Recent Privacy Commissioner decisions make it clear: any organisation using tracking pixels for analytics or marketing may be collecting personal (and potentially sensitive) information. This raises compliance obligations, beyond the health sector.
Every organisation that conducts digital marketing activities should be carefully reviewing the guidance, and considering whether broader review of its use of pixels is warranted (particularly when combined with sensitive information).
Tell me in a minute
The Privacy Commissioner (the Commissioner) has issued two significant privacy determinations[1], along with an accompanying standalone report, on the use of tracking pixels.
The determinations and report reflect a potentially wide-ranging approach by the Commissioner to the regulation of targeted advertising and online tracking technologies. If the Commissioner’s interpretations of the Privacy Act set out in the determinations are correct, the impact on any organisation involved in digital marketing in Australia could be dramatic.
[1] Commissioner Initiated Investigation into Monash IVF Pty Ltd (Privacy) [2026] AICmr 40 and Commissioner Initiated Investigation into Medmate Australia Pty Ltd (Privacy) [2026] AICmr 41.
While the determinations and report were limited to health service providers (and so more likely involved the handling of sensitive information requiring consent to collect), the approach to whether an individual is ‘reasonably identifiable’ for the purposes of the definition of personal information is not limited to healthcare.
According to the determinations, individuals need not be identified by name to be ‘reasonably identifiable’: it is sufficient that information enables an organisation to ‘single out’ or ‘distinguish’ an individual from others in a way that affects their rights or interests. Further, an organisation need not possess such information itself, or link it to its own identifiable customers: it is sufficient in the Commissioner’s view if the organisation arranges for such individualised information to be provided directly to a digital advertising platform.
While the Commissioner’s guidance has long referred to targeted advertising using personal information as a form of ‘direct marketing’ for the purposes of APP 7, this is the first time the Commissioner has reflected that guidance in enforcement activity, which raises a host of difficult questions about how the provisions of APP 7 apply in practice. Many of those questions were also raised as part of the Privacy Act review process and could potentially be addressed by further amendments to the Privacy Act.
In each of these recent privacy determinations, Monash IVF and Medmate were found to have breached Australian Privacy Principles by collecting sensitive health information via tracking pixels without consent, failing to notify individuals of their collection of this information, and using the information for direct marketing.
Whether these decisions will be appealed remains to be seen.
We unpack these determinations further below. Reach out to your Mallesons contact if you have questions and would like to understand how these changes may impact your business.
'Of particular concern – many organisations we engaged with were not aware of all the tracking pixels on their websites. It was evident that there is often a separation from marketing areas of a business with privacy focussed teams, or an outsourcing of marketing responsibilities.'
'If your website uses and deploys tools like tracking pixels, it is your responsibility to ensure it is used in a way that is compliant with the Privacy Act. Non-compliance can have serious consequences for individuals using your service – and for your business.'
- OAIC, ‘Your life, pixelated: how tracking pixels watch your every click’, 24 June 2026
Tracking pixels 101
The OAIC conducted an extensive research exercise into the use of tracking pixels. We’ve summarised its findings and explanation of the technology below.
A tracking pixel is a small, typically 1×1 transparent image or JavaScript code snippet embedded in websites, emails, or digital advertisements. By design, tracking pixels are ‘invisible’ to individuals, meaning users are often unaware that their data is being collected and their activity tracked.
When a user visits a webpage containing a tracking pixel, their browser triggers a request to the pixel provider's server, transmitting data about the user's activity. The pixel provider then records this information in its server log files.
In their most basic form, tracking pixels collect ‘Base Pixel Data’ including URLs visited, timestamps, language settings, IP address, device, and browser information. Advanced configurations can collect more granular data, including form inputs (names, emails, phone numbers), items viewed, cart additions, search terms, and button clicks.
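As an added example (not code from the OAIC report, the determinations or any pixel provider), the following Python audit parses a page's HTML offline and inventories candidate tracking pixels: third-party scripts, iframes and images, plus any 1×1 image, together with the decoded query parameters each pixel URL transmits (the page URL, event name and similar Base Pixel Data). The sample page, its hosts (clinic.example.test, example-adtech.test) and the query keys `ev` and `dl` are constructed for illustration only.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

class PixelAuditor(HTMLParser):
    """Records third-party <script>/<iframe>/<img> loads and any 1x1 image, with
    the query parameters each request carries, i.e. what the pixel transmits."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def is_third_party(self, url):
        host = (urlparse(url).hostname or "").lower()
        if not host:                      # relative URL: served by the site itself
            return False
        return host != self.first_party and not host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if not src or tag not in ("img", "script", "iframe"):
            return
        one_by_one = a.get("width") == "1" and a.get("height") == "1"
        third_party = self.is_third_party(src)
        if tag == "img" and not (one_by_one or third_party):
            return                        # ordinary first-party image
        if tag != "img" and not third_party:
            return                        # the site's own script or frame
        parsed = urlparse(src)
        self.findings.append({
            "tag": tag,
            "host": parsed.hostname or self.first_party,
            "third_party": third_party,
            "one_by_one": one_by_one,
            # decoded query string: page URL, event name etc. sent to the provider
            "transmits": {k: v[0] for k, v in parse_qs(parsed.query).items()},
        })

def audit_page(html, first_party_host):
    auditor = PixelAuditor(first_party_host)
    auditor.feed(html)
    return auditor.findings

def third_party_hosts(findings):
    return sorted({f["host"] for f in findings if f["third_party"]})

# Constructed sample page for a hypothetical clinic site; hosts and query keys are invented.
SAMPLE_HTML = """<html><body>
<img src="/static/logo.png" width="200" height="60">
<script src="/static/app.js"></script>
<script src="https://analytics.example-adtech.test/tag.js"></script>
<noscript><img height="1" width="1" style="display:none"
  src="https://pixel.example-adtech.test/tr?ev=PageView&dl=https%3A%2F%2Fclinic.example.test%2Ffertility%2Fegg-freezing"></noscript>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "clinic.example.test"):
        print(finding)
```

Running it on the sample reports the two third-party hosts the page contacts and shows that the pixel request carries the full URL of the page visited, which is the data the determinations treat as revealing health information.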
Tracking pixels are primarily used for:
- analysing website traffic and user behaviour
- targeting advertisements to individual users on third-party platforms
- measuring advertising campaign success and
- retargeting individuals with relevant advertising.
Tracking pixels are extraordinarily widespread across the world. The most widely deployed tracking pixel is active on over 2 million domains worldwide. Major providers include social media platforms and search engines.
An OAIC inspection of 50 Australian healthcare provider websites found that 96% used tracking technologies, with 52% using a third-party tracking pixel. Concerningly, 77% of those using tracking pixels did not disclose this in their privacy policies.[2]
[2] OAIC, Your life, pixelated: how tracking pixels watch your every click, 24 June 2026.
The Commissioner’s investigations
On 11 June 2026, Commissioner Carly Kind handed down two determinations arising from the Commissioner's recent investigations into the use of tracking pixels by health service providers. Both investigations were launched on 9 December 2024, following the OAIC's publication of guidance on tracking pixels on 4 November 2024 and a preliminary scan by the OAIC of 50 health service provider websites.
The first determination focused on Monash IVF, which provides fertility services and treatments across Australia. The Commissioner found that it had deployed seven different tracking pixels (Meta, Google Ads, Google Analytics 4, Matomo, Jet Interactive, Hotjar, and Pinterest) on its website from as early as 30 July 2012 through to 9 December 2024.
The second determination focused on Medmate Australia Pty Ltd, which provides telehealth consultations, online prescriptions, and other health services. It deployed certain tracking pixels from April 2021 to 9 December 2024, with Advanced Matching enabled on one of those pixel platforms for over three years.
Neither entity conducted a privacy impact assessment before deploying the tracking pixels on its website.
Both entities ran paid advertising campaigns on social media platforms during the relevant periods. Monash IVF ran campaigns primarily on Meta platforms (Facebook and Instagram) and Google Ads, targeting individuals based on their website activity, interests, age range, and location. It also uploaded Custom Audience lists containing customer names, emails, and phone numbers to Meta for retargeting.
Medmate similarly paid for advertising campaigns on Meta platforms and TikTok, creating Custom Audience lists to retarget individuals based on their website interactions such as purchases, cart additions, or checkout initiations.
The legal issues raised
Each of the investigations focused primarily on three of the Australian Privacy Principles (APPs): APP 3 (collection), APP 5 (notification) and APP 7 (direct marketing), as summarised in the table below.
Findings and reasoning of the Commissioner
Medmate and Monash IVF each took the position that they did not collect personal or sensitive information via tracking pixels. The Commissioner rejected this characterisation and made the following identical findings against both respondents:
| APP | Obligation | Finding |
| --- | --- | --- |
| APP 3.3 | Must not collect sensitive information without consent | Neither entity obtained consent, express or implied, for the collection of sensitive information via tracking pixels. The Commissioner rejected each of the entities’ position that they did not collect personal or sensitive information. |
| APP 5.1 | Must take reasonable steps to notify individuals of collection matters | Neither entity adequately notified individuals of the APP 5.2 matters, including the fact that tracking pixels were being used to collect sensitive information, the purposes for which data was collected, and the disclosure of data to pixel providers. The Commissioner found that a privacy policy alone is insufficient; APP 5 requires active, timely notification at or before the point of collection. Medmate’s late implementation of a cookie consent pop-up (active for only 24 days before the investigation commenced) was also found insufficient as it did not specifically reference tracking pixels, Meta or TikTok. Both entities had the resources and technological means to implement notification mechanisms, including ‘consent mode’ functionality offered by pixel providers. |
| APP 7.1 | Must not use sensitive information for direct marketing without consent | Both entities used tracking pixels to retarget advertising to individuals based on their website interactions, which in the Commissioner’s view constituted direct marketing for the purposes of APP 7. Neither entity obtained the consent required under APP 7.4 for the use or disclosure of sensitive information for direct marketing. The Commissioner found that by retargeting individuals with ads based on their online behaviour, both entities used or disclosed sensitive information for direct marketing without consent. |
The Commissioner’s orders
The Commissioner made identical declarations and orders against each of the respondents under section 52(1A) of the Privacy Act:
- Cease and destroy (within 60 days): Stop collecting sensitive information through tracking pixels and destroy all sensitive information held in pixel provider dashboards, to the extent permitted by law.
- Implement before recommencing: Before resuming use of tracking pixels, implement compliant consent mechanisms for collection (APP 3) and direct marketing (APP 7), and take reasonable notification steps (APP 5).
- Report back to the OAIC: Notify the OAIC within 90 days of compliance and again before recommencing use of tracking pixels.
5 key lessons when deploying tracking pixels
You deploy it, you collect it
The Commissioner confirmed that deploying tracking pixels constitutes ‘collection’ of personal information, even though the data is transmitted to and stored on third-party pixel provider servers. The reasoning is that the entity that commissions, deploys and customises the tracking pixel exercises sufficient control and authority over the collection to be treated as the collector.
This finding means that organisations are unable to outsource accountability by arguing that the third-party pixel provider holds the data. If you choose to deploy tracking pixels on your website, you are collecting the information it transmits.
Critically, the determinations do not distinguish between the different levels of ‘identifiability’ the information may have in each party’s hands. For example, even accepting that information transmitted by a pixel is ‘collected’ by the organisation despite being sent directly to, and stored on, a third-party server, it is unclear whether that information is personal information in the organisation’s hands merely because the third-party pixel provider is able to link it to an identifiable individual (when the organisation itself may never do so).
A new test for identifiability: ‘individuation’
The Commissioner has now adopted a more expansive interpretation of ‘reasonably identifiable’, holding that an individual is reasonably identifiable where information permits an entity to single out or distinguish that individual from others in a way that affects their rights or interests. Specifically, the Commissioner states:[3]
'I observe that new technologies provide entities with new ways to affect the privacy of individuals by collecting, using and disclosing a range of types of information. Many of those types of information may historically not have been considered personal information, such as technical identifiers, social media handles, email addresses, or physical characteristics. However, as technology has evolved to make it possible for entities to use such information to track and target individuals, both in online and offline environments, our understanding of “identifiability” has evolved in parallel.'
'In my view, in the current context, the phrase “reasonably identifiable” ought to be interpreted as applying to circumstances where information facilitates “individuation”, that is to say, the information permits an entity to “single out” or “distinguish” an individual from others in a way that affects an individual’s rights or interests. This is supported by the text of s 6 of the Privacy Act, … its legislative context — including the legislative history of the definition — and the purpose of the definition.'
'In part, the purpose of the “identifiability” element of the definition of personal information operates to ensure that the Privacy Act does not capture information about a person in circumstances in which the collecting entity cannot use the information about an individual in any meaningful way that would affect an individual’s rights or interests, for example, by pairing that information with other information. If there is a reasonable prospect that information about an individual held by an entity may be used by the entity to affect that individual’s rights or interests, the information is personal information.' [Emphasis added.]
And then adds:[4]
'I acknowledge that the acts and practices under scrutiny in this matter give rise to potentially novel applications of the term “reasonably identifiable” as they arise in the context of advanced tracking technologies. As with the concept of collect, I consider that this interpretation of “reasonably identifiable” is a logical progression of the legislative interpretation of the Privacy Act. Given that the Privacy Act is a principles-based legislative instrument and the APPs are technology neutral, this interpretation allows concepts to adapt to changing technologies and evolve with the times.' [Emphasis added.]
As this significantly broadens the practical scope of ‘personal information’ under the Privacy Act, the Commissioner’s so-called ‘potentially novel’ application of the term ‘reasonably identifiable’ to advanced tracking technologies will no doubt be debated.
However, this issue is not entirely new. The 2021 Privacy Act Review Discussion Paper originally proposed clarifying when an individual is ‘reasonably identifiable’, but this was not carried through to the review’s Final Report. Instead, the Final Report proposed separate regimes for targeting, direct marketing, and trading in personal information, with the distinction between targeted advertising and direct marketing proving particularly contentious. In fact, a number of industry participants raised questions about the practical implementation of these proposals.
Whilst ‘tranche one’ of the privacy reforms did not address such issues, only time will tell whether a future ‘tranche’ will do so. Until such time, some industry stakeholders may look to obtain greater legislative clarity, given that the Commissioner’s interpretation may present compliance challenges for mainstream digital advertising practices. Whether these determinations prompt renewed calls for statutory reform, or are tested on appeal, remains to be seen.
Privacy Impact Assessments are non-negotiable
Neither Monash IVF nor Medmate conducted a privacy impact assessment (PIA) before deploying any of their tracking pixels. Consistent with our key takeaways from the Bunnings decision, the Commissioner reinforced that PIAs are the mechanism by which organisations identify and mitigate privacy risks associated with new technologies and practices. The failure to conduct one was noted in both determinations.
Any organisation deploying or considering deploying tracking pixels, analytics tools or similar technologies should conduct a PIA as a matter of course, particularly where sensitive information may be involved.
A privacy policy is not a notification
Each of Monash IVF and Medmate relied on their privacy policies as evidence of compliance with APP 5.1 notification obligations. The Commissioner rejected this, emphasising that the obligation to maintain a privacy policy under APP 1 is a separate and distinct obligation from the obligation under APP 5 to take reasonable steps to notify individuals at or before the time of collection.
The OAIC expects active, timely notification — ideally via a banner or pop-up at the point of first interaction with your website — that specifically addresses the use of tracking pixels, the purposes of collection, and disclosure to third parties. Generic cookie consent banners are unlikely to be sufficient, particularly where sensitive information is involved.
OAIC sees targeted ads as direct marketing
For health service providers, the Commissioner found that an individual's engagement with a health website, including the pages visited, reveals health information about that individual, which was sensitive information under sections 6 and 6FA of the Privacy Act. For example, in Monash IVF, visiting pages relating to egg freezing, sperm donation or fertility checks was sufficient to constitute health information.
Alongside these determinations, the Commissioner also published a separate report on the OAIC’s inspection of 50 health service provider websites, titled Your life, pixelated: how tracking pixels watch your every click, which outlines findings, case studies, and recommendations to help individuals and organisations manage the privacy risks of third-party tracking pixels.
Any organisation whose website touches health, wellness, mental health, pharmaceuticals, or other sensitive topics should treat all pixel-captured data as potentially sensitive and apply the appropriate privacy protections and considerations.
Beyond sensitive information
It is important to remember that, while these determinations focus on health sector organisations, the Commissioner’s reasoning applies more broadly. Even where an organisation’s website does not collect sensitive information — and therefore does not require consent under APP 3.3 — obligations under APP 5 (notification) and APP 7 (direct marketing) continue to apply. The OAIC’s guidance confirms that organisations should notify individuals about tracking pixel use at or before the time of collection, ideally via a banner or pop-up. A privacy policy alone is not sufficient.
Similarly, organisations using tracking pixels for targeted advertising must comply with APP 7, including providing individuals with a simple way to opt out. The practical effect is that any organisation using tracking pixels for advertising — whether in health, retail, financial services, or otherwise — must implement appropriate notification mechanisms and opt-out controls.
[3] Commissioner Initiated Investigation into Monash IVF Pty Ltd (Privacy) [2026] AICmr 40 at [71]-[73]. See also Commissioner Initiated Investigation into Medmate Australia Pty Ltd (Privacy) [2026] AICmr 41 at [72]-[74].
[4] Commissioner Initiated Investigation into Monash IVF Pty Ltd (Privacy) [2026] AICmr 40 at [74]. See also Commissioner Initiated Investigation into Medmate Australia Pty Ltd (Privacy) [2026] AICmr 41 at [75].