Australian Privacy Commissioner Draws a Line on Tracking Pixels and Health Data

Key Takeaways

• Consent Required for Sensitive Data Tracking: The Privacy Commissioner found that using tracking pixels to collect and use sensitive health-related information for targeted advertising requires user consent under Australia's Privacy Act.
• Medmate and Monash IVF Found to Have Interfered with Privacy: Separate determinations concluded that both organizations breached privacy obligations through their use of third-party tracking technologies on healthcare-related websites.
• Ruling Extends Beyond Health Information: The Commissioner made clear that the same consent requirements apply when tracking technologies collect other forms of sensitive information, including political opinions and racial or ethnic data.
• Common Advertising Technologies Remain Subject to Privacy Law: The decisions reinforce that widespread use of tracking pixels does not exempt organizations from complying with legal obligations governing the collection of sensitive personal information.

Deep Dive

Two privacy determinations released Thursday by the Australian Privacy Commissioner found that health service providers Medmate and Monash IVF interfered with individuals' privacy through their use of third-party tracking pixels. The decisions conclude a year-long investigation by the Office of the Australian Information Commissioner into how the two companies collected information from visitors to websites offering telehealth and fertility services.

Tracking pixels are among the most common tools on the modern internet. They help companies understand who visits their websites, what those visitors do, and whether advertising campaigns are working. They also help fuel the targeted advertising ecosystem that follows people from website to website and platform to platform.

In both determinations, the Privacy Commissioner concluded that using tracking pixels to monitor visitors to health-related websites and then target those individuals with advertising on social media platforms amounted to the collection of sensitive information under Australia's Privacy Act. That finding carries a straightforward consequence: consent is required.

The ruling may sound obvious to many Australians. The online advertising industry has spent years normalizing forms of tracking that would have seemed intrusive not long ago. People have learned to live with advertisements that appear moments after they browse a product, search for a service, or visit a website. What remains far less settled is whether that same machinery can be applied to information that reveals something deeply personal.

The Commissioner's office pointed to its own community attitudes research, which found that nine in ten Australians do not consider it fair or reasonable to be targeted with advertising based on sensitive health information.

"Australians have become accustomed to pervasive online tracking and targeted advertising, but that doesn't mean that they're comfortable with it," the Privacy Commissioner said.

The findings go beyond telehealth appointments and fertility services.

More Than a Health Sector Decision

Health information happened to be at issue in these cases, but the reasoning reaches much further. The Commissioner explicitly stated that website operators must obtain consent when tracking technologies are used to collect other forms of sensitive information, including political opinions, racial or ethnic origin, and similar protected categories of data.

That matters because the same advertising infrastructure appears across vast portions of the internet. The pixels embedded on a healthcare website are often not fundamentally different from those found on news sites, advocacy organizations, educational platforms, or countless other online services. What changes is the nature of the information they are capable of revealing.

"Today's decision establishes that the advanced technology used for tracking and targeted advertising in the online realm still has to be used in compliance with the Privacy Act," the Commissioner said.

A Message for Organizations Beyond Australia

Privacy regulators around the world have spent the past several years scrutinizing the use of tracking technologies, particularly when they intersect with health information. What makes these determinations notable is not that they introduce a new theory of privacy harm. They do not.

Instead, they take a practice that became commonplace and apply a familiar legal principle to it. The message is difficult to misunderstand. Just because a technology has become routine does not mean it exists outside the reach of privacy law. If a tracking tool collects sensitive information, organizations cannot treat consent as optional simply because the collection happens invisibly in the background.

For years, many privacy disputes have turned on complicated questions of data flows, platform architecture, and technical implementation. These decisions are remarkably direct. A person's health information remains sensitive information, even when it is collected by a few lines of code embedded in a webpage.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.