Robert Gregory
Rob is an experienced commercial lawyer who advises Australian and international public, private and for‑purpose clients across education, technology, media, telecommunications and consumer law.
View profileOAIC determinations highlight the privacy risks of tracking pixels and reinforce organisations’ obligations when collecting personal or sensitive information online.

For many organisations, tracking technologies are a routine component of digital marketing, used to measure website traffic, analyse user behaviour and support targeted advertising.
The recent Office of the Australian Information Commissioner (OAIC) investigations into Medmate Australia Pty Ltd (Medmate) and Monash IVF Pty Ltd (Monash IVF) (determinations) provide regulatory insight into the use of tracking pixels in Australia.
These investigations, culminating in determinations published in June 2026, clarify how the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) apply to the deployment of tracking technologies.
A tracking pixel is a piece of code generated by a third-party provider and embedded within an organisation’s website to collect information about user activity. This may include information such as an IP address, URL information or a hashed email address.
When a user visits a website containing a tracking pixel, the pixel loads and sends certain data to the third-party provider’s server.
Tracking pixels are commonly used for website analytics, digital advertising and campaign measurement.
For example, organisations may use tracking pixels such as the Meta Pixel, Google Analytics tags or the LinkedIn Insight Tag to understand how users interact with their website, assess the effectiveness of advertising campaigns and retarget users who have previously visited particular webpages.
Organisations may have obligations under the Privacy Act where tracking pixels result in the collection, use or disclosure of personal or sensitive information.
‘Personal information’ is broadly defined in the Privacy Act to be information or an opinion about an identified individual, or an individual who is reasonably identifiable.
The determinations demonstrate that OAIC’s view is that information may constitute personal information even where it does not identify an individual by name or hold direct identifiers such as a passport number, driver licence number or date of birth.
The Privacy Commissioner (Commissioner) opined that an individual may be “reasonably identifiable” where information permits an organisation to single out or distinguish that individual from others in a way that affects their rights or interests.
In both determinations, the organisations submitted that they could not identify individuals from the information collected by tracking pixels. However, despite apparently accepting these submissions in each determination, tracking pixel data was found to be personal information because it recorded logged-in users’ interactions with websites and might be matched with information held by third-party platforms, enabling those individuals to be identifiable.
This demonstrates that, in practice, the OAIC takes a very broad view of when information collected by tracking pixels or similar technologies is “reasonably identifiable” of an individual, so as to bring it within the core definition of “personal information”.
The Commissioner acknowledges in both determinations that there is little judicial consideration of the definitions of personal information, but drew on the Australian Law Reform Commission 2008 report to support this very broad interpretation of when an individual is “reasonably identifiable”.
Types of information collected by tracking pixels that may constitute personal information include:
Additionally, ‘sensitive information’ is a subset of personal information and includes information or opinions about matters such as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record and health information.
Sensitive information is afforded a higher level of protection under the APPs than personal information. In particular, an organisation must generally not collect sensitive information unless the individual has provided consent and the collection is reasonably necessary for the organisation's functions or activities, unless a specific exception applies.
Depending on the context, information collected through tracking pixels may also allow inferences to be drawn about an individual, including inferences about sensitive matters such as health status or medical treatment and therefore may constitute sensitive information.
In the determinations, the Commissioner considered the use of tracking pixels offered by social media platforms and the heightened privacy risks associated with user matching, profiling and targeted advertising.
The determinations make clear OAIC’s expectation that organisations deploying third party tracking pixels remain responsible for ensuring that those technologies are configured and used consistently with the Privacy Act and the APPs.
This requires organisations to understand how the relevant pixel operates in practice, assess whether the information collected constitutes personal information or sensitive information, and implement measures to mitigate the associated privacy risks and to comply with the Australian Privacy Principles (APPs).
In both investigations, the Commissioner found that pixel generated data collected through health related websites could reveal, or permit inferences to be drawn about, users’ health status.
In the Medmate investigation, this arose from users’ interactions with a telehealth platform, including information about services accessed or medications sought. In the Monash IVF investigation, it arose from users’ interactions with fertility related webpages, which could reveal or support inferences about reproductive health and personal circumstances.
On that basis, the Commissioner found Medmate and Monash IVF’s conduct to be inconsistent with the requirements of the Privacy Act and the APPs.
In response to the Commissioners findings, organisations should consider whether their use of these technologies complies with the Privacy Act and the APPs. This may include:
Maddocks can assist organisations by reviewing and updating privacy policies, preparing collection notices and privacy impact assessments, identifying gaps in privacy compliance, advising on broader obligations under the Privacy Act and the APPs and assisting with the review and negotiation of agreements with providers.
Please reach-out to our team to find out more.
Rob is an experienced commercial lawyer who advises Australian and international public, private and for‑purpose clients across education, technology, media, telecommunications and consumer law.
View profileGeorgia is an experienced commercial lawyer advising government, professional services and education organisations.
View profileKeep up to date with our legal insights and events
Sign upTargeted changes are now in place for approvals, strategic assessments, information sharing and advisory processes.
The Court addressed the proper approach to assessing both economic and cultural loss.
In June, the Attorney-General tabled the Australian Law Reform Commission’s Final Report...
Participation requires much more than a legal response.
Partner
Sector Leader - Education
Melbourne