>Annex III\u003C/strong> and to \u003Cstrong>2 August 2028\u003C/strong> for AI embedded in already regulated products.\u003C/p>\n\u003Cp>However, disagreement concerned a structural point: the place of AI systems embedded in products covered by existing sector-specific legislation, such as \u003Cstrong>medical devices\u003C/strong>, \u003Cstrong>machinery\u003C/strong>, \u003Cstrong>toys\u003C/strong>, or \u003Cstrong>connected vehicles\u003C/strong>.\u003C/p>\n\u003Cp>The issue is whether these systems should remain fully within the scope of the AI Regulation or be governed primarily by sectoral rules.\u003C/p>\n\u003Cp>In the absence of an agreement, the \u003Cstrong>currently applicable timeline\u003C/strong> remains in force, meaning that the \u003Cstrong>2 August 2026\u003C/strong> deadline for certain obligations on high-risk systems remains, at this stage, the legal reference point.\u003C/p>\n\u003Cp>Even if discussions are to continue (new negotiations around May 13th), companies cannot assume that a postponement will be adopted in time. Some obligations outside the Omnibus, notably the \u003Cstrong>transparency\u003C/strong> requirements for certain generative AI systems under \u003Cstrong>Article 50\u003C/strong>, remain immediate compliance priorities.\u003C/p>\n\u003Ch2 id=\"the-edpb-adopts-a-data-protection-impact-assessment-dpia-template\">\u003Cstrong>The EDPB adopts a Data Protection Impact Assessment (DPIA) template\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 14 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.edpb.europa.eu/news/news/2026/enhancing-compliance-and-consistency-edpb-adopts-dpia-template_fr\" rel=\"nofollow\">Official link\u003C/a>\u003C/p>\n\u003Cp>The EDPB has adopted a \u003Cstrong>Data Protection Impact Assessment (DPIA)\u003C/strong> template to help organizations structure and document their assessments more consistently across the EU.\u003C/p>\n\u003Cul>\n\u003Cli>\u003Cp>The Board specifies that a DPIA is required where processing is likely to result in a \u003Cstrong>high risk\u003C/strong> to rights and freedoms, and that the template was designed to guide controllers step by step.\u003C/p>\n\u003C/li>\n\u003Cli>\u003Cp>The template comes with an \u003Cstrong>explanatory document\u003C/strong> intended to make it easier to use and to address possible issues of interpretation.\u003C/p>\n\u003C/li>\n\u003Cli>\u003Cp>Use of the template is \u003Cstrong>not mandatory\u003C/strong>, but the EDPB highlights its practical value: predefined fields, better completeness, reduced risk of error, and time savings.\u003C/p>\n\u003C/li>\n\u003C/ul>\n\u003Cp>The text is open for \u003Cstrong>public consultation until 9 June 2026\u003C/strong>; after this phase, national authorities will need to take the necessary steps to adopt it either as a single standard or as a “meta-model” aligning national templates.\u003C/p>\n\u003Ch2 id=\"edpb-consultation-on-guidelines-on-scientific-research\">\u003Cstrong>EDPB consultation on guidelines on scientific research\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 16 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2026/guidelines-12026-processing-personal-data_it\" rel=\"nofollow\">Official link\u003C/a>\u003C/p>\n\u003Cp>The EDPB has launched a \u003Cstrong>public consultation\u003C/strong> on its \u003Cstrong>Guidelines 1/2026\u003C/strong> concerning the processing of personal data for \u003Cstrong>scientific research\u003C/strong> purposes.\u003C/p>\n\u003Cp>The consultation page clearly identifies the topics covered: \u003Cstrong>health, controller and processor roles, legal basis, consent, and data subject rights\u003C/strong>.\u003C/p>\n\u003Cp>The timeline is also important: the consultation is open from \u003Cstrong>16 April to 25 June 2026\u003C/strong>. For lawyers and DPOs, this text deserves particular attention because it is likely to influence how legal basis, information notices, and safeguards are assessed in research projects, especially in health and AI-related uses.