Regulator Orders Health Providers to Halt Pixel Tracking

The Australian Privacy Commissioner has found two health service providers breached privacy law by collecting sensitive health information through third-party tracking pixels without consent.

The Office of the Australian Information Commissioner (OAIC) ruled that telehealth provider Medmate Australia and fertility specialist Monash IVF interfered with individuals' privacy.

The decisions establish that using tracking pixels to monitor health-website visitors and serve them targeted ads amounts to collecting sensitive information. That collection requires user consent under the Privacy Act 1988 (Cth).

Privacy Commissioner Carly Kind linked the rulings to community expectations about sensitive data. “Australians have become accustomed to pervasive online tracking and targeted advertising, but that doesn't mean that they're comfortable with it,” Kind said.

Kind said research showed 9 in 10 Australians consider targeting based on sensitive health data neither fair nor reasonable.

The OAIC ordered both providers to stop the collection within 60 days and destroy affected data where permitted by law. Each must implement valid consent and notification measures before resuming pixel use.

The determinations found breaches of Australian Privacy Principles 3.3, 5.1 and 7.1, covering collection, notification and direct marketing.

A companion OAIC report on an inspection of 50 health-provider websites found 96 per cent used tracking technologies. It found 52 per cent used a third-party tracking pixel, and 77 per cent of those did not disclose it in their privacy policy.

A closer inspection of 12 sites found all used a Meta pixel, half used the TikTok pixel and a quarter used the Snapchat pixel.

The inspection found full URLs, website searches, button clicks, time stamps and device data were transmitted to social media platforms.

For Medmate, the OAIC found TikTok pixel URLs embedded the health conditions and medications users sought, including contraception and infection treatments.

For Monash, the OAIC found Custom Audience lists containing names and contact details had been uploaded to Meta to retarget advertising.

The report warned that many organisations did not know which pixels ran on their sites, citing outsourced marketing and a hands-off approach. 

“Tracking pixels are not a 'set and forget' type tracking tool,” the report said.

None of the 12 organisations had completed a privacy impact assessment before deploying pixels, the report found.

The OAIC urged organisations to map data flows, document what each pixel collects and where it is sent, and review deployments regularly.

“Every page view potentially reveals or infers health information about an individual,” the report said.

It said sensitive information should only be collected via a tracking pixel with express consent, and recommended a privacy-by-design approach.

“It is your responsibility to ensure it is used in a way that is compliant with the Privacy Act,” the report said of tracking pixel deployment.

 
