Health firms tracked patients’ searches without consent, watchdog finds

David Swan

People researching topics such as egg freezing, prostate conditions and contraception on two health websites were tracked through invisible code and had their searches fed to social media giants in conduct Australia’s privacy watchdog has now ruled unlawful.

Privacy Commissioner Carly Kind found that fertility provider Monash IVF and telehealth company Medmate both interfered with the privacy of website visitors by using third-party tracking pixels without consent, then used what they gathered to chase those people with advertising. Both companies have been ordered to stop and delete the data they collected.

A pixel is an invisible piece of code embedded in a website that records what a visitor does, from the pages they read to the searches they run, and sends that information to companies such as Meta and TikTok.

The regulator’s findings, to be published on Wednesday, are its first ruling on the technology. They establish that a website using tracking pixels to collect health information and then target those visitors with advertising is collecting sensitive personal information that requires consent under the Privacy Act.

Kind said the harm went beyond the discomfort of being followed by ads.

“The potential real-world harm is that people don’t feel comfortable searching out information and health services online … because they’re worried that their health data is going to be used and passed on to big tech social media companies,” she said in an interview.

She pointed to “the chilling effect of knowing that one is under surveillance online, and then self-censoring or stopping yourself from looking for information that really could assist you or your family”.

Both companies argued during the investigation that they did not collect personal or sensitive information because the data was scrambled before it was shared, a position Kind rejected.

The findings follow reporting by this masthead in December 2023 that revealed TikTok’s pixel was scraping email addresses and phone numbers from major Australian websites, often before users had agreed to any privacy policy. The Office of the Australian Information Commissioner opened an inquiry, then closed it in May 2024, finding the data harvesting “unacceptable” but no clear breach of the law.

Kind said that decision had been deliberate, allowing her office to focus on the websites that deploy pixels rather than the tech giants that receive the data. Website operators “make the decision to deploy the pixel, configure the pixel, and have the direct relationship with the individuals”, she said.

Monash IVF used tracking pixels on its website from July 30, 2012, until December 2024, at one point running seven of them, including a Meta pixel placed on pages dealing with egg freezing, sperm and egg donation, and fertility health checks. Visits to those pages were enough to reveal a person’s interest in fertility treatment, Kind found, and Monash used the data to retarget women with ads for IVF, egg freezing and nurse chats.

The privacy finding adds to a difficult year for Monash IVF, which reached settlements in March with families affected by two embryo mix-ups at its Brisbane clinic and its Clayton clinic in Melbourne, and last month was hit with a fresh negligence suit in the Victorian Supreme Court over a Brisbane case in which a woman gave birth after being implanted with another patient’s embryo.

Medmate ran Meta and TikTok pixels from April 2021. Evidence in the regulator’s determination showed the TikTok pixel transmitted full web addresses that disclosed the condition or medication a person was seeking, including pages for contraception, benign prostatic hyperplasia and urinary tract infections.

Medmate also switched on a Meta feature that matched website visitors to their social media accounts even when not logged in.

Kind found both companies breached Australian Privacy Principles by collecting sensitive information without consent, failing to tell people it was happening, and using that information for direct marketing.

Central to the rulings is an expanded reading of when a person is “reasonably identifiable”, with Kind holding that a company need not know a visitor’s name, only be able to single them out and treat them differently.

She acknowledged the interpretation was novel and likely to be tested in court, and said she would welcome that.

“We both welcome, and in fact invite, judicial engagement on this question,” she said, adding that the decision would probably go to appeal or review, leaving “a couple of years ’til we have certainty”.

Neither company was fined. Kind said penalty proceedings were “really resource-intensive and lengthy”, and a determination delivered “immediate outcomes for the Australian community, rather than delaying those outcomes for a number of years in pursuit of a penalty”.

Continued non-compliance across the industry would be the “next step up the ladder of regulatory intervention”, she said.

The tracking practice is widespread. A separate OAIC scan of 50 health websites found 96 per cent used some tracking technology, and of those using a third-party pixel, 77 per cent made no mention of it in their privacy policy. Kind stressed she was not trying to ban pixels, only to force companies to “go through the appropriate processes to obtain the consent of their users”.

She maintained the Privacy Act still needed reform, including a “fair and reasonable” test that would “fundamentally shift power back to users”.

Both companies co-operated with the investigation. Medmate has removed all tracking pixels from its site, while Monash has begun a privacy review and disabled unused pixels. Either can apply to the Administrative Review Tribunal within 28 days.

David Swan is the technology editor for The Age and The Sydney Morning Herald. He was previously technology editor for The Australian newspaper.
