OAIC guidance on tracking pixels and privacy obligations

The Office of the Australian Information Commissioner (OAIC) has released guidance for private sector organisations to ensure they meet their obligations under the Australian Privacy Act when using third-party tracking pixels on their website.

The guidance makes clear that it is the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it is configured and used in a way that is compliant with the Privacy Act.

A tracking pixel is a piece of code generated by a third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.

The guidance makes the following key points:

  • The Privacy Act does not prohibit the use of tracking pixels. However, organisations that deploy third-party tracking pixels on their websites should conduct appropriate due diligence to ensure they are used in a way that is compliant with the Privacy Act and the Australian Privacy Principles (APPs).
  • Organisations should adopt a data minimisation approach and ensure that pixels are configured to limit the collection of personal information to the minimum amount necessary in the circumstances (APP 3).
  • Organisations must generally ensure that sensitive information is not disclosed to third-party platforms through tracking pixels. Sensitive information must only be collected with an individual’s consent (APP 3).
  • Collecting personal information covertly without the knowledge of the individual is likely to be an unfair means of collection (APP 3). Organisations must ensure their privacy policies and notifications contain clear and transparent information about the use of third-party tracking pixels (APPs 1 and 5).
  • Organisations must ensure that any personal information disclosed to third-party providers through tracking pixels is for the primary purpose for which it was collected, or for a secondary purpose if an exception applies (APP 6).
  • If personal information collected via a tracking pixel will be sent overseas by the third-party provider, an organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (unless an exception applies) (APP 8).
  • Organisations must comply with the direct marketing obligations under APP 7 when using tracking pixels to target individuals with online ads, which includes providing individuals with a simple means to opt out.
  • Organisations should conduct regular, ongoing reviews of the tracking technologies deployed on their website to ensure their use remains appropriate and complies with privacy obligations.
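As an added example (not from the OAIC guidance or this article), the following Python script inventories third-party pixel-style resources in a page's static HTML, the kind of check an organisation could run as part of the regular reviews recommended above. The sample HTML and the `.test` hostnames are constructed, and the 1x1 `<img>` heuristic is an assumption: it will not catch pixels injected by scripts at runtime, so it supplements rather than replaces a review of tag-manager configurations.

```python
"""Inventory third-party tracking-pixel resources in static HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party logo, a 1x1 third-party <img> pixel,
# a third-party <script>, and the pixel's <noscript> fallback.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" width="120" height="40" alt="logo">
<img src="https://pixel.adnetwork.test/collect?id=123" width="1" height="1" style="display:none">
<script src="https://tags.analytics.test/tag.js"></script>
<noscript><img src="https://pixel.adnetwork.test/collect/noscript?id=123" height="1" width="1"></noscript>
</body></html>
"""

class _Collector(HTMLParser):
    """Record (tag, src, width, height) for every <img> and <script> with a src."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script"):
            return
        a = dict(attrs)
        if a.get("src"):
            self.found.append((tag, a["src"], a.get("width"), a.get("height")))

def find_third_party_pixels(html, first_party_host):
    """Return (tag, host, url) for resources fetched from hosts other than ours.
    An <img> is flagged only when sized 1x1 (the classic pixel shape); every
    third-party <script> is flagged because it can send data once it runs."""
    p = _Collector()
    p.feed(html)
    hits = []
    for tag, src, w, h in p.found:
        host = urlparse(src).netloc.lower()
        if not host or host == first_party_host.lower():
            continue  # relative or first-party resource: not a third-party pixel
        if tag == "img" and (w, h) != ("1", "1"):
            continue  # ordinary image, not pixel-shaped
        hits.append((tag, host, src))
    return hits

def summarise_hosts(hits):
    """Count flagged resources per third-party host for the review record."""
    out = {}
    for _, host, _ in hits:
        out[host] = out.get(host, 0) + 1
    return out
```

Each flagged host is a candidate for the due-diligence and privacy-policy checks listed above; a host that is not already documented is a gap to investigate.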


Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
