The OAIC releases its guidance on the use of tracking pixels

7 November 2024

The Office of the Australian Information Commissioner (OAIC) has released its long-awaited guidance to assist private sector organisations in fulfilling their obligations under the Privacy Act 1988 (Cth) (Privacy Act) when utilising third-party tracking pixels on their websites.

This guidance was developed in response to industry calls for more detailed information on how the Privacy Act applies to tracking technologies, as well as growing interest from government, media, and the community.

Many social media companies and other digital platforms offer tracking pixels.

A tracking pixel is a piece of code generated by the third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.

There are different types of tracking pixels that can be used for a variety of purposes. For example, pixels can be used to analyse website traffic (e.g. which pages are visited, time spent on a page and user demographics), to target ads to individual users on third-party platforms, and to measure the success of advertising campaigns. Pixel providers typically offer a dashboard or interface where organisations can track, test and change their pixel settings.

These pixels, along with other tracking tools like cookies, enable detailed user monitoring across the internet and social media platforms. They are valuable for businesses in terms of analysis, advertising, and evaluating return on investment.

Australian Privacy Commissioner Carly Kind has highlighted concerns, stating:

“Many of these tracking tools are harmful, invasive, and detrimental to online privacy.”

Organisations have privacy obligations in relation to their use of tracking pixels where that use results in the collection, use or disclosure of personal information.

The 13 Australian Privacy Principles (APPs) in the Privacy Act set out legally binding obligations for APP entities when handling personal information and sensitive information.

‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable. The term ‘personal information’ encompasses a broad range of information which may include technical and inferred information depending on the circumstances.

Individuals do not necessarily need to be identified from the specific information being handled to be ‘reasonably identifiable’ under the Privacy Act. An individual can be ‘reasonably identifiable’ where the information collected through a third-party tracking pixel (such as an IP address, URL information, or a hashed email address) is able to be linked or matched with other information held by the third-party platform. In these circumstances, both the organisation and the third-party platform will have privacy compliance obligations in relation to this information.

  1. The Privacy Act does not prohibit the use of tracking pixels. However, organisations that deploy third-party tracking pixels on their websites should conduct appropriate due diligence to ensure they are used in a way that is compliant with the Privacy Act and the APPs.
  2. Organisations should adopt a data minimisation approach and ensure that pixels are configured to limit the collection of personal information to the minimum amount necessary in the circumstances (APP 3).
  3. Organisations must generally ensure that sensitive information is not disclosed to third-party platforms through tracking pixels. Sensitive information must only be collected with an individual’s consent (APP 3).
  4. Collecting personal information covertly without the knowledge of the individual is likely to be an unfair means of collection (APP 3). Organisations must ensure their privacy policies and notifications contain clear and transparent information about the use of third-party tracking pixels (APPs 1 and 5).
  5. Organisations must ensure that any personal information disclosed to third-party providers through tracking pixels is for the primary purpose for which it was collected, or for a secondary purpose if an exception applies (APP 6).
  6. If personal information collected via a tracking pixel will be sent overseas by the third-party provider, an organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (unless an exception applies) (APP 8).
  7. Organisations must comply with the direct marketing obligations under APP 7 when using tracking pixels to target individuals with online ads, which includes providing individuals with a simple means to opt out.
  8. Organisations should conduct regular, ongoing reviews of the tracking technologies deployed on their website to ensure their use remains appropriate and complies with privacy obligations.
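A practical starting point for the reviews in point 8 and the minimisation check in point 2 is an inventory of what a page actually loads from third parties and what it sends them. The script below is an added example (not from the OAIC guidance or any pixel provider): it parses a page's HTML, lists every `img` and `script` fetched from a host other than the organisation's own, and flags 1x1 images and query parameters that look like hex digests, since a hashed email or similar identifier is still personal information where the platform can match it. The sample HTML, the hosts and the parameter names are constructed placeholders.

```python
"""Inventory third-party pixel and script loads in a page (example audit helper)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# 32/40/64 hex chars: MD5/SHA-1/SHA-256 digests, the usual shape of a hashed identifier
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


class PixelFinder(HTMLParser):
    """Collects <img>/<script> loads whose host is not the first-party site."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script"):
            return
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        host = (url.hostname or "").lower()
        # Relative URLs and the organisation's own host(s) are not third-party loads
        if not host or host == self.first_party_host or host.endswith("." + self.first_party_host):
            return
        params = dict(parse_qsl(url.query))  # decoded query string sent to the third party
        self.findings.append({
            "tag": tag,
            "host": host,
            "one_by_one": tag == "img" and a.get("width") == "1" and a.get("height") == "1",
            "params": sorted(params),  # every key is data leaving the site, incl. the page URL
            "hash_like_params": sorted(k for k, v in params.items() if HASH_RE.match(v)),
        })


def audit_pixels(html, first_party_host):
    """Return one finding per third-party img/script load found in `html`."""
    finder = PixelFinder(first_party_host)
    finder.feed(html)
    return finder.findings


# Constructed sample page: 'pixel.adnetwork.example' and 'hid' are placeholders, not a real vendor.
SAMPLE_HTML = """<html><body>
<img src="https://www.example.com/logo.png" width="200" height="50">
<script src="https://pixel.adnetwork.example/track.js"></script>
<noscript><img src="https://pixel.adnetwork.example/tr?id=123&hid=5d41402abc4b2a76b9719d911017c592&url=https%3A%2F%2Fwww.example.com%2Fhealth" width="1" height="1"></noscript>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_pixels(SAMPLE_HTML, "www.example.com"):
        print(finding)
```

Run it against the rendered HTML of each page in the review; a `hash_like_params` hit, or a `url` parameter that reveals a page such as a health or financial service, is the point at which the pixel configuration and the privacy notice need a second look.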

If you would like assistance implementing practices and procedures to comply with the above guidance, please get in touch with us!