Privacy Commissioner finds privacy breaches in third-party tracking pixel investigation

The Australian Privacy Commissioner has found, in 2 separate determinations, that health service providers Medmate Australia Pty Ltd (Medmate) and Monash IVF Pty Ltd (Monash) interfered with the privacy of individuals whose sensitive information was collected via third-party tracking pixels.

The determinations conclude the Office of the Australian Information Commissioner's year-long investigation into how Medmate and Monash collected sensitive information on their websites which provide telehealth and fertility services respectively.

The Privacy Commissioner's decision establishes that the use of tracking pixels to track website visitors to health-related websites, and to subsequently target them with advertising on social media platforms, amounts to a collection sensitive information for which the website provider must obtain users' consent.

"Australians have become accustomed to pervasive online tracking and targeted advertising, but that doesn't mean that they're comfortable with it. In particular when it comes to targeted advertising based on sensitive data, our community attitudes research shows that 9 in 10 Australians consider it neither fair nor reasonable to be targeted on the basis of their sensitive health data," said the Privacy Commissioner.

"Today's decision establishes that the advanced technology used for tracking and targeted in the online realm still has to be used in compliance with the Privacy Act. That means website providers must obtain consent where they're using tracking pixels to collect sensitive information, such as data on health, political opinions, race or ethnicity."

Published alongside the determinations is a separate report on the OAIC's inspection of 50 health service provider websites. Your life, pixelated: how tracking pixels watch your every click, outlines findings, case studies, and recommendations to help individuals and organisations manage the privacy risks of third-party tracking pixels.

The OAIC encourages all APP entities to review their usage of third-party tracking pixels, and ensure proper understanding of the relevant obligations under the Privacy Act 1988 (Cth).