Tracking links in email — what you can know vs what you should
Branded short links give you click data. Where the line sits between useful campaign measurement and creepy email tracking, with the privacy implications.
A click is a fact. Someone opened an email, decided the link was worth their next thirty seconds, and pressed it. That signal is genuinely useful — it's the difference between knowing whether your subject line earned attention and knowing whether the body earned action. Branded short links capture that signal cleanly, with no extra plumbing, every time anyone in the email taps anything.
But there's a hop between "I know which links got clicks" and "I know which person clicked, when, on which device, in which city, and how long after I sent the message." Most email tracking sits closer to the second sentence. Most of it doesn't need to. This post is about where the useful information ends and the creepy starts, what the major email tracking techniques actually capture, and how to design measurement that respects both you and the recipient.
The short version: clicks are measurement, opens are surveillance. The longer version is below — including how to get most of what you wanted from open pixels using only the things people actually opt into.
What email link tracking actually measures
A tracking link is just a URL with extra information that the destination server can use to identify which campaign, which message, and sometimes which recipient triggered the click. The simplest version is utm parameters appended to a regular URL. The next step up is a branded short link that redirects through your domain, logging the click before forwarding the user. The most invasive version is a per-recipient unique link, where each individual email contains a slightly different URL that resolves to the same destination but ties the click to a specific person.
What every level genuinely captures, with no inference: total clicks, click-through rate by campaign, the destination's referrer-based attribution, country and device class from the redirect's HTTP headers (without storing the IP), and the time of click. That's already enough to answer the questions most senders actually have: did this campaign work, which message in this drip earned the most attention, which device class converts higher.
What the per-recipient unique-slug variant adds: which individual person clicked, how many times, in what order, with what gap between clicks. This is the data marketers tend to ask for and recipients tend to dislike when they realise it exists.
What clicks don't tell you
A click measures a decision. It doesn't measure conviction, attention, or intent. The visitor who clicked because they were curious, the visitor who tapped accidentally on mobile, the security gateway scanner that pre-fetches every link in a corporate inbox — they all show up the same way in your dashboard.
Three confounders to keep in mind:
- Link-scanning gateways. Microsoft Defender, Mimecast, Proofpoint, Barracuda — all rewrite outbound URLs in corporate emails through their own scanning proxy. Some pre-fetch the destination to check for malware. The effect: you'll see clicks that no human ever made, often within seconds of delivery, sometimes from datacentre IPs in unrelated countries. They inflate raw click counts and skew geography.
- Pre-fetchers and previewers. iMessage and Slack preview links before the user clicks. Some browsers prefetch hovered links. Email clients with "show preview" features hit URLs before the recipient opens the message.
- The same person tapping twice. Mobile users tap by accident; desktop users open in a new tab and forget. Without per-session deduplication, your "click" count is really an "interaction event" count.
A reasonable click dashboard reports both numbers separately: total clicks (including bots and re-taps) and unique sessions (distinct human-shaped visitors). If your tooling only shows the first number, suspect the geography stats and the time-of-day patterns.
Open pixels are a different beast
The open pixel — a 1×1 invisible image hosted on the sender's server, embedded in the HTML email — is the canonical way of "measuring opens." It works by exploiting the fact that loading the email triggers an image request to the server, which logs the load.
It's also been broken for years.
The pre-fetch model has spread. Gmail caches images through its own proxy, masking the recipient's IP and timing. Outlook on Office 365 routes images through Microsoft's CDN. Privacy-focused clients like ProtonMail and Hey block remote images by default. The result: open rates measured by pixel are heavily biased toward the few clients that still deliver honest signal, and the measurement gets less reliable every year.
Worse for the marketer: the pixel can't tell you whether the human read anything. It only tells you whether the email client loaded the image — which now happens automatically on most clients regardless of human attention. The metric you're paying for measures something you no longer care about.
Clicks survive this because they require an actual decision. A pre-fetcher might pre-load the page, but the link itself records "someone (or something) hit it" — a real navigation event with stronger semantic content than "an inbox somewhere loaded an image."
The privacy line — and why clicks usually stay on the right side
The reasonable test: is the recipient's expectation aligned with what your tracking captures?
A subscriber who signed up for your newsletter expects you to know whether they read it and whether they clicked. They don't necessarily expect you to know which device they used, what city they're in, or that they re-clicked the same link three weeks later from a different timezone. You can capture all of that — the question is whether you should, and whether your privacy policy is honest about it.
Two practical principles worth holding on to:
- Aggregate data is honest. Per-person profiles are a stretch. Knowing 12% of subscribers clicked a link tells you about your campaign. Knowing that subscriber Y clicked at 11:47 pm from a Toronto IP, then again from Lisbon two weeks later, is reconstruction of someone's life from a marketing channel they signed up for to read content. The first is measurement; the second is dossier-building.
- Disclose what you collect. GDPR, CCPA, and the various follow-on laws all converge on the same idea: tell people what you're doing, give them an easy way out, and don't pretend the analytics are something they're not. A privacy policy that says "we use industry-standard tracking" is closer to a lie than a disclosure.
"Clicks are measurement. Opens are surveillance. Per-recipient unique slugs are a choice — make it consciously, and tell people you made it."
The Linked.Codes editorial team
How branded short links compare to email-platform tracking
Most email platforms (Mailchimp, Campaign Monitor, ConvertKit, Beehiiv) ship with their own click-tracking. They wrap your URLs through their domain on send — mailchi.mp/abc123 redirects to your real destination. The recipient sees the wrap when they hover; the platform owns the click data.
Branded short links flip this. Your URLs go through your own domain — go.youragency.com/may-promo — and the click data lands in your own dashboard. Three benefits:
- Trust. Recipients see your brand in the link, not a generic redirector. Click-through rates measurably improve when the wrap looks like the sender. The domain-trust effect on short links is the easiest deliverability and CTR gain you'll find.
- Portability. If you switch email platforms next year, your tracking data, slug history, and analytics stay with you. Platform-owned wraps die when you leave the platform.
- Privacy control. You decide what gets logged. The platform's wrap captures whatever the platform's lawyers approved; yours captures whatever your privacy policy promises.
The trade-off: you maintain the redirect infrastructure. For most senders, a self-hosted or branded short-link service covers this in one product without adding ongoing operational work.
A practical risk-checker
If you're not sure whether your current email tracking sits on the friendly or creepy side of the line, run through the widget below. It's not legal advice — it's a sanity check.
This isn't a regulator's checklist — it's a starting point for a conversation with whoever signs off on your privacy policy. The combinations that score high get scrutinised; the ones that score low usually don't even register as a complaint.
What's legal where (loosely)
Three jurisdictional notes, simplified:
- GDPR (EU + UK) treats anything that can identify a person as personal data — including IP addresses (under the right circumstances) and per-recipient unique URLs that link back to a known address. Tracking that doesn't have a lawful basis (consent or legitimate interest with disclosure) is a problem.
- CCPA / CPRA (California) focuses on the right to know and delete. If you're profiling Californians, you have to disclose and let them opt out. Click-tracking on its own usually flies; per-person dossiers usually don't.
- CAN-SPAM (US federal) is mostly about identifying the sender and offering unsubscribe. Tracking is largely unregulated at the federal level, but state laws (especially California) layer on top.
If your audience is global, the practical bar is "GDPR-aligned" because that's the strictest. Disclose what you log, log only what you need, give people a one-click way out.
Are open pixels worth using at all in 2026?
For most senders, no. Apple Mail Privacy Protection prefetches images on every iCloud-routed email, Gmail caches images server-side, and privacy-first clients block remote images by default. The signal you get is heavily biased and increasingly noisy. Click-rate is now the more honest engagement metric.
Is per-recipient unique-slug tracking always over the line?
Not always. For transactional emails (password resets, receipts, magic links) it is expected and useful. For broadcast newsletters, it tends to surprise recipients in a bad way. The test is whether your recipient would be uncomfortable seeing what you have on them — when in doubt, aggregate.
Do I need consent to log a click?
Under GDPR, processing IP addresses to log a click can require a lawful basis. Logging country and device class (without storing IP) usually qualifies as legitimate interest with disclosure. If you store the IP itself or tie clicks to known individuals, you are closer to needing explicit consent. National regulators interpret this differently — when in doubt, ask a lawyer.
How do email security gateways skew my click numbers?
Microsoft Defender, Mimecast, Proofpoint, and similar tools pre-fetch links in corporate emails to scan for malware. The effect: clicks within seconds of delivery from datacentre IPs in unrelated countries, sometimes for every link in the message. Filter "clicks within 30 seconds of send" or "from known datacentre ranges" to get closer to human clicks.
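The filter described in this answer, combined with the two-number dashboard from the section on what clicks don't tell you, as an added example (not Linked.Codes' code). The 30-second window comes from the text; the datacentre ranges are placeholder documentation blocks, and the opaque visitor key and 30-minute session gap are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

PREFETCH_WINDOW = timedelta(seconds=30)  # "clicks within 30 seconds of send"
SESSION_GAP = timedelta(minutes=30)      # assumption: re-taps inside this gap are one session
# Placeholder ranges (RFC 5737 documentation blocks); substitute the
# datacentre / scanner ranges you actually maintain.
DATACENTRE_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

def looks_automated(sent_at: datetime, clicked_at: datetime, ip: str) -> bool:
    """Run at redirect time, so only the boolean has to be kept, not the IP."""
    addr = ip_address(ip)
    too_fast = clicked_at - sent_at <= PREFETCH_WINDOW
    return too_fast or any(addr in net for net in DATACENTRE_NETS)

def summarise(clicks) -> dict:
    """clicks: iterable of (clicked_at, visitor_key, automated_flag) tuples."""
    total = automated = sessions = 0
    last_seen = {}
    for ts, visitor, flagged in sorted(clicks):
        total += 1
        if flagged:
            automated += 1
            continue
        prev = last_seen.get(visitor)
        if prev is None or ts - prev > SESSION_GAP:
            sessions += 1  # first tap, or a return after a long gap
        last_seen[visitor] = ts
    return {"total": total, "automated": automated, "unique_sessions": sessions}

# Constructed sample: one send at 09:00 and seven redirect hits (not real traffic).
SENT_AT = datetime(2026, 5, 4, 9, 0, 0)
RAW = [
    ("09:00:04", "192.0.2.10", "gw"),      # gateway pre-fetch, seconds after send
    ("09:00:05", "192.0.2.10", "gw"),
    ("09:12:00", "198.51.100.20", "scan"), # late hit from a listed range
    ("09:15:00", "203.0.113.5", "v1"),
    ("09:15:03", "203.0.113.5", "v1"),     # accidental double tap
    ("11:40:00", "203.0.113.5", "v1"),     # same visitor, new session
    ("09:20:00", "203.0.113.77", "v2"),
]

def demo() -> dict:
    clicks = []
    for hms, ip, visitor in RAW:
        ts = datetime.strptime("2026-05-04 " + hms, "%Y-%m-%d %H:%M:%S")
        clicks.append((ts, visitor, looks_automated(SENT_AT, ts, ip)))
    return summarise(clicks)
```

The 30-second rule also discards the occasional very fast human, which is why the summary keeps the raw total alongside the filtered figures.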
What's the safest, least-creepy version of email click tracking?
Branded short link on your own domain, aggregate counters only, no per-recipient slugs, no open pixel, country and device class derived from headers without storing IP, with a privacy policy that describes exactly that. Most of the marketing signal recipients tolerate, almost none of the surveillance.
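A sketch of the logging step for the setup described in this answer and in the earlier section on what link tracking measures, as an added example that is not Linked.Codes' own code. It assumes an edge or CDN that injects a country header (Cloudflare's `CF-IPCountry` is used here), day-level time granularity, and a hypothetical `record_click` helper called from the redirect handler.

```python
from collections import Counter
from datetime import datetime, timezone

# Assumption: the edge/CDN in front of the redirect injects a country code.
# Cloudflare's header is CF-IPCountry; use whatever your edge sets.
COUNTRY_HEADER = "cf-ipcountry"

def device_class(user_agent: str) -> str:
    """Coarse bucket from User-Agent; the raw string is never stored."""
    ua = user_agent.lower()
    if not ua or any(t in ua for t in ("bot", "crawler", "spider", "curl")):
        return "automated"
    if "ipad" in ua or "tablet" in ua:
        return "tablet"
    if "mobi" in ua or "iphone" in ua:
        return "mobile"
    return "tablet" if "android" in ua else "desktop"

def record_click(counters, slug, headers, remote_ip, now):
    """Bump one aggregate counter and return its key.

    remote_ip is what the handler has in hand at redirect time; it is
    deliberately not written anywhere.
    """
    h = {k.lower(): v for k, v in headers.items()}
    country = h.get(COUNTRY_HEADER, "").upper()
    if not (len(country) == 2 and country.isascii() and country.isalpha()):
        country = "ZZ"  # unknown or non-country value
    # Assumption: day granularity is enough for campaign reporting.
    day = now.astimezone(timezone.utc).strftime("%Y-%m-%d")
    key = (slug, day, country, device_class(h.get("user-agent", "")))
    counters[key] += 1
    return key

# Constructed sample requests (not real traffic); IPs are documentation ranges.
SAMPLE = [
    ("may-promo", {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148", "CF-IPCountry": "ca"}, "203.0.113.7"),
    ("may-promo", {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "CF-IPCountry": "PT"}, "198.51.100.9"),
    ("may-promo", {"User-Agent": "curl/8.4.0"}, "192.0.2.44"),
]

def demo() -> Counter:
    counters = Counter()
    now = datetime(2026, 5, 4, 23, 47, tzinfo=timezone.utc)
    for slug, headers, ip in SAMPLE:
        record_click(counters, slug, headers, ip, now)
    return counters
```

Because the slug is shared by every recipient and the counter key holds no address or visitor identifier, nothing in the stored data can be tied back to an individual.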
Do recipients know about per-recipient tracking when it happens?
Most don't. Hovering the link reveals a non-obvious slug, but few people inspect URLs. The practical test isn't "could they figure it out" but "would they be uncomfortable if they did." If yes, your privacy policy needs to disclose it explicitly, not bury it in "industry-standard analytics" language.
Will my deliverability suffer if I drop tracking?
No. Deliverability depends on sender reputation, content, and authentication (SPF, DKIM, DMARC) — not on tracking. Some senders see better deliverability after dropping pixels because privacy-focused clients no longer flag the message. Branded short links can actively help by aligning the visible URL with the sender domain.