New regulatory guidance: Tracking Pixels and Australian Privacy Law
Posted: November 22, 2024
The Office of the Australian Information Commissioner (OAIC) has published some practical guidance on using tracking pixels under Australia’s Privacy Act 1988.
This article explores the legal considerations for private sector organizations in Australia using third-party tracking pixels on their websites.
Tracking pixels under the Privacy Act 1988
Tracking pixels are snippets of code offered by third-party providers, including social media platforms such as Meta and Google. Once integrated into a website, a tracking pixel can collect data about users’ activity and send it to the third-party provider for analysis.
The data collected by pixels can include:
- Directly identifying information entered into the website via forms, such as name, email address, and phone number.
- Transaction data, including items viewed and cart additions.
- Network information like IP address and geolocation data.
The collection of these types of information, particularly when linked with other data held by third-party platforms, can trigger privacy obligations under the Australian Privacy Act 1988 (Privacy Act).
Does the Privacy Act prohibit the use of tracking pixels?
The Privacy Act does not prohibit the use of tracking pixels. However, organizations covered by the law must ensure that they comply with the Australian Privacy Principles (APPs) whenever tracking users online (or otherwise handling personal information).
According to the OAIC, such compliance steps include conducting due diligence to ensure the pixel’s configuration and use aligns with privacy obligations and ensuring “data minimization” – limiting the collection of personal information to the minimum necessary.
Key privacy obligations for organizations using tracking pixels
Organizations must consider the following APPs when using tracking pixels:
- Collection of personal information (APP 3): The collection of personal information must be reasonably necessary for the organization’s functions or activities. Sensitive information should only be collected with explicit consent.
- Use and disclosure of personal information (APP 6): Personal information should only be used or disclosed for the primary purpose for which it was collected, or for a secondary purpose if an exception applies (e.g., consent or the individual’s reasonable expectations).
- Direct marketing (APP 7): Organizations using tracking pixels for targeted online advertising must comply with APP 7, including providing individuals with a simple way to opt out.
- Transparency obligations (APPs 1 and 5): Organizations must be transparent about their use of tracking pixels, including providing clear information in their privacy policy and notifying individuals about the collection and use of their personal information.
What steps should organizations take before deploying tracking pixels?
Before deploying a third-party tracking pixel, organizations should:
- Conduct due diligence: Review the terms and conditions of the third-party provider, understand the pixel’s configuration options, and ensure the provider has adequate data protection processes.
- Adopt a privacy-by-design approach: Conduct a Privacy Impact Assessment (PIA) to identify potential privacy risks and mitigation strategies.
- Configure the pixel appropriately: Limit data collection to the minimum necessary and avoid collecting sensitive information without explicit consent.
- Ensure lawful and fair collection: Be transparent about the use of tracking pixels and ensure individuals are aware of data collection practices.
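The "configure the pixel appropriately" step above is usually implemented as a filtering layer between the website's own event data and the third-party pixel, so that form fields and sensitive categories never reach the provider and an opt-out stops transmission entirely. The following is an added illustration written for this article, not code from the OAIC guidance or from any pixel provider; the field allowlist, the sensitive-key patterns, the consent record shape and the function names (minimizeEvent, buildPixelPayload, runSample) are all assumptions, and the sample event is constructed.

```javascript
// Added example (not from the OAIC guidance or the article): a data-minimization
// layer that sits between a website's event data and a third-party tracking pixel.
// All names and the field lists below are hypothetical assumptions for illustration.

// Allowlist of non-identifying event fields the pixel is permitted to receive (assumed).
const ALLOWED_EVENT_FIELDS = new Set(["event", "page", "currency", "value", "item_count"]);

// Keys that look like directly identifying or sensitive information and are always
// dropped, even if someone later adds them to the allowlist (hypothetical keyword list).
const BLOCKED_KEY_PATTERNS = [
  /^(name|first_name|last_name|email|phone|address|dob)$/i,
  /health|religio|ethnic|sexual|biometric|union/i,
];

// Keep only allowlisted, non-sensitive fields; report what was removed so the
// decision can be logged for a privacy impact assessment or a periodic review.
function minimizeEvent(rawEvent) {
  const payload = {};
  const dropped = [];
  for (const [key, value] of Object.entries(rawEvent)) {
    const blocked = BLOCKED_KEY_PATTERNS.some((pattern) => pattern.test(key));
    if (ALLOWED_EVENT_FIELDS.has(key) && !blocked) {
      payload[key] = value;
    } else {
      dropped.push(key);
    }
  }
  return { payload, dropped };
}

// consent is a hypothetical record such as { marketing: true }. If the individual has
// opted out of direct marketing (APP 7), nothing is sent at all; otherwise the
// minimized payload is returned for the pixel to transmit (APP 3 data minimization).
function buildPixelPayload(rawEvent, consent) {
  if (!consent || consent.marketing !== true) {
    return null;
  }
  return minimizeEvent(rawEvent);
}

// Constructed sample event: a checkout form submission that mixes transaction data
// with directly identifying fields typed into the form.
const SAMPLE_EVENT = {
  event: "purchase",
  page: "/checkout",
  currency: "AUD",
  value: 129.95,
  item_count: 2,
  name: "Sample Person",
  email: "sample@example.invalid",
  phone: "+61 400 000 000",
  health_condition: "constructed value",
};

// Runs the sample through the layer with marketing consent granted.
function runSample() {
  return buildPixelPayload(SAMPLE_EVENT, { marketing: true });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

In practice the `dropped` list is worth writing to an internal audit log (never to the provider), because it shows which fields the site tried to send and supports the "regular reviews" the guidance recommends.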
How can organizations demonstrate transparency when using tracking pixels?
Organizations can demonstrate transparency by:
- Including clear information in their privacy policy: Detail the use of tracking pixels, the types of data collected, and the purposes for which the information is used.
- Providing notifications to individuals: Inform users about data collection through clear and concise banners or pop-ups on their websites.
- Offering opt-out mechanisms: Allow individuals to easily opt out of data collection for direct marketing or other purposes.
What are the potential consequences of non-compliance?
Failing to comply with privacy obligations related to tracking pixels can lead to various consequences, including:
- Breaches of the Privacy Act resulting in potential fines and reputational damage.
- Breach of contract with the third-party provider if the organization fails to meet the provider’s terms and conditions.
- Loss of trust and negative impact on customer relationships due to a lack of transparency and potential misuse of personal information.
What else should organizations consider?
In addition to the steps above, consider the following:
- Regular reviews: Conduct ongoing reviews of tracking technologies to ensure their continued compliance with evolving privacy obligations.
- Consider alternatives: Explore alternative marketing approaches that might be more privacy-protective.
- Stay informed: Keep up-to-date with changes in privacy laws and best practices related to tracking technologies.
By following the steps outlined above, organizations can use tracking pixels in a way that respects privacy and complies with Australian law.