Two thirds of emails sent to personal accounts include a tracking pixel that reveals how the user responded to the message.

Email client Hey analysed its traffic in collaboration with the BBC, and found that many companies could trace if and when an email was opened, how many times it was opened, what device it was opened from, and a general idea of the user’s location from their IP address.

Many of the world’s biggest companies use tracking pixels in their emails, analysis has shown.

Hey processes one million emails a day, according to co-founder David Heinemeier Hansson, out of a total 306.4 billion sent every day in 2020. According to the company, of those million emails received by the top 10 per cent of users, more than 50 contain tracking pixels.

The average user, meanwhile, gets 24 emails with tracking pixels - equating to 600,000 tracking attempts per day.

Tracking emails in this way is a “grotesque invasion of privacy”, Mr Hansson says. “It’s not like there’s a flag saying ‘this email includes a spy pixel’ in most email software”.

In order to stop this happening, users can purchase a subscription to Hey, which offers the feature for premium users, or by blocking images by default.

In Gmail, this can be done under Settings, then General, and then checking a box that states : “Ask before displaying external images”.

In the Mail app for iOS, images can be disabled in the main Settings app, under Mail, and then switching the “load remote images” toggle.

There are also free extensions for Google Chrome (and other Chromium browsers such as Brave) and Microsoft Edge available - but it is always worth checking exactly how these extensions might use consumer data by reading the privacy policy before installing.

Tracking pixels are not a new phenomenon. In 2017, Wired reported that nearly one fifth of all email communication is tracked. The “ice breaker”, email intelligence company OMC co-founder Florian Seroussi said at the time, was Gmail.

When sponsored links appeared in users’ emails, targeted using advertising data, it seemed invasive; but soon it became “common knowledge and everyone’s fine with it.”

The way these pixels work is the same way that finding images on the internet works. A user’s computer requests an image from a server, and when the server returns the image it is tracked by software. When a user downloads an email, the server can tell what has happened to it through similar means.

Tracking pixels also go by many names - web beacons, web bugs, tracking bugs, web tags, page tags, pixel tags, 1 x 1 GIFs, and clear GIFs - but users are unlikely to actually see them.

Use of tracking pixels in the UK is governed by the 2003 Privacy and Electronic Communications Regulations (Pecr) and as well as General Data Protection Regulation (GDPR).

This states that organisations should inform recipients of the pixels and obtain content - similar to how users have to actively turn on read receipts in messaging apps.

“Solely placing something in a privacy notice is not consent, and it is hardly transparent,” Pat Walshe from Privacy Matters told the BBC, who also pointed out that the ICO uses a tracking pixel within its own emailed newsletter.

“We’re working with our provider to remove the pixel functionality and this should be completed soon,” an ICO spokesperson told the BBC.

“We can also use the fact that they visited a site or app to show them an ad from that business – or a similar one – back on Facebook,”  the site’s product management director, David Baser, wrote in 2018.