Legal Insights

Pixelated privacy: Key obligations for organisations using tracking technologies

By
• 09 July 2026 • 7 min read

OAIC determinations highlight the privacy risks of tracking pixels and reinforce organisations’ obligations when collecting personal or sensitive information online.

For many organisations, tracking technologies are a routine component of digital marketing, used to measure website traffic, analyse user behaviour and support targeted advertising. 

The recent Office of the Australian Information Commissioner (OAIC) investigations into Medmate Australia Pty Ltd (Medmate) and Monash IVF Pty Ltd (Monash IVF) (determinations) provide regulatory insight into the use of tracking pixels in Australia. 

These investigations, culminating in determinations published in June 2026, clarify how the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) apply to the deployment of tracking technologies.

What is a tracking pixel?

A tracking pixel is a piece of code generated by a third-party provider and embedded within an organisation’s website to collect information about user activity. This may include information such as an IP address, URL information or a hashed email address.

When a user visits a website containing a tracking pixel, the pixel loads and sends certain data to the third-party provider’s server.

Tracking pixels are commonly used for website analytics, digital advertising and campaign measurement. 

For example, organisations may use tracking pixels such as the Meta Pixel, Google Analytics tags or the LinkedIn Insight Tag to understand how users interact with their website, assess the effectiveness of advertising campaigns and retarget users who have previously visited particular webpages.

How does this intersect with your organisation’s privacy obligations?

Organisations may have obligations under the Privacy Act where tracking pixels result in the collection, use or disclosure of personal or sensitive information.

‘Personal information’ is broadly defined in the Privacy Act to be information or an opinion about an identified individual, or an individual who is reasonably identifiable. 

The determinations demonstrate that OAIC’s view is that information may constitute personal information even where it does not identify an individual by name or hold direct identifiers such as a passport number, driver licence number or date of birth. 

The Privacy Commissioner (Commissioner) opined that an individual may be “reasonably identifiable” where information permits an organisation to single out or distinguish that individual from others in a way that affects their rights or interests.

In both determinations, the organisations submitted that they could not identify individuals from the information collected by tracking pixels. However, despite apparently accepting these submissions in each determination, tracking pixel data was found to be personal information because it recorded logged-in users’ interactions with websites and might be matched with information held by third-party platforms, enabling those individuals to be identifiable. 

This demonstrates that, in practice, the OAIC takes a very broad view of when information collected by tracking pixels or similar technologies is “reasonably identifiable” of an individual, so as to bring it within the core definition of “personal information”.

The Commissioner acknowledges in both determinations that there is little judicial consideration of the definitions of personal information, but drew on the Australian Law Reform Commission 2008 report to support this very broad interpretation of when an individual is “reasonably identifiable”.

Types of information collected by tracking pixels that may constitute personal information include:

  • geolocation data; 
  • transaction data such as items viewed and added to cart;
  • information included on online forms including name, address, date of birth, email address and phone number;
  • device information; 
  • website URL (containing information about the page you visited); and
  • activity such as pages visited, content viewed and time spent on a website.

Additionally, ‘sensitive information’ is a subset of personal information and includes information or opinions about matters such as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record and health information. 

Sensitive information is afforded a higher level of protection under the APPs than personal information. In particular, an organisation must generally not collect sensitive information unless the individual has provided consent and the collection is reasonably necessary for the organisation's functions or activities, unless a specific exception applies.

Depending on the context, information collected through tracking pixels may also allow inferences to be drawn about an individual, including inferences about sensitive matters such as health status or medical treatment and therefore may constitute sensitive information.

What guidance has been provided on the use of tracking pixels?

In the determinations, the Commissioner considered the use of tracking pixels offered by social media platforms and the heightened privacy risks associated with user matching, profiling and targeted advertising. 

The determinations make clear OAIC’s expectation that organisations deploying third party tracking pixels remain responsible for ensuring that those technologies are configured and used consistently with the Privacy Act and the APPs. 

This requires organisations to understand how the relevant pixel operates in practice, assess whether the information collected constitutes personal information or sensitive information, and implement measures to mitigate the associated privacy risks and to comply with the Australian Privacy Principles (APPs).

In both investigations, the Commissioner found that pixel generated data collected through health related websites could reveal, or permit inferences to be drawn about, users’ health status. 

In the Medmate investigation, this arose from users’ interactions with a telehealth platform, including information about services accessed or medications sought. In the Monash IVF investigation, it arose from users’ interactions with fertility related webpages, which could reveal or support inferences about reproductive health and personal circumstances. 

On that basis, the Commissioner found Medmate and Monash IVF’s conduct to be inconsistent with the requirements of the Privacy Act and the APPs.

What can your organisation do to manage privacy risks?

In response to the Commissioners findings, organisations should consider whether their use of these technologies complies with the Privacy Act and the APPs. This may include:

  • Documenting business need: To address community expectations and potential concerns about the use of tracking technology, ensure that a benefit/risk analysis has been conducted to demonstrate whether the use of the relevant technology can be justified as reasonable and necessary for the agency to carry out its functions and activities;
  • Transparency and collection notice: ensuring privacy policies and collection notices clearly describe the use of tracking pixels, including how personal information and sensitive information is collected, used and disclosed;
  • Consent: assessing whether the use of tracking pixels may result in the collection or disclosure of sensitive information, and ensuring consent is obtained;
  • Third-party provider due diligence: reviewing agreements with third-party pixel providers to understand how personal information is handled, whether it is used for the provider’s own purpose, and what safeguards are in place to protect that information; and
  • Privacy impact assessments: ensuring a privacy impact assessment is undertaken, particularly where tracking technologies are introduced or used in a way that may involve new or increased privacy risks.

Maddocks can assist organisations by reviewing and updating privacy policies, preparing collection notices and privacy impact assessments, identifying gaps in privacy compliance, advising on broader obligations under the Privacy Act and the APPs and assisting with the review and negotiation of agreements with providers.

Do you have any questions for us?

Please reach-out to our team to find out more.

Robert Gregory

Rob is an experienced commercial lawyer who advises Australian and international public, private and for‑purpose clients across education, technology, media, telecommunications and consumer law.

View profile

Georgia Hunt

Georgia is an experienced commercial lawyer advising government, professional services and education organisations.

View profile
By

Recent articles

Online Access