OAIC determines the use of tracking pixels “did not track”
On 24 June 2026, the Australian Privacy Commissioner published separate determinations which found that both Medmate Australia Pty Ltd and Monash IVF Pty Ltd contravened Australian Privacy Principles (APPs) 3.3, 5.1 and 7.1 through their use of third party tracking pixels to collect and use health information for targeted advertising without the consent or knowledge of the affected individuals (Commissioner Initiated Investigation into Medmate Australia Pty Ltd (Privacy) [2026] AICmr 41; Commissioner Initiated Investigation into Monash IVF Pty Ltd (Privacy) [2026] AICmr 40).
The determinations highlight the need for organisations to review their use of tracking pixels in customer facing platforms and ensure they have steps in place to notify individuals about their collection of personal information through the use of tracking pixels and, where that information is sensitive information, obtain consent to the collection. They also have broader implications for core concepts of what personal information is and when it might be said to be collected.
We discuss the key findings and takeaways below.
What is a tracking pixel?
A tracking pixel is a tiny, invisible image (usually 1x1 pixel in size) or Javascript snippet embedded within an organisation’s website, emails or digital advertising that is used to collect information about an individual's activity. When the individual visits the webpage (or opens the email or advertisement), the individual’s device sends a request to a tracking server operated by the pixel provider. That server records certain types of data embedded within the request which can be used to track online behaviour. Typically, this information is matched with other information the pixel provider has to create segmented audience lists and targeted advertising to the individual.
Pixel providers typically offer a dashboard or interface where organisations using the pixel can track, test and change settings to determine what information is collected through the deployment of the pixel. Through those mechanisms, the data generated is then accessible to the organisation which deploys the pixel, for example to analyse website traffic (such as which pages are visited, time spent on a page and user demographics), to target ads to individual users on the pixel provider's platforms and to measure the success of advertising campaigns.
Collection of sensitive information (APP 3)
Under APP 3.3, an APP entity may only collect "sensitive information" if the individual consents to the collection, unless an exception applies. Sensitive information includes health information.
Was there a “collection” of information?
Medmate embedded pixels from both TikTok and Meta on its website. Each time a user browsed a page, including those relating to health conditions, the browsing data was transmitted to the pixel providers.
Monash IVF deployed seven different tracking pixels: Meta Pixel, Google Ads, Google Analytics 4, Matomo, Jet Interactive, Hotjar and Pinterest. A custom Meta Pixel was designed to track visits to fertility-related webforms, such as pages for egg freezing, embryo donation and genetic carrier screening. The data collected was used by Monash IVF for retargeting purposes, categorising audiences by age, gender and location to serve fertility-related advertising to individuals who had visited its website.
In both cases, Meta's Advanced Matching feature was enabled at some points during the relevant period, allowing users' contact details (obtained through webform submissions and purchases) to be matched to their Meta accounts, regardless of whether they were logged in.
The Commissioner found that both Medmate and Monash IVF – as opposed to the pixel providers – “collected” information for the purposes of the Privacy Act through their deployment of pixels, even though the information concerned was not stored in a record in the physical possession of Medmate or Monash IVF. Critically, this rested on the fact that, in relation to each of them:
the collection of pixel data would not have occurred if it had not actively commissioned the tracking pixels through its selected pixel provider;
it controlled the deployment and embedment of tracking pixels on its website; and
after initial set-up, it could customise the tracking pixel to adjust the information collected.
In reaching this conclusion, the Commissioner noted that it is common practice for entities to store information in a cloud service operated by a cloud service provider, and considered that this was a “logical progression” in the interpretation of the Privacy Act, allowing for adaptation to emerging technologies. More broadly, this emphasises (perhaps not controversially) that outsourcing the technical processes and systems involved in collecting information will not avoid the conclusion that an entity has collected the information, where in substance it controls the basis on which collection occurs.
Was it a collection of information about a person who was "reasonably identifiable"?
The Privacy Act regulates the collection of "personal information", which is information (or an opinion) about an "identified", or "reasonably identifiable", individual, whether true or not and whether recorded in material form or not. Interestingly, the Privacy Act does not define the terms "identified" or "reasonably identifiable", meaning that what information constitutes "personal information" may not always be readily apparent in the circumstances, particularly in the context of online tracking and targeted advertising where a person's identity (ie their name together with other direct identifiers) may not always be known.
In both determinations however, the Commissioner concluded that information makes an individual "reasonably identifiable" where it facilitates "individuation", being where an entity is able to distinguish an individual from others "in a way that affects their rights or interests". This does not necessarily require that individuals can be identified by name, date of birth or other direct identifiers, but simply that the information can be used to affect that individual's rights or interests on an individualised basis.
As both Medmate and Monash IVF could retarget ads to specific individuals using the information collected without knowing their identity, this was found to be sufficient to establish that the individuals were reasonably identifiable by that information. The Commissioner acknowledged this was a "potentially novel application" of the concept of “reasonably identifiable” but that it was again a "logical progression" of the legislative interpretation, consistent with the technology-neutral and principles-based nature of the Privacy Act. The information was “about” a person because (citing the earlier case of Privacy Commissioner v Telstra Corporation Limited) the subject of the information was the relevant person’s behaviour.
The information was “sensitive information” and consent was not obtained
The Commissioner found that Medmate collected details about health conditions or online prescriptions sought by individuals browsing their website, which was revealed through URL structures transmitted to pixel providers TikTok and Meta. In Monash IVF's case, tracking pixels recorded interactions with sub-domains on the website which revealed, or at least allowed inferences to be drawn about, individuals' health information, as those sub-domains related to fertility services and treatments. The Commissioner found that this information was at least sufficient for the website operators to form an opinion about the health circumstances of people who were visiting the relevant websites, evidenced by the fact that the information was used to retarget advertisements to the relevant individuals.
