Loading ...

Not just marketing. It’s personal. OAIC’s warning

The Office of the Australian Information Commissioner (OAIC) has brought renewed attention to a risk that many organisations have historically treated as marginal: the use of third party tracking pixels.  As reflected in the recent OAIC report ‘Your life, pixelated: how tracking pixels watch your every click’ and the regulator’s recent determinations against Medmate and Monash IVF, there has been a clear shift in how Australian privacy law approaches online data collection.

At its core, the OAIC’s message is direct and confronting: tracking pixels are not simply benign analytics tools. Where deployed in contexts that reveal sensitive information - particularly health-related environments - they can amount to the collection and disclosure of sensitive information requiring consent. 

This reframing has implications well beyond healthcare. It changes how organisations must assess digital data practices across their entire customer interface.

What are tracking pixels?

A tracking pixel is a small piece of code embedded within a website, typically used for marketing and analytics purposes. When implemented, these pixels can be configured to capture a wide range of user activity like URLs visited, search terms, button clicks, timestamps, items added to a cart, and device data.  This data is often then transmitted to external platforms, including social media companies, for profiling and targeted advertising.

Unlike cookies, tracking pixels are not easily controlled by users. While cookies can be deleted or blocked through browser settings, tracking pixels are built into the underlying code of a webpage and are not visible to users. As a result, they are harder to detect and avoid, and, without specialised tools, most individuals are unlikely to realise that their activity on a website is being tracked in this way.

Technical data or personal narrative?

While the data captured by tracking pixels is very technical in nature and is not usually considered to be ‘personal information’, a central theme running through the OAIC’s report is that the character of data cannot be assessed in isolation. 

In the context of healthcare or other sensitive services, this data can reveal “incredibly intimate details” about an individual’s life. A search for anxiety support, a visit to a fertility treatment page, or the addition of medication to an online cart may indirectly disclose health conditions, vulnerabilities or personal circumstances. 

The determinations against Medmate and Monash IVF make it clear that a contextual analysis is required when using tracking pixels. A page view is no longer neutral. It becomes a signal about the individual behind the screen.  

The key question is no longer limited to what data is collected at a technical level. It is what that data reveals when viewed in context.

Familiar tools, surprising consequences

The Medmate and Monash IVF determinations demonstrate how common digital marketing practices can give rise to serious privacy risk. Both organisations used third party tracking pixels that transmitted user activity to social media platforms, enabling targeted advertising based on interactions with health related content. 

What is alarming is not the technology itself, but how widely it is used. These tools are embedded across standard digital marketing ecosystems. The regulatory concern arises not from the technology per se, but from the nature of the data that can be inferred from its use and the lack of appropriate consent.

Rethinking ‘personal information’

The OAIC’s approach reflects a broader conception of sensitive information than many organisations currently apply. Even where data is hashed or individuals are not directly identified, it may still be personal (and sensitive) if it can be linked or used to single out an individual. 

Browsing data can become personal where it is associated with a user’s profile or can be matched with other information held by third parties.

This undermines a common industry assumption - that technical safeguards such as hashing or pseudonymisation remove privacy risk. The OAIC’s position is that these measures do not eliminate the possibility of identification or targeting, particularly in an ecosystem where platforms already hold extensive user data.

It is no longer enough to focus on direct identifiers; behavioural and inferred data must be treated with equal seriousness.

Systemic governance failures

The OAIC’s inspection of 50 health service provider websites, which culminated in the report and the determinations against Medmate and Monash IVF, revealed systemic governance shortcomings. While 96% of websites investigated used tracking pixels, many organisations were not aware of all the tracking pixels operating on their websites, often due to outsourcing or fragmented responsibilities between marketing, IT and privacy functions. 

More significantly, none of the organisations examined in detail had conducted a privacy impact assessment before deploying tracking pixels. 

These findings point to a broader issue - tracking technologies have typically been treated as low risk marketing tools rather than as mechanisms of regulated data collection. As a result, they have often been implemented without appropriate scrutiny or oversight.

This is not simply a compliance gap. It is a governance design issue requiring structural change in how digital tools are evaluated and controlled.

A clear regulatory signal

The OAIC’s investigation into the use of tracking pixels in the healthcare sector and its subsequent targeted enforcement against Medmate and Monash IVF signals a clear regulatory direction. The OAIC is moving from guidance to active scrutiny, particularly where technologies are widely used, poorly understood and capable of producing significant harm.

Practical implications for business

The OAIC’s report and determinations provide a clear roadmap for organisations seeking to manage this risk.

  1. Reassess whether tracking pixels should be used at all: Where a website or service inherently reveals sensitive information—such as health, mental health or other vulnerable contexts—organisations should consider whether third party tracking pixels are appropriate in the first place.

  2. Map and understand the tracking environment: Organisations should identify all tracking technologies in use, understand the data collected and determine where that data is sent and how it is used, including any overseas flows.

  3. Strengthen governance and oversight: Tracking technologies should be treated as regulated data collection infrastructure, requiring involvement from legal, privacy and risk functions, as well as ongoing monitoring and review.

  4. Improve transparency and consent mechanisms: Clear disclosure and robust consent processes are essential, particularly where sensitive information may be involved.

  5. Apply data minimisation principles: Organisations should actively limit the data collected and ensure that tracking technologies are configured appropriately, rather than relying on default settings. 

Conclusion

The OAIC’s work ultimately represents a broader recalibration of privacy risk in a digital environment. It can no longer be assumed that technical data is low risk - modern data practices operate within a complex ecosystem where seemingly benign technologies can produce significant privacy impacts for individuals.

For Australian organisations, the practical consequence is clear. Tracking pixels can no longer be treated as a peripheral marketing issue. Consideration must be given to whether their use aligns with the organisation’s broader risk appetite, governance frameworks and obligations to protect individuals’ privacy. 

Author: Michael Cossetto

 

This publication is intended as a source of information only. No reader should act on any matter without first obtaining professional advice.