Do not ‘set-and-forget’ tracking pixels: the latest guidance from the Office of the Australian Information Commissioner
Published on November 8, 2024 by Selwyn Black and Yue Lucy Han
What are tracking pixels?
Tracking pixels are pieces of code used to track user activity on websites, in emails, and in applications. They create a log of user activity, such as usage duration, IP address, type of device, date of interaction, activity on other websites, and more.
Why should you care as an organisation?
Tracking pixels collect data.
The data may be personal information, which the Privacy Act 1988 (Cth) defines as:
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.’
Your organisation may have privacy obligations for the collection and use of the data collected by tracking pixels.
The Office of the Australian Information Commissioner (OAIC) released privacy guidance on 4 November 2024 about ‘Tracking Pixels and Privacy Obligations’ for organisations and government agencies.
Some of the risks identified by the OAIC:
- An umbrella application of tracking pixels may be excessive and expose the organisation to further compliance obligations.
- Tracking pixels may inadvertently collect sensitive information (such as religious beliefs or political opinions), which heightens the regulatory burden on organisations.
- Tracking pixels may cause organisations to fall foul of direct marketing prohibitions.
Organisations should treat tracking pixels with great caution and critically evaluate their usage.
How can you manage your organisation’s privacy obligations around tracking pixels?
Before your organisation deploys tracking pixels
(a) Your organisation should conduct a privacy impact assessment to critically evaluate its privacy obligations.
(b) Your organisation should critically evaluate third-party providers, including their terms and conditions, and privacy practices.
(c) Update your privacy policy and privacy collection notices to be transparent about the tracking pixels’ usage. This should be informed by the results of your privacy impact assessment.
When your organisation is using tracking pixels
(d) Implement systems to monitor the data collected by tracking pixels.
(e) Understand your data deletion obligations and securely delete personal information.
(f) Regularly review the third-party provider to ensure they are still compliant with their obligations and stay updated on any changes.
Speak to Us
We can assist your organisation to understand its privacy obligations and undertake a privacy impact assessment. We can help your organisation update its privacy policy and privacy collection notices to help you stay on top of your obligations.
Please note that this article does not constitute legal advice. If you are seeking professional advice on any legal matters, you can contact Carroll & O’Dea Lawyers on 1800 059 278 or via our Contact Page and one of our lawyers will be able to assist you.