IAB Australia Statement on OAIC Pixels Determinations

Published June 25, 2026 in Policy and Regulation

On 24th June 2026 the OAIC published two determinations finding that health providers Monash IVF and Medmate breached the Privacy Act through their use of third-party tracking pixels.

These findings are specific to sensitive information, and it’s important to be precise about that. But the implications go wider. Under the Commissioner’s ‘individuation’ test, you don’t need to know someone’s name for their browsing data to be personal information. If it allows a business to single out that person, it can qualify. Responsibility also sits with whoever deployed the pixel, not the agency managing the campaign or the platform serving the ad.

The updated APP 3 guidelines published last month name tracking pixels directly for the first time, alongside a clear data minimisation expectation. IAB Australia has argued consistently this year that responsibility follows control and that compliance frameworks need to be workable and proportionate to be effective. For marketers, the practical step is straightforward: audit what pixels are on your properties, check what data they’re collecting and where it’s going, and make sure your privacy disclosures reflect that accurately.

Look in particular at whether the data collected by the pixel could be used to single out an individual. Remember, the Commissioner has described this approach as ‘novel’, so what you did last year may no longer be enough.

A more detailed brief will be provided to IAB Australia members next week.
