On 24 June 2026, Australia’s Privacy Commissioner Carly Kind published two landmark determinations against Medmate Australia and Monash IVF. Both companies used third-party tracking pixels on their websites without user consent. Both captured sensitive health information and fed it to Meta and TikTok for advertising purposes. Both have been ordered to stop the practice and delete the data they collected.

These are the first OAIC determinations specifically addressing tracking pixels. They will not be the last.

What the ruling found

Monash IVF ran up to seven tracking pixels on pages covering egg freezing, sperm donation, genetic testing, and fertility health checks, from July 2012 until December 2024. Medmate ran Meta and TikTok pixels from April 2021, capturing which telehealth service a person sought, what medication they added to cart, and whether they completed a purchase.

Neither company was aware of the full extent of what their pixels were transmitting. Both argued the data was hashed before it left their sites. The Commissioner rejected that argument.

Hashing is not de-identification. A hashed email address is a persistent identifier. Social media platforms use it to match a website visitor to their existing profile, even when that person is not logged in. Meta Advanced Matching, which Medmate had enabled from October 2021, was specifically designed for this purpose.
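An added illustration, not part of the original article, of why a hashed email behaves as a persistent identifier rather than de-identified data: the trim-lowercase-SHA-256 step follows the usual advanced-matching recipe, while the `AdPlatform` class, site names and email address are constructed for the example.

```python
import hashlib
from collections import defaultdict


def hash_email(email: str) -> str:
    # Trim and lowercase before hashing, as advanced-matching schemes require, so the
    # same address yields the same digest no matter which site computed it.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


class AdPlatform:
    """Toy model of the receiving side: events are joined on the hashed email alone."""

    def __init__(self) -> None:
        self.profiles: dict[str, list[tuple[str, str]]] = defaultdict(list)

    def receive(self, site: str, hashed_email: str, page_path: str) -> None:
        # No name, no login session: the digest itself is the join key.
        self.profiles[hashed_email].append((site, page_path))

    def profile_for(self, hashed_email: str) -> list[tuple[str, str]]:
        return self.profiles.get(hashed_email, [])


def demo() -> dict:
    platform = AdPlatform()
    # Two unrelated sites each hash the visitor's email client-side before sending it.
    # The address is formatted differently on each, yet the digests are identical, so the
    # platform links the fertility page view and the pharmacy page view to one person.
    platform.receive("fertility-clinic.example",
                     hash_email("Jane.Doe@example.com "), "/egg-freezing")
    platform.receive("pharmacy.example",
                     hash_email("jane.doe@example.com"), "/contraception")
    key = hash_email("JANE.DOE@example.com")
    return {
        "digest_is_stable": hash_email("a@b.c") == hash_email("A@B.C"),
        "joined_profile": platform.profile_for(key),
    }


if __name__ == "__main__":
    print(demo())
```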

The Commissioner found both companies breached three Australian Privacy Principles: APP 3 for collecting sensitive information without consent, APP 5 for failing to notify users that their data was being captured and transmitted, and APP 7 for using sensitive information for direct marketing without consent.

The individuation test changes the scope

The most consequential part of the ruling is the Commissioner’s interpretation of “reasonably identifiable.”

Previous compliance frameworks assumed a person’s identity (name, passport number, date of birth) needed to be known before privacy obligations applied. The determinations imply a different test: individuation. If a system can single out a person and treat them differently based on their behaviour, that person is “reasonably identifiable” under the Privacy Act, regardless of whether their name is known.

This is not a health-specific finding. Any site where browsing behaviour can be used to infer something sensitive (financial distress, pregnancy, addiction, sexuality, political views) sits in the same legal frame. Retailers, lenders, publishers, and media companies are all within scope.

IAB Australia stated it plainly after the ruling: “Under the Commissioner’s ‘individuation’ test, you don’t need to know someone’s name for their browsing data to be personal information. If it allows a business to single out that person, it can qualify.”

DataTrue’s scan data was part of this story

Mi3 published an investigation alongside the OAIC determinations using scan data from DataTrue. Our scans identified five national health retail brands where a search for abortion medication was transmitted to third parties, including Google Ads, TikTok, Facebook, Pinterest, Criteo, and Bing.

In one case, the user had already rejected the cookie opt-out. The sharing continued regardless.

This is the gap the OAIC has now confirmed as a Privacy Act breach. A privacy policy that references data sharing. A cookie banner that appears compliant. Tags that fire anyway. All three existed at Medmate. The Commissioner found none of them were sufficient.

What the OAIC expects every organisation to do

The OAIC has been direct about what compliant practice requires. Three obligations apply to any organisation using tracking pixels.

Know what is running on your site. The OAIC found organisations often did not know which pixels had been deployed. Marketing teams add tags. Agencies configure them. Nobody audits what they do. Of the 50 health provider websites inspected, 77% that used third-party pixels made no mention of them in their privacy policy. One organisation discovered 50 active tracking pixels during the OAIC inquiry. Its Facebook business page had been disabled years earlier. The pixels were still running.

Know what your pixels are transmitting. Page URLs reveal health information. Button clicks reveal intent. Cart additions reveal medication choices. The full URL of a page titled “/contraception” or “/mental-health-support” is not anonymous browsing data. The OAIC found this to be sensitive information under the Privacy Act.

Test that your consent mechanism actually stops collection. Publishing a privacy policy does not satisfy APP 5. A cookie pop-up introduced after the OAIC issued guidance in November 2024 did not satisfy it either. The Commissioner found Medmate’s banner still failed to adequately disclose that sensitive information was being collected and transmitted to third-party platforms for advertising. The obligation is technical, not documentary.

No fine does not mean no consequence

Neither company was fined. Both were ordered to stop collection immediately, delete data held in pixel provider dashboards, and notify the OAIC before restarting use of the technology.

The Commissioner has confirmed that financial penalties are the next regulatory step if the industry does not respond. She has also explicitly invited the courts to test the individuation interpretation on appeal, a process she expects to take two years. The law as it stands today applies in the meantime.

Acting after an enforcement action costs significantly more than acting before one.

What to do now

Audit every pixel and SDK active on your properties. Do not rely on what your agency or web developer says is there. DataTrue’s scan data found pixels active on sites whose owners believed they had been removed years earlier.

Map what each pixel transmits, including via page URLs, form fields, and cart and checkout events. Do not accept vendor assurances that data is “anonymised” or “hashed” without verifying it technically.

Test your consent implementation by simulating user consent acceptance and rejection. Check whether tags stop firing when consent is withdrawn. If they do not, your consent management platform is not working as your privacy policy describes.
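The three steps above (audit what is active, map what each pixel transmits, check whether tags keep firing after consent is refused) can be run mechanically over a browser network capture. The following is an added example, not DataTrue's tooling or code from the article: it takes a HAR export, a list of tracker hostnames (assumed here to be just two), and the timestamp at which the tester clicked "reject" on the banner; the `dl` and `ud[...]` query keys and the POST body shape mirror how Meta and TikTok pixel calls commonly look, and the HAR excerpt itself is constructed.

```python
from datetime import datetime
from urllib.parse import urlparse, parse_qs, unquote

# Third-party endpoints treated as tracking pixels. Assumed list; extend it for your stack.
TRACKER_HOSTS = {"www.facebook.com", "analytics.tiktok.com"}

# Constructed HAR excerpt: a first-party page view, a Meta-style pixel call (dl = page URL,
# ud[em] = hashed email), then a TikTok-style pixel POST that fires after the visitor
# has already rejected the cookie banner (rejection time is passed to run_demo below).
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2026-01-10T09:00:00+00:00",
     "request": {"method": "GET", "url": "https://pharmacy.example/contraception"}},
    {"startedDateTime": "2026-01-10T09:00:01+00:00",
     "request": {"method": "GET", "url": "https://www.facebook.com/tr?id=000&ev=PageView"
                 "&dl=https%3A%2F%2Fpharmacy.example%2Fcontraception&ud[em]=f1e2d3"}},
    {"startedDateTime": "2026-01-10T09:00:05+00:00",
     "request": {"method": "POST", "url": "https://analytics.tiktok.com/api/v2/pixel",
                 "postData": {"text": '{"page":{"url":"https://pharmacy.example/contraception"}}'}}},
]}}


def audit_har(har: dict, first_party_host: str, consent_rejected_at: str) -> list[dict]:
    """One finding per tracker request: which first-party paths and user-data keys it
    carried, and whether it fired after the visitor refused consent."""
    cutoff = datetime.fromisoformat(consent_rejected_at)
    entries = har["log"]["entries"]
    # Paths the visitor actually browsed on the first-party site; these are what leak.
    first_party_paths = {urlparse(e["request"]["url"]).path for e in entries
                         if urlparse(e["request"]["url"]).hostname == first_party_host}
    findings = []
    for entry in entries:
        req = entry["request"]
        parsed = urlparse(req["url"])
        if parsed.hostname not in TRACKER_HOSTS:
            continue
        # Search both the decoded query string and any POST body for browsed paths.
        payload = unquote(parsed.query) + " " + req.get("postData", {}).get("text", "")
        findings.append({
            "host": parsed.hostname,
            "leaked_paths": sorted(p for p in first_party_paths if p != "/" and p in payload),
            "user_data_keys": sorted(k for k in parse_qs(parsed.query) if k.startswith("ud[")),
            "after_refusal": datetime.fromisoformat(entry["startedDateTime"]) > cutoff,
        })
    return findings


def run_demo() -> list[dict]:
    # Constructed: the tester clicked "reject" on the banner at 09:00:03.
    return audit_har(SAMPLE_HAR, "pharmacy.example", "2026-01-10T09:00:03+00:00")


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Any finding with `after_refusal` set is a tag that the consent mechanism did not stop; any non-empty `leaked_paths` on a health page is the kind of URL-borne sensitive information the determinations describe.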

DataTrue can run a scan of your properties and deliver a report within 48 hours. The report shows which pixels are active, what data they are transmitting, and whether your consent mechanism stops them.

Contact us to find out what is firing on your site.