Invisible tracking tools face privacy crackdown

Published on the 02/07/2026 | Written by Heather Wright


OAIC ruling puts consent at pixel centre…

Australia’s privacy regulator has redrawn the line on online tracking with third-party tracking tools embedded in business websites now under scrutiny.

In its first determination on tracking pixels, the Office of the Australian Information Commissioner (OAIC) has found that two health providers – Medmate Australia and Monash IVF – interfered with user privacy by using the technology to track website visitors and target them with advertising on social media platforms.

“Advanced technology used for tracking and targeted advertising in the online realm still has to be used in compliance with the Privacy Act.”

Privacy Commissioner Carly Kind’s decision establishes that the use of tracking pixels to track website visitors to health-related websites and to subsequently target them with advertising on social media platforms, amounts to a collection of sensitive information for which website providers must obtain users’ consent.

Tracking pixels are small pieces of code provided by third parties – typically platforms like Meta (with Meta Pixel) or TikTok (with its TikTok Pixel, integrated into TikTok Ads Manager, and used either natively or via TikTok partners including Shopify). They’re embedded into webistes to collect data about user activity. When a visitor loads a page, the pixel transmits information about that interaction back to the platform, enabling functions such as campaign measurement, audience profiling and ad targeting. Kind notes tracking pixels can be configured for a variety of purposes, tracking webpages users visit, clicks, what is put into carts and, in some cases, information entered into forms. Unlike cookies, they can’t easily be cleared or blocked entirely.

While such tracking is widely used across sectors, the regulator’s determinations focused on health-related websites, where browsing behaviour can reveal – or allow inferences about – an individual’s health status. This is classified as sensitive information under Australia’s Privacy Act.

The Commissioner found that using pixels in this context to track visitors and retarget them with ads amounted to collecting sensitive information without consent, in breach of privacy obligations.

“Today’s decision establishes that the advanced technology used for tracking and targeted advertising in the online realm still has to be used in compliance with the Privacy Act,” Kind says.

The ruling extends beyond just health, with Kind noting that website providers using tracking pixels to collect any sensitive information, such as data on political opinions, race or ethnicity, as well as health, must obtain consent.

Widespread use, limited disclosure

Alongside the determinations, the OAIC released findings into a ‘scan’ of 50 health service provider websites, highlighting how common the use of tracking pixels has become – and how poorly it is disclosed.

The regulator found that more than half of the sites examined used a third-party tracking pixel, yet 77 percent of those did not mention the technology in their privacy policies.

Overall, 96 percent of the websites used some form of tracking technology.

The OAIC says the results point to a broader issue across the digital ecosystem, where tracking technologies are embedded into websites but remain largely invisible to users.

A deeper dive into 12 websites found 50 percent used more than one tracking pixel provided by social media platforms, with all using Meta’s pixel.

Among the information being sent to the social media platforms was the full URL containing information about the page visited, website searches, button clicks, and device information.

Instances were form fields, including hashed name, address and phone numbers were shared with social media platforms were also observed, enabling matching of information to individuals and their profile, even when they are not logged in.

Despite that, the majority did not disclose use of the pixels or that information was being shared with social media platforms.

In the case of Medmate, a telehealth provider, the company was using both Meta and TikTok pixels and fed full URLs to TikTok which revealed information on health conditions, including urinary tract infections, bacterial vaginosis and the need for emergency contraception, and medication sought by individuals.

The company, which stopped using all tracking pixels on its site as of December 2025, paid for online advertising campaigns, primarily on Facebook, Instagram and TikTok, using custom audience lists to retarget individuals based on their website interactions.

The company had Meta Pixel’s Advanced Matching feature enabled from October 2021 to December 2024, enabling collection of more granular information about individuals.

“For periods in which the Advanced Matching feature was not in use, Medmate could retarget ads to those individuals who visited the website on the pixel provider platforms,” Kind says. “I am therefore satisfied that Medmate was able to distinguish individuals from others in a way that affected their rights or interests by using tracking pixels to target and treat individuals on an individualised basis, even without their identity being known.

Monash IVF meanwhile used five active tracking pixels, including Meta, Google Ads and google Analytics in December 2024. It also used two others, including Pinterest, at different times.

It used Meta Pixel for advertising campaigns relating to egg donor and freezing, endometriosis, fertility and sperm donation, among others and created custom audience lists using other sources of customer information, uploading the lists to Meta Pixel Provider Dashboard to retarget advertising and ‘layer, build and further refine individuals’ they wanted to retarget.

Broader compliance signals

The determinations are the first of their kind from the OAIC on tracking pixels and signal increasing regulatory attention on digital tracking and targeted advertising practises.

Kind has emphasised that existing privacy laws apply to modern tracking technologies, regardless of how they are implemented or which third-party platforms are involved.

The OAIC’s guidance on tracking pixels notes that while the Privacy Act does not prohibit the use of the technology, organisations deploying third-party tracking pixels on their websites should conduct appropriate due diligence to ensure they are used in a way that is compliant with the Privacy Act and Australian Privacy Principles, and should ensure sensitive data isn’t disclosed to third-party platforms and is only collected with consent.

“Organisations must ensure their privacy policies and notifications contain clear and transparent information about the use of third-party tracking pixels,” the guidance says.

It says organisations should adopt a data minimisation approach and conduct regular, ongoing reviews of tracking technologies deployed on their website to ensure use remains appropriate and complies with privacy obligations.

Post a comment or question...

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

MORE NEWS:

Processing...
Thank you! Your subscription has been confirmed. You'll hear from us soon.
Follow iStart to keep up to date with the latest news and views...
ErrorHere