\u003C/p>\n\u003Ch2 id=\"edpb-annual-report-2025\">\u003Cstrong>EDPB Annual Report 2025\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 9 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.edpb.europa.eu/news/news/2026/edpb-annual-report-2025-supporting-stakeholders-through-guidance-and-dialogue_en\" rel=\"nofollow\">Official link\u003C/a>\u003C/p>\n\u003Cp>The EDPB has published its \u003Cstrong>2025 Annual Report\u003C/strong>, which does not in itself create new obligations but provides a clear indication of the Board’s \u003Cstrong>institutional and doctrinal priorities\u003C/strong>.\u003C/p>\n\u003Cp>The report highlights the \u003Cstrong>Helsinki Statement on Enhanced Clarity, Support, and Engagement\u003C/strong>, aimed at making GDPR compliance clearer and more workable.\u003C/p>\n\u003Cp>It also emphasizes the growing importance of \u003Cstrong>inter-regulatory cooperation\u003C/strong>, notably with the Commission, on the relationship between the GDPR and other digital-law instruments such as the \u003Cstrong>DMA\u003C/strong>, the \u003Cstrong>DSA\u003C/strong>, and the preparatory work on the \u003Cstrong>AI Act\u003C/strong>.\u003C/p>\n\u003Ch2 id=\"european-commission-and-edpb-joint-work-on-competition-and-data-protection\">\u003Cstrong>European Commission and EDPB: joint work on competition and data protection\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 28 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://competition-policy.ec.europa.eu/about/news/commission-services-and-edpb-will-start-joint-work-guidance-interplay-between-eu-competition-law-and-2026-04-28_en\" rel=\"nofollow\">Official link\u003C/a>\u003C/p>\n\u003Cp>The Commission services and the EDPB have announced the launch of joint work aimed at producing \u003Cstrong>guidance on the interaction between EU competition law and data protection law\u003C/strong>.\u003C/p>\n\u003Cp>The press release states that this work will focus on targeted situations in which data law is relevant to the competition analysis, and vice versa.\u003C/p>\n\u003Cp>The stated objective is to ensure a \u003Cstrong>coherent\u003C/strong> approach across the two bodies of law, while providing greater clarity for economic operators and enforcement authorities. \u003Cbr />\n\u003Cbr />\nThis initiative follows on from the work carried out on the \u003Cstrong>DMA/GDPR\u003C/strong> interface. It is an important signal for major platforms, digital ecosystems, and more broadly all cases where data plays both an economic and regulatory role.\u003C/p>\n\u003Ch2 id=\"recommendation-on-age-verification-at-eu-level\">\u003Cstrong>Recommendation on age verification at EU level\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 29 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/library/commission-sets-out-common-approach-eu-wide-age-verification-technologies\" rel=\"nofollow\">Official link\u003C/a>\u003C/p>\n\u003Cp>The Commission has adopted a recommendation aimed at promoting the deployment in the EU of \u003Cstrong>age verification\u003C/strong> solutions based on \u003Cstrong>anonymous proof-of-age\u003C/strong> technologies, with an explicit focus on \u003Cstrong>privacy\u003C/strong> and \u003Cstrong>data protection\u003C/strong>.\u003C/p>\n\u003Cp>It recommends that Member States use the \u003Cstrong>European blueprint\u003C/strong>, prepare implementation plans, and cooperate with DSA coordinators, the Commission, researchers, and civil society. The text provides that EU citizens should have access to \u003Cstrong>robust, privacy-preserving solutions by 31 December 2026\u003C/strong>.\u003C/p>\n\u003Cp>The Commission also announces a \u003Cstrong>European age-verification scheme\u003C/strong>, a list of solutions compliant with security and privacy standards, and a list of trusted providers for age-proof attestations. \u003Cbr />\n\u003Cbr />\nNotably, the solution must allow a user to prove that they are above a certain age \u003Cstrong>without revealing their exact age or identity\u003C/strong> to the platform.