On November 4, 2024, the Office of the Australian Information Commissioner (OAIC) announced that it published guidance on tracking pixels and privacy obligations. The OAIC explained that the guidance is intended to ensure private sector organizations meet their obligations under the Australian Privacy Act (the Privacy Act) when using third-party tracking pixels. The OAIC highlighted that organizations deploying these pixels must ensure compliance with the Privacy Act and the Australian Privacy Principles (APPs), particularly around data minimization, transparency, and user consent.

Privacy obligations when using tracking pixels

The OAIC describes a tracking pixel as a piece of code generated by a third-party provider embedded in a website that collects information about a user's activity. The guidance clarifies that, although the Privacy Act does not prohibit tracking pixels, organizations must carefully control data collection to align with privacy principles. This includes implementing a data minimization approach, avoiding the collection of sensitive information without consent, and limiting the data shared with third parties to what is necessary for the intended purpose. Additionally, the guidance states that organizations should ensure that personal information is only used for the primary purpose of collection unless exceptions apply.

Sensitive data and overseas transfers

The guidance highlights that sensitive information, such as health details or religious beliefs, should only be collected through tracking pixels with express user consent. The guidance also notes that if personal information is transferred overseas by third-party providers, organizations must ensure those parties adhere to the APPs. Organizations are advised in the guidance to limit pixel deployment to avoid collecting sensitive information unnecessarily.

Direct marketing and transparency

According to the guidance, any use of tracking pixels for direct marketing purposes must align with APP 7, which requires that individuals be able to opt out easily and that sensitive information is only used for marketing with explicit consent. Additionally, the guidance notes that organizations should also provide a clear, accessible way for users to opt out of targeted advertising. The guidance states that organizations should be transparent about the collection, use, and disclosure of personal information using third-party tracking pixels. In this regard, the guidance notes that organizations should clearly disclose their use of third-party tracking pixels in their privacy policy, including the kinds of personal information collected by the pixel and the purposes for which the information is handled.

You can read the press release here and the guidance here.