November, 2024

Privacy regulator releases update for brands, publishers on tracking pixels, use of cleanrooms and data matching – then fines begin

What you need to know:

  • The Office of the Australian Information Commissioner (OAIC) has released fresh advice on tracking pixels, emphasising due diligence, data minimisation, and clear user consent.
  • Some companies using data matching, hashed emails and cleanrooms are likely to be in breach of current privacy law, according to privacy experts.
  • The new guidelines are part of a broader shift towards transparent data practices, with regular reviews and enhanced user controls mandated to protect consumer privacy.
  • New privacy legislation will grant the OAIC direct fining power, with penalties reaching $330,000 for administrative breaches and $66,000 for infringement notices.
  • While the current Privacy Act does not ban tracking pixels – used by publishers and brands alongside cookies and tags – it does require firms to ensure compliance through thorough due diligence and minimal data collection practices.
  • Explicit opt-in consent is required for any sensitive data collected through tracking pixels, including health information and racial background. Transparency is essential: businesses must clearly inform users of their data practices, ideally via updated privacy policies and in-website notices.
  • Organisations are also encouraged to regularly review tracking technology compliance, moving away from a “set and forget” approach.
  • Privacy experts warn that brands must address these guidelines urgently, with new compliance challenges emerging as third-party cookies are phased out.

If I can get one message out it’s don't take your foot off the gas, because we're going to be looking to take a more enforcement-based approach to regulation in the interim, even notwithstanding those reforms.

Carly Kind, Australian Privacy Commissioner in an Mi3 podcast last month

Enforcement notice

New advice about tracking pixels released Monday by the Office of the Australian Information Commissioner urges brands to focus on due diligence, data minimisation, and obtaining clear user consent and stresses the need to balance data collection needs with stringent privacy obligations. The new guidelines underscore a shift toward more transparent data practices, requiring regular reviews and enhanced user controls to safeguard consumer privacy.

Tracking pixels have become a cornerstone of gathering user data and delivering targeted advertising. But they now represent a significant regulatory burden around privacy and have been a central issue of new legislation.

The first tranche of new privacy laws introduced into Parliament makes it easier for the OAIC to fine brands for privacy transgressions, and those fines will sting: $330,000 for basic administrative breaches and $66,000 for infringement notices. The OAIC will be able to impose them directly, without needing to go to court for approval.

The new advice is based on current laws. But even without the new powers likely to come with the second tranche of privacy legislation, regulators like Privacy Commissioner Carly Kind are already adopting a more aggressive stance. As Kind last month told Mi3: “It’s really important for me to get the message to your audience that, notwithstanding the privacy reforms … our office is taking a slightly different approach than we have historically.”

“Part of that is about putting more [information] out for entities, but also being more enforcement-focused than we have been historically.”

Kind underlined that the regulator has plenty to get its teeth into under the current Privacy Act – because a lot of companies are likely already in breach even if they haven’t realised that yet.

“If I can get one message out it’s don’t take your foot off the gas, because we’re going to be looking to take a more enforcement-based approach to regulation in the interim, even notwithstanding those reforms.”

She specifically called out tracking pixels as within the regulator’s crosshairs, and flagged potential probes for loyalty programs, data enrichment and data broking businesses, as well as use of location data.

When we audit sites, we consistently uncover sensitive data being collected through mechanisms that standard privacy assessments miss completely – health conditions revealed in search queries, religious preferences in URL parameters, personal details in abandoned form data, all being shared with dozens of third parties without proper governance.

Chris Brinkworth, Managing Partner, Civic Data

What’s next

The first tranche of Privacy Act reform focuses on four key things: A new statutory tort (a legal framework which governs civil wrongs) to address serious invasions of privacy; development of Australia’s first Children’s Online Privacy Code to better protect children from online harms (with $3m extra for the OAIC to do it); greater transparency around automated decision making (ADM) practices including upfront privacy notice changes; and stronger enforcement and penalties to hinder doxing, or the practice of maliciously releasing significant personal information online.

In his speech introducing the legislation, Australia’s Attorney-General Mark Dreyfus said, “The vast data flows that underpin digital ecosystems have also created the conditions for significant harms, like major data breaches that have revealed the sensitive information of millions of Australians, exposing us to the risk of identity fraud and scams. Strong privacy laws and protections are critical to building public trust and confidence in the digital economy and driving the investments needed to keep people’s data safe.”

If it is re-elected, the federal government plans to proceed with a second tranche of privacy reforms. The Privacy Commissioner said her “hunch” is that these will likely land next year, once the election is out of the way.

New guidance

Within the new guidance, called Tracking pixels and privacy obligations, the OAIC notes, “The Privacy Act does not prohibit the use of tracking pixels. However, organisations that deploy third-party tracking pixels on their websites should conduct appropriate due diligence to ensure they are used in a way that is compliant with the Privacy Act and the Australian Privacy Principles (APPs).”

“Organisations should adopt a data minimisation approach and ensure that pixels are configured to limit the collection of personal information to the minimum amount necessary in the circumstances.”

Responding on LinkedIn yesterday, Helios Privacy Partner Anna Johnston described the new advice as “critical”, noting that “…tools and pseudonyms commonly used for data-matching (eg hashed emails) constitute PI (personal information), so you can’t sidestep your privacy obligations by using them.”

In a data matching context, Johnston said individuals didn’t need to be identified from the “specific information being handled” to be deemed “reasonably identifiable” under the current Privacy Act. “An individual can be ‘reasonably identifiable’ where the information collected through a third party tracking pixel (eg an IP address, URL information or a hashed email address) is able to be linked or matched with other information held by the third party platform,” Johnston said. “In these circumstances, both the organisation and the third-party platform will have privacy compliance obligations in relation to this information.”
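Johnston’s point about hashed emails can be shown mechanically. What follows is an added example written for this article, not code from the OAIC, Johnston or any vendor: it normalises and SHA-256 hashes email addresses the way match uploads and cleanrooms typically do, joins two parties’ lists on the resulting tokens, and then shows that anyone holding a candidate list can map the tokens straight back to addresses. The sample addresses are constructed, and the trim-and-lower-case normalisation rule is an assumption (vendor rules differ).

```python
import hashlib
from typing import Optional

# Constructed sample data for this example (not from the article): a brand's CRM
# export and an ad platform's own user list. Same people, different casing/spacing.
BRAND_CRM = ["Alice.Smith@Example.com", " bob@example.org ", "carol@example.net"]
PLATFORM_USERS = ["alice.smith@example.com", "dave@example.org", "BOB@example.org"]


def normalise(email: str) -> str:
    """Canonicalise an address before hashing. Trim and lower-case is the vendor
    rule assumed here; Gmail-style dot/plus stripping is left out on purpose
    because vendors disagree on it."""
    return email.strip().lower()


def hashed_email(email: str) -> str:
    """Unsalted SHA-256 of the normalised address. It is deterministic, so every
    party applying the same rule derives the same token for the same person;
    that is what makes it a join key rather than an anonymiser."""
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def match_audiences(brand: list, platform: list) -> list:
    """Join two lists on hashed email, as a cleanroom or match upload would.
    Returns (brand_record, platform_record) pairs for every matched person."""
    brand_tokens = {hashed_email(e): e for e in brand}
    platform_tokens = {hashed_email(e): e for e in platform}
    return sorted((brand_tokens[t], platform_tokens[t])
                  for t in brand_tokens.keys() & platform_tokens.keys())


def reverse_by_dictionary(tokens: list, candidates: list) -> dict:
    """A token is only as hidden as its input space. Anyone holding a list of
    candidate addresses (a CRM, a breach dump) hashes them and looks tokens up.
    Returns token -> recovered address, or None when the token is not covered."""
    lookup = {hashed_email(c): normalise(c) for c in candidates}
    return {t: lookup.get(t) for t in tokens}


if __name__ == "__main__":
    for pair in match_audiences(BRAND_CRM, PLATFORM_USERS):
        print("matched across parties:", pair)
    token = hashed_email("BOB@example.org")
    print("token reversed from candidate list:", reverse_by_dictionary([token], BRAND_CRM))
```

Two of the three CRM records match the platform list despite differing case and whitespace, which is exactly why the token links rather than hides a person; and the reversal step shows that the hash gives no protection against a party that already holds the addresses, which the third-party platform usually does.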

Among the other key takeaways from this week’s new advice:

  • Consent is non-negotiable for sensitive data: Sensitive information—such as health details or racial background—should not be collected via tracking pixels without explicit consent. The OAIC says that generally businesses must seek express opt-in consent from users if sensitive information is likely to be collected. This is a significant shift for marketers accustomed to more lenient practices.
  • Transparency is key: Organisations must be transparent about their data collection practices. This includes having a clear and up-to-date privacy policy that informs users about how their data will be used. Additionally, businesses should notify users about the use of tracking pixels when they visit their websites, ideally through a banner or pop-up that provides further privacy information.
  • Regular reviews are necessary: The OAIC encourages organisations to regularly review their tracking technologies to ensure compliance with privacy obligations. This isn’t a “set and forget” situation; ongoing assessment is vital to adapt to changing regulations and technologies.
  • Direct marketing compliance: When using tracking pixels for targeted advertising, businesses need to comply with the direct marketing obligations stated in the Australian Privacy Principles (APPs). This means providing users with an easy way to opt out of targeted advertising campaigns.

IAB Australia chief Gai Le Roy welcomed the updated advice, “The new guidance from the OAIC is a helpful clarification on the use of tracking pixels and points out that while the use of tracking pixels is not prohibited, it is the responsibility of organisations to make sure that they comply with the law when they use them – that includes being transparent about their use in privacy policies and notifications, and complying with other requirements around data minimisation and getting consent for sensitive information, amongst others.”

Risky business

Privacy specialists suggest brands and publishers heed the warnings rather than risk botched attempts at compliance.

“This isn’t something you can assess with standard compliance tools or general IT knowledge,” said Chris Brinkworth, managing partner at consultancy Civic Data, pointing to the technical complexity of reconciling the use of tracking pixels with privacy obligations.

“A single tracking pixel can transmit sensitive information through multiple mechanisms – from URL structures revealing health conditions to form inputs capturing personal details before submission, often without proper consent or documentation.”

Brinkworth said Civic Data’s audits suggest widespread problems and breaches. He cited one recent example where a brand had 14 different tag management systems operating simultaneously on a single website.

“Sometimes external parties [can] still have access but there are no records of who has that access to deploy pixels or why.”

According to Brinkworth, “We consistently uncover sensitive data being collected through mechanisms that standard privacy assessments miss completely – health conditions revealed in search queries, religious preferences in URL parameters, personal details in abandoned form data, all being shared with dozens of third parties without proper governance. This isn’t theoretical – it’s happening right now across Australian digital properties, which is why the OAIC has picked up on this.”

He said uncertainty over third-party cookies has often led firms to make poor choices in seeking out alternatives.

“Organisations have rushed to adopt alternative tracking technologies suggested by their vendor and agency partners without fully understanding the privacy implications. Marketing teams unknowingly implement sophisticated solutions like CNAME cloaking based on advice from media agencies, while IT teams deploy tag management systems suggested by analytics partners. Meanwhile, privacy teams are trying to document it all using basic scanning tools.”

(CNAME cloaking emerged five years ago. The site operator creates a subdomain under its own domain and gives it a DNS CNAME record pointing at the tracking vendor’s server, so the browser treats the tracker’s requests and cookies as first-party even though the data goes to a third party. It is basically a means of disguising third-party trackers as first-party ones, and it sidesteps the blocklists and third-party cookie restrictions that would otherwise catch them.)
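The two problems Brinkworth describes, sensitive values riding along in pixel requests and CNAME-cloaked trackers that basic scanners classify as first-party, can be checked together. The following is an added example written for this article, not code from Civic Data, the OAIC or any scanning product: given a page URL and a pixel request URL, it follows a constructed CNAME map to decide whether the pixel is first-party, third-party or CNAME-cloaked, and flags sensitive page-URL parameters the pixel forwards to the vendor. The hostnames (under the reserved .test TLD), the CNAME records, the cut-down public-suffix set and the sensitive-term heuristics are all assumptions for the example; a real audit would resolve DNS live and load the Public Suffix List.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed DNS view (assumption, not real records). metrics.brand.test looks
# first-party but CNAMEs, via a customer-specific vendor name, to the tracker.
CNAME_RECORDS = {
    "metrics.brand.test": "brand.collect.tracker.test",
    "brand.collect.tracker.test": "edge.tracker.test",
}
# Tiny stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"test", "com.au", "au"}
# Heuristics for what counts as sensitive in a query string (assumption).
SENSITIVE_PARAMS = {"condition", "diagnosis", "religion", "faith"}
SENSITIVE_TERMS = ("diabetes", "hiv", "insulin", "pregnan", "cancer", "mosque", "church")
# Pixel parameters that commonly carry the full page URL to the vendor.
URL_CARRYING_PARAMS = {"dl", "url", "u", "ref", "referrer", "page"}


def registrable_domain(host: str) -> str:
    """Longest matching public suffix plus one label (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def resolve_cname(host: str, max_hops: int = 8) -> str:
    """Follow the CNAME chain to its terminal hostname, bounded against loops."""
    cur = host.lower()
    for _ in range(max_hops):
        if cur not in CNAME_RECORDS:
            break
        cur = CNAME_RECORDS[cur]
    return cur


def classify_pixel(page_url: str, pixel_url: str) -> str:
    """'first-party', 'third-party', or 'cname-cloaked' (first-party name, third-party host)."""
    site = registrable_domain(urlsplit(page_url).hostname)
    pixel_host = urlsplit(pixel_url).hostname
    if registrable_domain(pixel_host) != site:
        return "third-party"
    if registrable_domain(resolve_cname(pixel_host)) != site:
        return "cname-cloaked"
    return "first-party"


def is_sensitive(key: str, value: str) -> bool:
    low = value.lower()
    return key.lower() in SENSITIVE_PARAMS or any(t in low for t in SENSITIVE_TERMS)


def find_sensitive_leaks(pixel_url: str) -> list:
    """(pixel_param, page_param, value) for sensitive page-URL parameters forwarded
    inside a URL-carrying pixel parameter; (pixel_param, None, value) for sensitive
    values the pixel sends directly."""
    leaks = []
    for key, value in parse_qsl(urlsplit(pixel_url).query, keep_blank_values=True):
        if key.lower() in URL_CARRYING_PARAMS and "://" in value:
            # parse_qsl has already percent-decoded the value, so the embedded
            # page URL can be split again and its own query string inspected
            for pkey, pvalue in parse_qsl(urlsplit(value).query, keep_blank_values=True):
                if is_sensitive(pkey, pvalue):
                    leaks.append((key, pkey, pvalue))
        elif is_sensitive(key, value):
            leaks.append((key, None, value))
    return leaks


def audit_pixel(page_url: str, pixel_url: str) -> dict:
    host = urlsplit(pixel_url).hostname
    return {
        "host": host,
        "resolves_to": resolve_cname(host),
        "class": classify_pixel(page_url, pixel_url),
        "leaks": find_sensitive_leaks(pixel_url),
    }


# Constructed sample: a symptom search on the brand's site, beaconed by a cloaked
# pixel that forwards the full page URL in "dl", and by a plain third-party pixel.
PAGE_URL = "https://www.brand.test/search?q=insulin+pump&condition=diabetes"
CLOAKED_PIXEL = ("https://metrics.brand.test/px.gif?id=123"
                 "&dl=https%3A%2F%2Fwww.brand.test%2Fsearch%3Fq%3Dinsulin%2Bpump%26condition%3Ddiabetes")
DIRECT_PIXEL = "https://edge.tracker.test/px?ev=view&condition=diabetes"

if __name__ == "__main__":
    for url in (CLOAKED_PIXEL, DIRECT_PIXEL):
        print(audit_pixel(PAGE_URL, url))
```

The cloaked pixel is the case a cookie scanner gets wrong: by hostname alone it is first-party, so the health terms in the forwarded page URL appear to stay in-house, while the DNS chain shows they leave for the vendor. Running this over a crawl’s request log, with real DNS resolution and the full suffix list, is the kind of data-flow inventory the article argues most organisations do not yet have.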

Brinkworth cautioned that a fragmented approach is a recipe for compliance failures and inevitable fines.

“This isn’t about quick fixes or basic cookie scanning – it’s about understanding and controlling complex data flows that most organisations don’t even know exist within their digital properties.”

Phase two

If it is re-elected the government is expected to introduce a second tranche of privacy laws that will more directly impact the way brands track consumers online, by extending the list of technical issues – unique phone IDs for instance – that will be treated as personally identifiable information.

This extension of “individuation” – a term coined by Johnston – will complicate the management of a brand’s ecosystem even further.

According to Nicole Stephensen, managing director of Ground Up Privacy, the government’s goal is to widen the definition of personal information. Individuation is where a person, even if they’re not expressly knowable by their name or their address or some other data that meets the definition of personal information in the current Privacy Act, is able to be uniquely recognised or set apart in some way and so they “are still able to be tracked and targeted and traced by virtue of that information.”

Per Stephensen, “Widening of the definition of personal information to deal with that issue of individuation is a really big deal.”

She suggested the intent is to address, “the ability, particularly in a marketing and data brokerage sense, to know a person exists even if you don’t exactly know who they are by name, and to be able to target them, trace them, track them”.

Civic Data’s Brinkworth notes that the tightening of Australia’s privacy regime needs to be considered in the wider context. “When you combine this with recent European Data Protection Board guidance on the same technologies replacing cookies, it’s clear this isn’t just an Australian concern – it’s a global privacy challenge that requires sophisticated understanding.”