This reasoning was critical, as the conclusion that the information was health information (and therefore a form of “sensitive information” under the Privacy Act) drove the requirement for consent to the collection to be obtained. The Commissioner found that neither entity obtained valid consent to the collection. Citing earlier guidance issued by the OAIC, the Commissioner noted that for consent to be valid, it must be “informed, voluntary, current and specific” and be given by “individuals who have the requisite capacity”.
In Medmate's case, a cookie consent pop-up was introduced late in the relevant period, but it did not mention tracking pixels, Meta or TikTok. The Commissioner found the reference to cookies was not sufficiently specific to extend to tracking pixels, given they are distinct from tracking pixels and can be used to track activity across multiple devices. The consent was also found to not be sufficiently specific, the Commissioner stating that “the level of specificity required is higher" for sensitive information.
In Monash IVF's case, there was no evidence that express consent for the collection of sensitive information via tracking pixels was ever sought from website visitors.
On that basis, both entities were found to have contravened APP 3.3.
Failure to notify about the collection of personal information (APP 5)
Under APP 5.1, APP entities must take reasonable steps to notify the individual (or ensure their awareness) of certain matters which are reasonable in the circumstances, at or before the time of collecting personal information (or as soon as practicable afterwards). Those matters include the purposes of the collection and the entities, or types of entities, to whom the information is usually disclosed. Medmate relied on the contents of its privacy policy between April 2021 and November 2024 to demonstrate it had given the required notice. However, the Commissioner found that a privacy policy alone was not sufficient in the circumstances to notify individuals for the purpose of APP 5.1, which she stated requires an entity to take “specific action” to notify individuals “at the time of, or as soon as practicable after, the collection has taken place”. The cookie consent pop-up that Medmate introduced on 15 November 2024 was also considered inadequate as it did not specifically inform users that tracking pixels were collecting sensitive information and being disclosed to pixel providers.
Monash IVF provided no information about tracking pixels on its website during the relevant period, other than references to cookies and Google Analytics (but none of the other six tracking pixels used). The Commissioner noted that Monash IVF had previously deployed pop-ups on the website for other purposes and had the financial and technological means to implement proper notification of the pixel technologies and concluded that in the circumstances it had not taken “reasonable steps” to give the required notices at the appropriate time.
In finding that neither entity had given the notice required, the Commissioner noted that the reasonable steps required to notify individuals may have been met by deploying a banner or pop-up at the first webpage visit, which either provided the required APP 5.1 notice or specifically directed individuals to relevant information regarding the entity's collection of personal information using tracking pixels in a separate policy.
Using or disclosing personal information for direct marketing without consent (APP 7)
APP 7.1 contains a general prohibition against using or disclosing personal information for direct marketing. APP 7.4 then provides a relevant exception in that sensitive information may be used or disclosed for direct marketing only with the individual's consent.
The Commissioner found that both Medmate and Monash IVF breached APP 7.1 by not obtaining consent to the use or disclosure of sensitive information for direct marketing.
Medmate used pixel data to retarget ads to segmented audience groups of individuals based on their website interactions, serving those groups targeted advertising on pixel provider platforms. While Medmate's Privacy Policy referred to web beacons and the collection of browsing behaviour, it was silent on the subsequent disclosure of that information for direct marketing purposes. Neither express nor implied consent could have been obtained given this absence of specific information on the website.
Monash IVF used the Meta Pixel to retarget marketing communications to specific individuals, linking website interactions to Meta accounts and tracking webform submissions. While Monash IVF's Group Privacy Policy identified marketing as a secondary purpose, it incorrectly stated that personal information was only collected when an individual submitted a webform inquiry or registration, whereas data was transmitted via tracking pixels from the moment a user visited the website. The Privacy Policy also did not exhaustively list all tracking pixels in use. On that basis, express consent was never sought, and implied consent could not be inferred because individuals were not provided accurate or sufficient information about Monash IVF's pixel data practices.
Key takeaways
Exerting sufficient control over the process of collecting information is enough to trigger “collection” obligations. You do not need to have direct possession of data collected through an independent technology platform where you have caused the collection of information by that platform and have the ability to control it.
Whether a person is "reasonably identifiable" does not necessarily require that you know who they are, as long as you can single them out. Organisations do not have to be able to directly identify an individual through the collection of a person's name or other direct identifiers. It is sufficient that the business has the ability to single out an individual for the purpose of engaging in activity that may allow them to be distinguished from others "in a way that affects their rights or interests", which would include directing targeted advertising to that individual. This could potentially involve difficult questions of degree. While the Commissioner has acknowledged the novelty of this interpretation, it should be taken as indicative of the approach to enforcement in the absence of any contrary authority or legislative clarification (which may form part of upcoming privacy reforms).
A consent to collect sensitive information or conduct direct marketing will be viewed critically. The Commissioner’s view that consent to the collection of sensitive information must be informed, voluntary, current and specific potentially sets a high bar in relation to the collection of information, as does her view that the level of specificity may vary based on whether sensitive information is involved. Organisations relying on consent to the collection of sensitive information for direct marketing purposes should review the terms of those consents carefully to assess whether they need to be enhanced to avoid invalidity.
Privacy policies, while necessary, may not alone be sufficient for the purpose of giving notices under APP 5.1 on websites. Reliance on privacy policies which “sit in the background” for the purpose of giving notices about the collection of personal information (such as through cookies and tracking pixels) is fraught, particularly when collecting sensitive information.
Cookie pop-ups do not suffice for notification about pixel-based information collection. Cookies and tracking pixels are not the same technologies. Obtaining a cookie consent will not satisfy the obligation to obtain consent to the collection of sensitive information for direct marketing using tracking pixels.