Purpose
This guidance sets out general considerations for private sector organisations that use third-party tracking pixels on their websites.[1] It does not cover all privacy issues and obligations in relation to the use of tracking pixels. Organisations should consider this guidance together with the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles guidelines.
Key points
- The Privacy Act does not prohibit the use of tracking pixels. However, organisations that deploy third-party tracking pixels on their websites should conduct appropriate due diligence to ensure they are used in a way that is compliant with the Privacy Act and the Australian Privacy Principles (APPs).
- Organisations should adopt a data minimisation approach and ensure that pixels are configured to limit the collection of personal information to the minimum amount necessary in the circumstances (APP 3).
- Organisations must generally ensure that sensitive information is not disclosed to third-party platforms through tracking pixels. Sensitive information must only be collected with an individual’s consent (APP 3).
- Collecting personal information covertly without the knowledge of the individual is likely to be an unfair means of collection (APP 3). Organisations must ensure their privacy policies and notifications contain clear and transparent information about the use of third-party tracking pixels (APPs 1 and 5).
- Organisations must ensure that any personal information disclosed to third-party providers through tracking pixels is for the primary purpose for which it was collected, or for a secondary purpose if an exception applies (APP 6).
- If personal information collected via a tracking pixel will be sent overseas by the third-party provider, an organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (unless an exception applies) (APP 8).
- Organisations must comply with the direct marketing obligations under APP 7 when using tracking pixels to target individuals with online ads, which includes providing individuals with a simple means to opt out.
- Organisations should conduct regular, ongoing reviews of the tracking technologies deployed on their website to ensure their use remains appropriate and complies with privacy obligations.
What is a tracking pixel?
Many social media companies and other digital platforms offer tracking pixels. A tracking pixel is a piece of code generated by the third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.
There are different types of tracking pixels that can be used for a variety of purposes. For example, pixels can be used to analyse website traffic (e.g. which pages are visited, time spent on a page and user demographics), to target ads to individual users on third-party platforms, and to measure the success of advertising campaigns. Pixel providers typically offer a dashboard or interface where organisations can track, test and change their pixel settings.[2]
How a tracking pixel works (figure):
- The user visits a website with the pixel installed.
- The pixel loads and collects data about the user's activity (form inputs, IP address, geolocation, items viewed, cart additions, URL information).
- The pixel transmits that data to the social media platform.
- The social media platform matches the pixel data with data about its existing users.
- The user leaves the website and visits the social media platform.
- The user receives targeted ads and content from the website on the social media platform.
Privacy obligations
Organisations will have privacy obligations in relation to their use of tracking pixels where it results in the collection, use and disclosure of personal information.
The 13 APPs in the Privacy Act set out legally binding obligations for APP entities when handling personal information and sensitive information.
‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable. The term ‘personal information’ encompasses a broad range of information which may include technical and inferred information depending on the circumstances.[3]
Individuals do not necessarily need to be identified from the specific information being handled to be ‘reasonably identifiable’ under the Privacy Act. An individual can be ‘reasonably identifiable’ where the information collected through a third-party tracking pixel (such as an IP address, URL information, or a hashed email address) can be linked or matched with other information held by the third-party platform. In these circumstances, both the organisation and the third-party platform will have privacy compliance obligations in relation to this information.
Types of personal information
Types of information collected by tracking pixels that may be personal information for the purposes of the Privacy Act include:
- Form inputs such as name, address, date of birth, email address and phone number
- Transaction data such as items viewed and cart additions
- Network information (such as IP address) and geolocation data
- URL information
- Other activity data such as pages visited, content viewed and session duration.
Key consideration
It may not always be clear whether the data collected and disclosed through a tracking pixel is personal information for the purposes of the Privacy Act. Given the potential privacy risks and significant community concern about the use of tracking technologies, the OAIC strongly encourages organisations to err on the side of caution and comply with the Privacy Act when using third-party tracking pixels on their website.
Before deploying tracking pixels
It is the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it is configured and used in a way that is compliant with the Privacy Act.
Before deploying a third-party pixel, organisations should ensure they understand how the product works, identify the potential privacy risks involved and implement measures to mitigate those risks.
Organisations should be mindful that many third-party pixel providers offer non-negotiable terms and conditions that place responsibility for compliance with relevant laws on the pixel customer (i.e. your organisation). Before entering into a contract with a third-party pixel provider, an organisation should review the terms of the agreement to understand its obligations and make sure the third party has appropriate processes in place to protect personal information and comply with any obligations it has under the Privacy Act. Organisations should also ensure they stay up to date with any changes to the terms of the agreement, which may alter the steps your organisation needs to take to ensure compliance with privacy obligations.
Failing to conduct appropriate due diligence can create a range of privacy compliance and other legal risks (e.g. breach of contract if an organisation acts inconsistently with the terms and conditions of use).
Due diligence for tracking pixels should not amount to a ‘set and forget’ approach. To ensure compliance with privacy obligations, organisations should conduct regular reviews of the tracking technologies deployed on their website to ensure they are configured appropriately, and that their ongoing use remains reasonable and necessary in the circumstances.
Adopting a privacy by design approach
Organisations should adopt a ‘privacy by design’ approach to their use of third-party tracking pixels.[4] A Privacy Impact Assessment (PIA) will assist organisations to adopt a privacy by design approach and comply with APP 1.2.[5]
A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. There is real community concern about the use of online tracking technologies and a PIA would help to demonstrate an organisation’s commitment to, and respect of, individuals’ privacy.[6]
This guidance highlights some key privacy considerations for organisations seeking to deploy third-party tracking pixels. A PIA will assist organisations to conduct a holistic assessment of the privacy risks and impacts throughout the information lifecycle.
Key considerations
Some questions that organisations should ask about third-party tracking pixels to assist with conducting a PIA include, but are not limited to:
- What information will be collected by the tracking pixel (for example, will sensitive information be collected)? How can the pixel be configured to prevent or minimise the collection and disclosure of personal information?
- How will the third-party provider use and disclose the personal information? Will the third-party provider use the data for their own commercial purposes or share it with other entities?
- Will the information be sent overseas? If so, to what countries?
- How will the information be secured and how long will it be retained?
- Does the third-party provider have appropriate processes in place to protect personal information and comply with any obligations it has under the Privacy Act?
The OAIC has developed resources to assist organisations to undertake PIAs in relation to new or updated projects. See the OAIC’s PIA Guide and PIA tool.
Collection of personal information (APP 3)
The collection of personal information for the purposes of pixel usage is permissible where the collection is reasonably necessary for your organisation’s functions or activities (APP 3.2) and the other APP obligations outlined below are met.
What is reasonably necessary is an objective test based on whether a reasonable person who is properly informed would agree that the collection is necessary. A key factor in determining whether a collection of personal information is reasonably necessary for a function or activity includes whether the entity could undertake the function or activity without collecting that personal information, or by collecting a lesser amount of personal information.[7]
It is your organisation’s responsibility to be able to justify that a particular collection is reasonably necessary. See Chapter 3: APP 3 Collection of solicited personal information in the APP Guidelines for more information.
Key consideration
Organisations could consider whether there are other methods of reaching customers for marketing purposes that may be more privacy protective and more acceptable to the community. For example, an organisation could use first-party data to market to individuals via more direct channels, such as email, where the individual has clearly consented or would otherwise expect the business to send them marketing materials.
Ensuring the pixel is configured appropriately
Before deploying a third-party tracking pixel, organisations should identify the types of data that will be collected and how it will be used and shared.[8] Many third-party pixel providers enable business users to set custom parameters or configure the types of data that will be collected and disclosed to the third-party provider.
Organisations should adopt a data minimisation approach and ensure that pixels are configured to limit the collection of personal information to the minimum amount of personal information that is reasonably necessary in the circumstances.
Key consideration
Organisations should configure pixels to collect and share the minimum amount of data. Organisations should consider deploying the pixel only on certain webpages rather than the entire website, to limit the data transmitted to third-party platforms.
Sensitive information
Sensitive information is personal information that includes information or an opinion about an individual’s racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, and health information.
Sensitive information is generally afforded a higher level of privacy protection under the APPs in recognition of the adverse consequences that may result for individuals if it is handled inappropriately.
Before deploying a tracking pixel, organisations must consider whether activity on their website could result in the collection of sensitive information. For example, a pixel may collect and disclose information during a flight booking that could reveal sensitive information about an individual (such as making a special assistance request for a hearing impairment which could constitute health information). An individual may also reveal sensitive information about themselves solely by visiting a website, for example, a website providing mental health or counselling services.[9]
Under APP 3.3, an organisation must only collect sensitive information with the individual’s consent and where it is reasonably necessary for its functions or activities.[10] The exceptions to obtaining consent in APP 3.4 are unlikely to apply in circumstances where sensitive information is collected using third-party tracking pixels for commercial purposes.
An organisation should generally seek express opt-in consent from an individual if their sensitive information is likely to be collected and disclosed to third-party platforms through a tracking pixel. Opt-out mechanisms are a type of implied consent. It is only appropriate to infer consent from an opt-out mechanism in limited circumstances.[11]
The OAIC expects that sensitive information would only be shared through third-party tracking pixels in limited circumstances. Organisations should generally ensure pixels are configured to prevent the collection and disclosure of sensitive information about website users. Organisations should also be mindful that many third-party providers prohibit pixel users from sharing sensitive information with them as part of their terms and conditions of use.
In circumstances where sensitive information could be revealed about an individual solely by visiting a website, organisations should consider whether the use of any third-party tracking pixels is appropriate. To mitigate privacy risks, it may be preferable to avoid the use of third-party tracking pixels in these circumstances.
Key consideration
Organisations should consider whether the data collected via a tracking pixel constitutes sensitive information. Pixels should be configured to avoid the disclosure of sensitive information to third-party platforms. Sensitive information should only be collected through a tracking pixel with an individual’s express consent.
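The configuration and sensitive-information points above can be enforced in the website's own code rather than left to the pixel's defaults. The following is an added example, not OAIC guidance text or any pixel provider's SDK: a small gatekeeper that only lets the pixel fire on an allow-list of pages, never on pages whose mere visit could reveal sensitive information, only when the visitor has not opted out, and that strips each event down to an allow-list of fields so form inputs, email addresses and health-related answers are withheld by default. Every path, field name and sample event in it is assumed for illustration.

```javascript
// Added example (not OAIC's code, nor any pixel provider's SDK): a thin
// gatekeeper a website places between its page logic and a third-party
// tracking pixel. All paths, field names and events are assumed.

const PIXEL_POLICY = {
  // The pixel may load on these pages only, not the whole site.
  allowedPaths: ['/products/', '/cart', '/checkout/confirmation'],
  // Visiting these pages could itself reveal sensitive information; never fire here.
  sensitivePaths: ['/counselling/', '/special-assistance/'],
  // The only event fields that may reach the third-party platform. Note that
  // form inputs, email (hashed or not) and free-text answers are absent.
  allowedFields: ['event', 'page', 'content_ids', 'currency', 'value'],
};

// Decide whether the pixel script may run on this page at all.
function shouldLoadPixel(path, policy = PIXEL_POLICY) {
  if (policy.sensitivePaths.some((p) => path.startsWith(p))) return false;
  return policy.allowedPaths.some((p) => path.startsWith(p));
}

// Reduce an event to the allow-listed fields and report what was withheld,
// so a periodic review can see what the site would otherwise have disclosed.
function minimiseEvent(rawEvent, policy = PIXEL_POLICY) {
  const payload = {};
  const withheld = [];
  for (const [key, value] of Object.entries(rawEvent)) {
    if (policy.allowedFields.includes(key)) payload[key] = value;
    else withheld.push(key);
  }
  return { payload, withheld };
}

// Full decision for one page view: opt-out/consent -> page check -> minimisation.
// `consent.advertising` is false until the visitor agrees, or once they opt out.
function preparePixelCall({ path, consent, rawEvent }, policy = PIXEL_POLICY) {
  if (!consent || consent.advertising !== true) {
    return { send: false, reason: 'visitor has not consented or has opted out' };
  }
  if (!shouldLoadPixel(path, policy)) {
    return { send: false, reason: 'pixel not permitted on this page' };
  }
  const { payload, withheld } = minimiseEvent(rawEvent, policy);
  return { send: true, payload, withheld };
}

// Constructed sample: a purchase confirmation where the booking form also
// carried a special-assistance request (health information), an email
// address and a date of birth. None of those may reach the platform.
const sampleView = {
  path: '/checkout/confirmation',
  consent: { advertising: true },
  rawEvent: {
    event: 'Purchase',
    page: '/checkout/confirmation',
    content_ids: ['SKU-123'],
    currency: 'AUD',
    value: 89.0,
    email: 'user@example.com',
    assistance_request: 'hearing impairment',
    date_of_birth: '1990-01-01',
  },
};

const sampleDecision = preparePixelCall(sampleView);
console.log(JSON.stringify(sampleDecision, null, 2));
```

The `withheld` list is worth logging locally (never to the platform) and reviewing during the regular pixel reviews the guidance calls for, since a growing list usually means a form or page has started passing data the policy was never meant to cover.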
Collecting by lawful and fair means
Under APP 3.5, an organisation must only collect personal information by ‘lawful and fair means.’ A ‘fair means’ of collection is one that is not unreasonably intrusive. Whether a collection occurs by unfair means will depend on the circumstances. For example, it would usually be unfair to collect personal information covertly without the knowledge of the individual.
By design, tracking pixels are ‘invisible’ to individuals, meaning individuals will often not be aware that their data is being collected and that their activity is being tracked. In these circumstances, it is important that organisations are clear and transparent about their use of third-party tracking pixels (see below for further information).
Use and disclosure of personal information (APP 6)
Organisations will need to ensure they comply with APP 6 in relation to the use and disclosure of personal information through tracking pixels.[12] Before deploying third-party tracking pixels, organisations should clearly understand how the third-party platform will use and disclose the information it receives.
APP 6 does not apply to the use or disclosure of personal information for the purposes of direct marketing, which is covered by APP 7 (see below).
APP 6 requires entities to only use or disclose personal information for the primary purpose for which it was collected, unless they have consent or can establish the secondary use or disclosure would be reasonably expected by the individual, and is related (or directly related, for sensitive information) to the primary purpose.
If an organisation is seeking to rely on consent for the use and disclosure of personal information, it should generally obtain express opt-in consent. It is only appropriate to infer consent from an opt-out mechanism in limited circumstances.[13]
Whether an individual would reasonably expect the use or disclosure of their personal information is an objective test which has regard to what a reasonable person, properly informed, would expect in the circumstances. A secondary use or disclosure may be within an individual’s reasonable expectations if it was expressly outlined in a notice at the time of collection and in an organisation’s privacy policy (see more information about transparency obligations below).
Organisations must also consider whether personal information collected via a tracking pixel will be sent overseas by the third-party provider. In these circumstances, an organisation must take reasonable steps under APP 8 to ensure that the overseas recipient does not breach the APPs (unless an exception applies) before deploying tracking pixels on its website. For more information, see Chapter 8: APP 8 Cross-border disclosure of personal information in the APP Guidelines.
Direct marketing (APP 7)
APP 7 applies to organisations that use or disclose personal information for direct marketing.[14] It does not apply to direct marketing communications covered by the Do Not Call Register Act 2006 or the Spam Act 2003.
This means that APP 7 will apply to targeted online advertising using an individual’s personal information. If an organisation is using or disclosing personal information using a third-party tracking pixel to target individuals with ads on third-party platforms, it must comply with APP 7.
This means that organisations must:
- only use or disclose personal information where the individual would reasonably expect the organisation to use or disclose the personal information for direct marketing
- provide individuals with a simple way to request not to receive direct marketing communications from the organisation, and
- if an individual asks, stop using or disclosing their personal information for direct marketing.[15]
An individual may reasonably expect their personal information to be used or disclosed for direct marketing purposes if they have consented, or if they have been notified about the use or disclosure of their personal information for these purposes. Organisations may only use or disclose sensitive information for direct marketing purposes with the individual’s consent (APP 7.4).
Organisations should enable website users to opt out of receiving targeted online ads that rely on tracking pixels. For example, an organisation could deploy a banner or pop-up when a user first visits a website which gives notice of the use of third-party tracking pixels for marketing or advertising purposes and allows the user to opt out.
Key considerations
Organisations must comply with APP 7 when using third-party tracking pixels to target individuals with online advertising, and must provide individuals with a simple way to opt out.
Transparency obligations (APPs 1 and 5)
Organisations must be transparent about the collection, use and disclosure of personal information using third-party tracking pixels.
Organisations are required to have a clearly expressed and up-to-date privacy policy about their management of individuals’ personal information (APP 1.3). APP 1.4 sets out the matters that must be addressed in an organisation’s privacy policy. Organisations should clearly disclose their use of third-party tracking pixels in their privacy policy, including the kinds of personal information collected by the pixel and the purposes for which the information is handled.
A privacy policy is not meant to be a substitute for notification requirements under APP 5. APP 5 also requires an organisation that collects personal information to take reasonable steps to notify an individual of certain matters or to ensure the individual is aware of those matters. Reasonable steps must be taken at or before the time of collection, or as soon as practicable after.
Organisations should notify individuals of their use of third-party tracking pixels to collect and disclose personal information, and other matters listed in APP 5.2 as are reasonable in the circumstances. This may include the third-party pixel providers that the organisation usually discloses personal information to, and any overseas recipients.
An individual may be notified or made aware of APP 5 matters through a variety of formats, provided the matters are expressed clearly. This could include via a banner or pop-up when an individual visits a website which notifies a visitor of the use of tracking pixels, with links to further privacy information on an organisation’s website.
For more information, see Chapter 1: APP 1 Open and transparent management of personal information and Chapter 5: APP 5 Notification of the collection of personal information in the APP Guidelines.
Key considerations
An organisation must ensure its privacy policy and collection notices contain clear and transparent information about the use of third-party tracking pixels to collect, use and disclose personal information.
Additional resources
- Australian Privacy Principles guidelines
- Guide to developing an APP privacy policy
- Guide to undertaking privacy impact assessments
- Privacy impact assessment tool
- Undertaking a privacy impact assessment (eLearning course)
- Direct marketing
- Sending personal information overseas
[1] Tracking pixels may also be used in apps, emails and other digital channels. This guidance note primarily refers to the use of tracking pixels on websites. Organisations should still consider the information in this guidance when seeking to deploy tracking pixels through other channels.
[2] Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking
[3] For more information, see ‘What is personal information?’.
[4] ‘Privacy by design’ is a process for embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructure. See Privacy by design.
[5] APP 1.2 requires organisations to take reasonable steps to implement practices, procedures and systems to ensure the organisation complies with the APPs, and is able to deal with related enquiries and complaints. For more information, see Chapter 1: APP 1 Open and transparent management of personal information.
[6] The OAIC’s Australian Community Attitudes to Privacy Survey 2023 found that the majority of Australians believe the following practices are unfair and unreasonable: online tracking, profiling and targeted advertising to children (89%); online tracking, profiling and targeted advertising to vulnerable individuals (88%); online tracking, profiling and targeted advertising to adults based on personal (but not sensitive) information (69%); and targeted advertising based on sensitive information (84%).
[7] See Chapter 3: APP 3 Collection of solicited personal information. See also Commissioner initiated investigation into 7-Eleven Stores Pty Ltd (Privacy) (Corrigendum dated 12 October 2021) [2021] AICmr 50 (29 September 2021) (austlii.edu.au).
[8] Website Privacy Controls | New York State Attorney General (ny.gov)
[9] Personal information includes opinions or inferences drawn about people, whether or not these are accurate. The definition of personal information already contemplates inferences by seeking to cover ‘opinions’, ‘whether true or not’ about an individual.
[10] Consent means express or implied consent (s 6(1) of the Privacy Act). More information about the four key elements of consent is available in Chapter B: Key concepts.
[11] See Chapter B: Key concepts.
[12] Further information about APP 6 requirements and exceptions is in the APP Guidelines at Chapter 6: APP 6 Use or disclosure of personal information.
[13] See Chapter B: Key concepts.
[14] Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods or services.
[15] This guidance outlines the requirements under APP 7 where the personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used or disclosed for the purpose of direct marketing (APP 7.2). APP 7 contains additional requirements in circumstances where the personal information has been collected from a third party, or from the individual directly but the individual does not have a reasonable expectation that their personal information will be used or disclosed for the purpose of direct marketing (APP 7.3). See Chapter 7: APP 7 Direct marketing.