Privacy commissioner rules Medmate and Monash IVF breached privacy law through tracking pixels

The decisions establish that when tracking pixels are used on health-related websites to monitor visitors and facilitate targeted advertising on social media platforms, the activity constitutes the collection of sensitive information under the Privacy Act.

As a result, website operators must obtain users’ consent before collecting such data.

The ruling is expected to have broader implications for organisations using third-party advertising and analytics tools.

“Australians have become accustomed to pervasive online tracking and targeted advertising, but that doesn’t mean that they’re comfortable with it,” Privacy Commissioner Carly Kind said in a 24 June statement.

“In particular, when it comes to targeted advertising based on sensitive data, our community attitudes research shows that nine in 10 Australians consider it neither fair nor reasonable to be targeted on the basis of their sensitive health data.”

The commissioner said the determinations reinforce that organisations cannot rely on the complexity of digital advertising technologies to avoid their obligations under privacy law.

VIEW ALL

“Today’s decision establishes that the advanced technology used for tracking and targeted advertising in the online realm still has to be used in compliance with the Privacy Act,” the commissioner said.

The OAIC has also released a companion report, Your life, pixelated: how tracking pixels watch your every click, following an inspection of 50 health service provider websites. The report outlines privacy risks associated with tracking pixels and provides recommendations for organisations and consumers.

The regulator is urging all entities subject to the Privacy Act to review their use of third-party tracking technologies and ensure they understand and comply with their obligations when collecting sensitive information, including health data, political opinions, race and ethnicity.