\u003C/p>\n\u003Ch2 id=\"targeted-consultation-on-the-energy-consumption-and-emissions-of-ai-models-and-systems\">\u003Cstrong>Targeted consultation on the energy consumption and emissions of AI models and systems\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 7 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/consultations/targeted-consultation-measuring-energy-consumption-and-emissions-ai-models-and-systems\" rel=\"nofollow\">Official link\u003C/a>\u003Cbr />\n\u003Cbr />\nThe Commission has launched a targeted consultation as part of a study on \u003Cstrong>measuring and promoting energy-efficient, low-emission AI\u003C/strong> in the EU. \u003Cbr />\n\u003Cbr />\nResponses are intended to help develop a \u003Cstrong>measurement framework\u003C/strong> for the AI Act’s energy objectives, and could also inform the design of a possible \u003Cstrong>AI energy/emissions label\u003C/strong>. \u003Cbr />\n\u003Cbr />\nThe text is aimed in particular at companies that develop or deploy \u003Cstrong>GPAI models\u003C/strong> or other AI systems, as well as their component and service providers. It recalls a concrete regulatory point: providers of GPAI models must document \u003Cstrong>known or estimated energy consumption\u003C/strong> in their technical documentation under \u003Cstrong>Annex XI of the AI Act\u003C/strong>. \u003Cbr />\n\u003Cbr />\nStakeholders could express interest until \u003Cstrong>10 May 2026\u003C/strong>, then respond to a questionnaire until \u003Cstrong>15 May 2026\u003C/strong>; the final summary will be published on the basis of \u003Cstrong>aggregated data\u003C/strong>.\u003C/p>\n\u003Ch2 id=\"cnil-priority-inspections-for-2026\">\u003Cstrong>CNIL priority inspections for 2026\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 3 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.cnil.fr/fr/controles-prioritaires-2026\" rel=\"nofollow\">Official link\u003C/a>\u003C/p>\n\u003Cp>The CNIL has announced its \u003Cstrong>priority inspection themes for 2026\u003C/strong>: \u003Cstrong>recruitment\u003C/strong>, the \u003Cstrong>French electoral register (REU)\u003C/strong>, and \u003Cstrong>sports federations\u003C/strong>.\u003C/p>\n\u003Cp>The most directly relevant topic for data/AI monitoring is \u003Cstrong>recruitment\u003C/strong>. The CNIL explains that these inspections, three years after publication of its dedicated guide, will check recruiters’ GDPR compliance on issues such as \u003Cstrong>automated decision-making systems\u003C/strong>, \u003Cstrong>candidate information\u003C/strong>, and \u003Cstrong>retention periods\u003C/strong>.\u003C/p>\n\u003Cp>The inspections will focus primarily on \u003Cstrong>large companies\u003C/strong> and \u003Cstrong>recruitment agencies\u003C/strong>.\u003C/p>\n\u003Ch2 id=\"cnil-final-recommendations-on-tracking-pixels-in-emails\">\u003Cstrong>CNIL final recommendations on tracking pixels in emails\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 14 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.cnil.fr/fr/recommandation-pixel-suivi-courriels\" rel=\"nofollow\">Official link\u003C/a>\u003C/p>\n\u003Cp>The CNIL has published the final version of its recommendations on \u003Cstrong>tracking pixels in emails\u003C/strong>, in response to the growing use of this technique to measure message opens, personalize communications, track readership, or measure \u003Cstrong>deliverability\u003C/strong>.\u003C/p>\n\u003Cp>It recalls that these pixels fall within the scope of \u003Cstrong>trackers\u003C/strong>, in conjunction with \u003Cstrong>Article 82\u003C/strong> of the French Data Protection Act, and clarifies in which cases their use requires \u003Cstrong>consent\u003C/strong> and in which cases an \u003Cstrong>exemption\u003C/strong> may apply.\u003C/p>\n\u003Cp>The text provides an important clarification: an exemption is recognized for the \u003Cstrong>individual measurement of deliverability\u003C/strong> when it is linked to a \u003Cstrong>service requested by the recipient\u003C/strong>, subject to strict safeguards; data must be limited to what is strictly necessary and used only for that purpose.\u003C/p>\n\u003Cp>The CNIL also clarifies which emails may be considered linked to a requested service, including certain \u003Cstrong>transactional emails\u003C/strong> and those for which the recipient has already consented.\u003C/p>\n\u003Cp>Finally, it adopts a \u003Cstrong>phased approach\u003C/strong> for legacy contact databases: for addresses collected before the recommendation was published, actors have \u003Cstrong>three months\u003C/strong> to clearly inform recipients about the use of pixels and to allow them to \u003Cstrong>object easily\u003C/strong>.