Tracking and privacy
The NSW Email Design System uses plain HTML—no hidden pixels, no link rewrites, no JavaScript. This keeps the code lightweight and puts decisions about analytics in your hands. Use the guidance below to decide whether to include tracking and, if so, how to do it responsibly.
What hidden tracking does
A standard “open pixel” is a transparent 1 × 1 pixel image that loads from the sender's server. When the email is opened and the image is fetched, the request can reveal the reader's IP address, rough location, device type and the time they opened the email, often without their knowledge. This kind of tracking is common in marketing emails.
Why open rates are less reliable
Privacy features are reducing the accuracy of open rates:
Apple Mail Privacy Protection pre-loads images through Apple’s servers, inflating open rates and removing location data.
Gmail and corporate security tools use image proxies that also pre-fetch images.
Campaign Monitor now recommends focusing on clicks and conversions, acknowledging that open rates are no longer reliable.
Privacy obligations for government
Under Australian Privacy Principle (APP) 3, covert tracking may breach the “fair means” requirement. APPs 1 and 5 also require clear disclosure in your privacy policy. The Office of the Australian Information Commissioner (OAIC) warns against using tracking without proper disclosure.
In the UK and EU, tracking pixels are considered cookie-style technology and generally require informed consent unless essential.
How the NSW Email Framework supports privacy
No built-in tracking. Each template is static HTML with no external calls. Analytics only start when you integrate with your chosen email provider.
Transparent code. Any tracking you add must be explicit, making reviews and privacy assessments easier.
Privacy-first by default. If your message doesn’t require behavioural data, use the default build and state clearly that “no tracking technologies are included” in your privacy notice.
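One way to verify the "no external calls" property during a privacy review is to scan the final HTML, after your email provider has processed it, for anything a mail client would fetch or run on open. The script below is an added example, not part of the NSW Email Design System; the function name, finding labels and sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

REMOTE = re.compile(r"(?:https?:)?//", re.I)  # absolute or protocol-relative URL
CSS_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^'\")\s]+)", re.I)
FETCH_ATTRS = ("src", "srcset", "background", "poster")  # fetched when the email renders

def _tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    return (value or "").strip().lower().rstrip("px") in ("0", "1")

class TemplateAudit(HTMLParser):
    """Collects (kind, tag, url) for anything that loads remotely or runs script."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _css(self, tag, text):
        self.findings += [("remote-load", tag, u) for u in CSS_URL.findall(text)]

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "script":  # any script breaks the "no JavaScript" property
            self.findings.append(("script", tag, a.get("src", "")))
            return
        self._in_style = self._in_style or tag == "style"
        for name in FETCH_ATTRS:
            values = a.get(name, "").split(",") if name == "srcset" else [a.get(name, "")]
            for url in (v.split()[0] for v in values if v.strip()):
                if REMOTE.match(url):  # cid: and data: images stay inside the message
                    tiny = tag == "img" and (_tiny(a.get("width")) or _tiny(a.get("height")))
                    self.findings.append(("pixel" if tiny else "remote-load", tag, url))
        if tag == "link" and REMOTE.match(a.get("href", "")):
            self.findings.append(("remote-load", tag, a["href"]))
        self._css(tag, a.get("style", ""))  # <a href> is followed only on click, so not flagged

    def handle_data(self, data):
        if self._in_style:
            self._css("style", data)

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

def audit(html):
    parser = TemplateAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup: a static template, then the same template with an open pixel.
CLEAN = '<table><tr><td style="background:#002664"><img src="cid:logo" width="120" height="40" alt="NSW Government"><a href="https://www.nsw.gov.au/">Read more</a></td></tr></table>'
TRACKED = CLEAN + '<img src="https://esp.example/o.gif?r=abc123" width="1" height="1" alt="">'
```

An empty result supports a "no tracking technologies are included" statement for load-time tracking only; rewritten click links need a separate check of the href values.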
Responsible tracking: a checklist
Before adding analytics, consider:
Do you need this data, or are click metrics enough?
Have you updated your privacy policy and consent process?
Can you minimise personal data, for example by hashing identifiers?
Include these checks as part of your approval process. They align with OAIC privacy-by-design principles and international standards like the GDPR.