Carly Kind
Privacy Commissioner
Have you ever wondered how the same pair of shoes or holiday package you just looked at ended up on your social media feed? Unknown to you, social media platforms such as Meta and TikTok may be watching your every click.
Tracking technologies are not a new phenomenon, and tracking pixels are just one of these technologies offered by many social media companies and other digital platforms. A tracking pixel is a piece of code that organisations embed into their websites, often for marketing and analytics purposes. Third-party tracking pixels can be configured for a variety of purposes: they can track the webpages you go to, every click, everything you put in your cart and, in some circumstances, information you enter into forms, all of which is shared with social media companies to profile you and target ads at you.
Tracking pixels are distinct from cookies in that you cannot delete them and they are much harder to avoid. While you can easily clear your browser cookies or adjust your settings to block them entirely, tracking pixels are embedded into the website’s coding and invisible to the human eye. Unless you use screening tools, it is unlikely that you would be aware that a tracking pixel is operating on the website you are browsing.
You may not be surprised to find that this is occurring as you browse for shoes or holidays. However, imagine if you were looking for information about some health symptoms you were experiencing, or if you were seeking resources about anxiety. Most likely, in these circumstances, you would be under the impression that you were anonymously browsing and would not expect that your web browsing activity is being shared with social media companies.
To further understand the usage and prevalence of tracking pixels, in October and November 2024, the OAIC conducted a scan of 50 health service provider websites. The websites scanned represent an array of Australia’s digital landscape in the health sector, including:
- helpline and mental health services
- health services for children and young people
- pharmaceuticals
- health services including insurance, fertility and abortion.
Of the websites scanned:
- 96% used tracking technologies
- 52% used a third-party tracking pixel
- Of the entities that used a third-party tracking pixel, 77% did not mention the use of third-party tracking pixels within their privacy policy.
Following our scan, we conducted a closer inspection of 12 websites identified based on the number and types of ad trackers used, the types of personal information collected via the websites and the services they provide to the community. Further information about our research and findings is detailed in the section below.
While it is not possible for the OAIC to investigate every matter of potential non-compliance, we take a risk-based and proportionate approach to regulation. This inspection subsequently resulted in:
- Commissioner-initiated investigations being launched in December 2024 in relation to strategically selected organisations, the determinations of which are published at [link to Privacy determinations page for Monash] and [link to Privacy determinations page for Medmate].
- targeted engagement with a further 8 organisations about the use of tracking pixels on their websites.
What our website inspection revealed
Of the 12 websites inspected:
- all used more than 1 tracking pixel provided by a third party
- 50% used more than 1 tracking pixel provided by social media platforms
- all used the third-party tracking pixel provided by Meta
- 50% used the TikTok tracking pixel
- 25% used the Snapchat tracking pixel.
We observed that web browsing activity was being transmitted to social media platforms, and this included, among other things:
- full URL, which contains information about the page you visited
- website searches
- button clicks
- time and date stamp
- device information.
Despite this, our review of the inspected websites found that:
- there was no way for individuals to easily tell that their web browsing activity was being tracked
- the majority did not disclose in their privacy policies that tracking pixels were in use, or that information was being shared with social media platforms
- only 4 entities referred to tracking pixels in their privacy policies. Of these, only 2 referred to the specific social media platform information was being shared with
- where the collection and use of web browsing data was referred to in privacy policies, assurances were provided that data cannot be tracked back to one user.
While the information provided to individuals about the use of third-party tracking pixels was often vague, giving the impression of anonymity, our inspection revealed that this is not the case. Notably, we observed instances where:
- when an individual is logged into their social media account (either by phone app or web browser), browsing activity is linked to their profile
- form fields including hashed names, addresses or telephone numbers were being shared with social media platforms. This information is used to match the browsing activity to individuals and their profiles, even where they are not logged in.
Our inspection showed that in the context of healthcare services, the information transmitted via tracking pixels is not just technical data – it can reveal incredibly intimate details about an individual’s life. For example:
- browsing specific webpage for information about medical or health conditions, which could look something like: ‘page: url: "http://[domain]/mental-health"’
- answering questionnaires by clicking buttons on a webpage to indicate symptoms for medical or mental health conditions
- searches for support services, for example domestic violence or eating disorders, which could look something like: cd [button text]: Search term for example "UTI Medication"
- screening outcomes to determine what services or resources are to be recommended
- what you add to cart, including the type and categories of medication.
What the engagement with organisations told us
As a result of our inspection, we engaged with targeted organisations to outline their obligations under the Privacy Act and make inquiries about their use of tracking pixels. Our engagement showed that organisations, even those that provide valuable services to the community, may share personal information with third parties due to gaps in their understanding of how tracking technologies work. We observed that:
1. There are assumptions that web browsing data is ‘de-identified’
Many organisations we engaged with argued that web browsing data is de-identified, hashed or pseudonymised and that privacy obligations did not apply. Some things we heard included:
Our understanding was that the data collected by tracking pixels for the purpose of advertising through our … campaigns did not contain personal or sensitive information and the information collected was encrypted or hashed…
Any personal information is hashed before it is transmitted, viewed by us and third parties. We only view hashed data and generalised trends for analytical purposes.
We use direct marketing in the form of targeted paid advertisements on Meta (Facebook and Instagram) and LinkedIn. Information disclosed through these pixels on these channels is hashed and cannot be reversed...
Of the 12 organisations we engaged with, none had conducted a Privacy Impact Assessment prior to using tracking pixels on their websites.
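The "hashed, so not personal information" view quoted above, and the form-field matching described in the inspection findings, both turn on the same property of hashing. The following added Python example (not the OAIC's code, and not any platform's actual matching implementation; the trim-and-lowercase normalisation and SHA-256 scheme are assumptions, and every email, profile id and URL is constructed) shows why a hash is a stable key rather than an anonymiser: a party that already holds the identifier in the clear computes the same hash and joins the pixel event to a profile.

```python
import hashlib

# Constructed sample data: the identifier table a platform already holds for its
# logged-in users, and the "hashed" form fields a website's pixel transmits.
# All values are invented for this example.
PLATFORM_USERS = {
    "alice.example@example.com": "profile-1001",
    "bob.example@example.com": "profile-1002",
}

def normalise(value: str) -> str:
    """Canonicalise an identifier before hashing (assumed: trim and lowercase,
    as hashed-matching schemes commonly do) so both sides hash identical bytes."""
    return value.strip().lower()

def hash_identifier(value: str) -> str:
    """Hex SHA-256 of the normalised identifier (assumed scheme for this demo)."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()

def build_match_table(users: dict) -> dict:
    """The platform pre-computes the hash of every identifier it holds in the clear."""
    return {hash_identifier(email): profile for email, profile in users.items()}

# Events the pixel sent: only the hash plus page context, never the raw email.
PIXEL_EVENTS = [
    {"em": hash_identifier(" Alice.Example@example.com "),
     "url": "https://clinic.example/mental-health"},
    {"em": hash_identifier("carol.example@example.com"),
     "url": "https://clinic.example/fertility"},
]

def link_events_to_profiles(events: list, match_table: dict) -> list:
    """A deterministic hash is a stable key: the platform joins each event to the
    profile whose identifier hashes to the same value. An unmatched hash stays
    linkable later, e.g. once that person signs up with the same email."""
    return [(ev["url"], match_table.get(ev["em"])) for ev in events]

if __name__ == "__main__":
    table = build_match_table(PLATFORM_USERS)
    for url, profile in link_events_to_profiles(PIXEL_EVENTS, table):
        print(url, "->", profile or "no profile yet (hash unchanged, still matchable)")
```

Note that the website never sent an email address, yet the platform learns that the holder of profile-1001 read the mental health page; hashing only protects against a party that does not already know the identifier.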
2. Organisations are not aware of the tracking pixels on their websites
Of particular concern, many organisations we engaged with were not aware of all the tracking pixels on their websites. It was evident that the marketing areas of a business are often separated from its privacy-focused teams, or that marketing responsibilities are outsourced. This resulted in instances where tracking pixels were deployed or configured without the organisation’s awareness, or under a ‘set and forget’ approach.
Case study – lack of organisational awareness regarding tracking pixel usage
A health service provider the OAIC engaged with was surprised to find that there were active tracking pixels deployed on its website, as its business Facebook page had been disabled a long time ago.
As a result of the engagement with the OAIC, the health service provider undertook a detailed audit of its website. It reported that a third-party vendor had originally been engaged to design and manage its website, including analytics and optimisation tools, and that tracking pixels from advertising and social media platforms had progressively been added over time. The health service provider found that there were 50 tracking pixels active on its website that were not necessary to the operation of its website or its business, and it had not been aware of the type of information being shared with external platforms.
This case demonstrates how tracking pixels may be introduced without organisations’ awareness. The health service provider immediately commenced removal of all tracking pixels and committed to conducting a Privacy Impact Assessment.
3. Organisations are not aware of the potential harms
Many organisations underestimate the potential harms associated with tracking technologies. Some organisations we engaged with viewed the use of tracking technologies as a way to engage with particular audiences on the platforms they regularly frequent to provide information about services they may need, rather than a mechanism that may enable individuals to be extensively profiled. However, without careful consideration, individuals may be exposed to unintended harms, particularly where individuals’ profiles can be used to exploit their interests and vulnerabilities.
Case study – CareCo’s Marketing campaign
CareCo is a community-based health service provider that provides mental health and chronic illness support services. CareCo is eager to promote and improve access to its services and engage a wider audience, particularly younger people.
As part of a broader digital strategy, CareCo engaged a marketing consultancy to improve its website performance and community reach. The marketing consultancy recommended the use of Meta and TikTok pixels on its website to better understand website visitor behaviour and optimise outreach – the Meta and TikTok dashboards also seemed easy for CareCo to use and understand.
After the marketing consultancy set up the website, CareCo’s first advertising campaign was directed to individuals who had visited its website in the last two weeks and were between the ages of 25 and 30.
Case study – Mary’s eating disorder
Mary visited CareCo’s website late one night following a web search for information about eating disorders. She browsed several pages, read about counselling options and downloaded a pamphlet. She did not create an account or request an appointment, as she was not ready to take that step.
Within days, Mary noticed that she was receiving ads on social media from CareCo and other companies she had never engaged with, advertising counselling services. Mary also noticed one ad about natural weight loss supplements and she could not understand why.
She felt overwhelmed and uncomfortable – had her phone been listening to her conversations?
This case shows how tracking pixels can be used to retarget individuals based on their interactions with a website. Tracking pixels operate as part of a broader digital advertising ecosystem. Information transmitted by tracking pixels can be combined with information social media platforms hold about their users to facilitate retargeting and the profiling and targeting of individuals based on their inferred interests.
What steps can you take to regain control
Individuals can take steps to empower themselves in the digital space.
There are free, online tools individuals may access. For example, Blacklight, created by investigative journalists at The Markup, is a simple and easily accessible tool that can scan websites and provide an overview of the tracking technologies in use.
For more technically-savvy individuals, the European Data Protection Board Website Auditing Tool is a free and open-source software which helps detect and analyse trackers used on websites, including cookies and tracking pixels. Results can be exported and imported from the application.
Browser extensions are another way of inspecting a website for tracking technologies. Some well-known tools including Brave, Ghostery and Chrome DevTools can be used to identify tracking pixels on websites and in some instances, block ads.
Social media platforms also offer ways for individuals to view and download the data shared with them. For Facebook users, the ‘Off-Facebook Activity’ tool allows you to see the data other organisations have shared with Meta about your website interactions. For TikTok users, this can be accessed by selecting Settings and Privacy > Account > Download your data. Individuals may also choose to clear past activity and adjust the settings on their account to prevent the use of future off-platform activity for targeted advertising on the social media platform.
Key takeaways for organisations
On 4 November 2024, the OAIC published guidance in relation to organisations using third-party tracking pixels on their websites and set out general considerations for compliance with the Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APPs).
Our work in this space has revealed that privacy risks are not confined to data breaches or malicious actors; they are embedded in the online environment we engage with on a day-to-day basis. For health provider organisations and any other organisation that handles personal or sensitive information, your responsibilities are clear: protecting individuals’ privacy means you must understand not just the information you intentionally collect, but also the information your systems may be collecting and disclosing to third parties.
If your website uses and deploys tools like tracking pixels, it is your responsibility to ensure they are used in a way that is compliant with the Privacy Act. Non-compliance can have serious consequences for individuals using your service, and for your business.
In an environment of heightened community expectations around privacy and data handling, this is an opportune time for organisations to take stock of, consider and prioritise individuals’ privacy rights and the consequences of ignoring these rights for individuals. In addition to the recommendations in our guidance, some key takeaways for organisations include:
- Assess the sensitivity of data (actual and inferred) and configure tracking pixels appropriately
Tracking pixels will typically share information about your website visitors and what they did on the website. Consider the people that may visit your website and what inferences can be drawn from their browsing activity.
Browsing data may be personal information, and may be sensitive information. Every page view potentially reveals or allows an inference about an individual’s health: if someone visits pages about anxiety, STDs or fertility, it is likely they have a personal health interest.
As required by APPs 3 and 6, tracking pixels should be configured appropriately to limit the collection of personal information to the minimum amount reasonably necessary in the circumstances and to avoid the disclosure of sensitive information to social media platforms. Sensitive information should only be collected via a tracking pixel with an individual’s express consent.
- Know what tracking technologies are in place and where
Organisations must understand their data flows and identify which tracking pixels are in use. For any tracking technologies deployed, your organisation should be documenting what data is being collected and where it is sent. Your organisation should also be conducting regular, ongoing reviews of the tracking technologies deployed on the website to ensure their use remains appropriate and complies with privacy obligations.
Tracking pixels are not a ‘set and forget’ type of tracking tool. If your organisation uses them, you must actively monitor what the tracking pixels are doing. If they are collecting more information than initially expected, or sending it somewhere that was not approved, you are responsible for managing it.
- Ensure transparency and valid consent mechanisms are in place
Organisations need to ensure that their privacy policy and collection notice contain clear and transparent information about the use of tracking pixels to collect, use or disclose personal information. Organisations must also ensure that the information provided is clearly expressed and easy to understand.
If your organisation uses or discloses sensitive information for direct marketing purposes, you must ensure that it only does so with the individual’s consent; this is required by APP 7. For consent to be valid, it must be voluntary, specific and informed; the individual must also have the capacity to give consent.
When using tracking pixels to target individuals with online advertising on social media platforms, organisations must provide individuals with a simple way to opt-out. For example, an organisation could deploy a banner or pop-up when a user first visits a website which provides notice of the use of third-party tracking pixels for marketing or advertising purposes and allows the user to opt-out.
- Implement a privacy by design approach
Whilst the Privacy Act does not prohibit the use of tracking pixels, it requires organisations to use them responsibly. If your organisation handles sensitive information or serves vulnerable communities, such as children, we strongly recommend you reconsider your use of tracking tools. Tracking individuals’ online behaviour in certain circumstances may be incompatible with the goals you wish to achieve with your services, for example offering services where confidentiality is paramount.
Consideration should be given to whether there are other methods of reaching customers for marketing purposes that may be more privacy protective and acceptable to the community. For example, using first-party data to market to individuals via more direct channels (such as email) where the individual has clearly consented or would otherwise expect your business to send them marketing materials.
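One way to build the inventory that the ‘Know what tracking technologies are in place and where’ takeaway asks for, as an added Python example rather than code from the OAIC or from any of the tools named above: it parses a page’s HTML and reports which third-party pixels are present and which hosts they load from, so the result can be recorded and re-run as part of the regular reviews recommended above. The catalogue of loader hosts and base-code function names is an assumed starting list, not an exhaustive one, and the sample page, including its pixel id, is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Starting catalogue: public loader hosts and the global function each vendor's
# base code calls. Assumed non-exhaustive; extend it after your own review.
PIXEL_SIGNATURES = {
    "Meta pixel": {"hosts": {"connect.facebook.net", "www.facebook.com"}, "fn": r"\bfbq\s*\("},
    "TikTok pixel": {"hosts": {"analytics.tiktok.com"}, "fn": r"\bttq\.load\s*\("},
    "Snap pixel": {"hosts": {"sc-static.net"}, "fn": r"\bsnaptr\s*\("},
}

class TrackerInventory(HTMLParser):
    """Collects script/img/iframe sources and inline script bodies; <noscript> image
    fallbacks are still parsed as tags by html.parser, so they are caught too."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_inline_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.sources.append(a["src"])
        if tag == "script":
            self._in_inline_script = not a.get("src")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False
    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)

def find_pixels(html: str) -> dict:
    """Map each detected vendor to sorted evidence: the record of which pixels
    are present and where they send data that organisations should keep."""
    p = TrackerInventory()
    p.feed(html)
    found = {}
    for vendor, sig in PIXEL_SIGNATURES.items():
        hosts = (urlparse(s).hostname or "" for s in p.sources)
        evidence = {f"src:{h}" for h in hosts if h in sig["hosts"]}
        if any(re.search(sig["fn"], body) for body in p.inline):
            evidence.add("inline:base code")
        if evidence:
            found[vendor] = sorted(evidence)
    return found

# Constructed page: Meta base code with a noscript fallback, a TikTok loader and a
# first-party script that must not be reported. The pixel id is a placeholder.
SAMPLE_HTML = """<html><head>
<script>window.fbq = window.fbq || function(){}; fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<script async src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
<script src="https://cdn.example/first-party-analytics.js"></script>
</head><body><h1>Mental health support</h1></body></html>"""
```

Running `find_pixels(SAMPLE_HTML)` reports the Meta and TikTok pixels with their loader hosts and leaves the first-party script out; pixels injected at runtime by a tag manager will only appear if you feed the tool the rendered DOM rather than the raw HTML.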