\u003C/p>\n\u003Ch2 id=\"ico-final-guidance-on-storage-access-technologies\">\u003Cstrong>ICO final guidance on Storage & Access Technologies\u003C/strong>\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 29 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/04/final-storage-and-access-technologies-guidance-published/\" rel=\"nofollow\">Official link\u003C/a>\u003C/p>\n\u003Cp>The ICO has published its final guidance on \u003Cstrong>Storage and Access Technologies (SATs)\u003C/strong>, that is, on how the \u003Cstrong>PECR\u003C/strong> and, where applicable, the \u003Cstrong>UK GDPR\u003C/strong>, apply to \u003Cstrong>cookies, tracking pixels, device fingerprinting\u003C/strong>, and similar technologies.\u003C/p>\n\u003Cp>The regulator says the text was updated after \u003Cstrong>two consultations\u003C/strong> and in light of changes introduced by the \u003Cstrong>Data (Use and Access) Act\u003C/strong>.\u003C/p>\n\u003Cp>It highlights the addition of \u003Cstrong>new examples\u003C/strong> and \u003Cstrong>practical clarifications\u003C/strong> aimed at making compliance easier. The announcement also includes an enforcement message: according to the ICO, \u003Cstrong>99% of the UK’s top 1,000 websites\u003C/strong> now meet its cookie-banner compliance requirements following its targeted action with the sector.\u003C/p>\n","Dastra Insights: what happened in April?","A legal and regulatory watch service specifically designed for DPOs, legal professionals, and Privacy and AI practitioners.",1542,9,0,null,"en","dastra-insights-what-happened-in-april",false,"Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":12,"blogUrl":12,"color":12,"userId":18,"creationDate":21},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2026-05-04T09:13:00","2026-05-04T09:13:30.4856042","2026-05-04T10:59:24.1921597",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[],"https://static.dastra.eu/content/8a597890-2da8-48b7-8234-a1a2f2380b44/dastractu-original.jpg",[50,51,52,53,54,55,56],"https://static.dastra.eu/content/8a597890-2da8-48b7-8234-a1a2f2380b44/dastractu-1000.webp","https://static.dastra.eu/content/8a597890-2da8-48b7-8234-a1a2f2380b44/dastractu.webp","https://static.dastra.eu/content/8a597890-2da8-48b7-8234-a1a2f2380b44/dastractu-1500.webp","https://static.dastra.eu/content/8a597890-2da8-48b7-8234-a1a2f2380b44/dastractu-800.webp","https://static.dastra.eu/content/8a597890-2da8-48b7-8234-a1a2f2380b44/dastractu-600.webp","https://static.dastra.eu/content/8a597890-2da8-48b7-8234-a1a2f2380b44/dastractu-300.webp","https://static.dastra.eu/content/8a597890-2da8-48b7-8234-a1a2f2380b44/dastractu-100.webp",60004,{"items":59,"total":99,"size":100,"page":100},[60],{"title":61,"nbDownloads":62,"excerpt":12,"lang":13,"url":63,"intro":64,"featured":15,"state":16,"author":65,"authorId":18,"datePublication":66,"dateCreation":67,"dateUpdate":68,"mainCategory":69,"categories":76,"metaDatas":84,"imageUrl":89,"imageThumbUrls":90,"id":98},"Your Checklist to Multi-State Privacy Impact Assessments ",7,"your-checklist-to-multi-state-privacy-impact-assessment-compliance","Master multi-state Privacy Impact Assessments by downloading this checklist.",{"id":18,"displayName":19,"avatarUrl":20,"bio":12,"blogUrl":12,"color":12,"userId":18,"creationDate":21},"2026-02-23T10:07:00","2026-02-23T10:07:01.6114712","2026-02-24T15:38:38.0037058",{"id":70,"name":71,"description":12,"url":72,"color":73,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":74,"translations":75},70,"Livre blanc","white-papers","#1795d3",3,[],[77,82],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":78},[79,80,81],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},{"id":70,"name":71,"description":12,"url":72,"color":73,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":74,"translations":83},[],[85],{"typeMetaDataId":86,"value":87,"id":88},4,"https://static.dastra.eu/backofficefilescontainer/6c9c6770-09f5-44d2-ac35-466a87c40426/US PIA Cross State Checklist Best Practices.pdf",117305,"https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-original.jpg",[91,92,93,94,95,96,97],"https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-1000.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-1500.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-800.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-600.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-300.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-100.webp",59886,12,1]