Skip to main content

Please be advised that our office will be closed from 5pm – Tuesday, 24 December, and will reopen on Thursday, 2 January 2025.

Published:  

The Office of the Australian Information Commissioner (OAIC) has released guidance for private sector organisations to ensure they meet their obligations under the Australian Privacy Act when using third-party tracking pixels on their website.

Publication of the guidance responds to industry demand for greater detail on the application of the Privacy Act to tracking technologies, as well as interest in the topic across government, media and the community.

Many social media companies and other digital platforms offer tracking pixels. A tracking pixel is a piece of code generated by a third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.

Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms. They can be important to business for analysis, advertising and measurement of return on investment.

“However, many of these tracking tools are harmful, invasive and corrosive of online privacy,” Australian Privacy Commissioner Carly Kind said.

“This is a real concern in the community with our Australian Community Attitudes to Privacy Survey 2023 finding that 69% of adults did not think it fair and reasonable that their personal information was used for online tracking, profiling and targeted advertising, with that rising to 89% when material was targeted at children.”

The guidance makes clear that it is the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it is configured and used in a way that is compliant with the Privacy Act.

Before deploying a third-party pixel, organisations should ensure they understand how the product works, identify the potential privacy risks involved and implement measures to mitigate those risks, and not adopt a ‘set and forget’ approach.

Failing to conduct appropriate due diligence can create a range of privacy compliance and other legal risks.

Consistent with the OAIC’s recent guidance on the use of generative AI products, the OAIC is seeking to expand its range of guidance for organisations so that they can continue to grow their businesses while meeting privacy obligations in a way that builds community trust.