Pixels, Collection and Individuation: Privacy Commissioner Determinations in Medmate Australia and Monash IVF
The Privacy Commissioner goes after Pixels and it is going to change how re-marketing works
In her recent decisions, Privacy Commissioner Carly Kind has found privacy issues with the use of pixels and is expanding the definition of personal information. So what happened?
Medmate Australia Pty Ltd
Medmate, an online telehealth and prescription service, used Meta and TikTok tracking pixels on its website between April 2021 and December 2024. The pixels collected sensitive health information, including URLs revealing specific medications sought and health conditions, without user consent. Medmate used this data to retarget health-related ads to individuals on social media platforms, including through Meta's Advanced Matching feature, which linked interactions to user accounts even when not logged in.
Monash IVF Pty Ltd
Monash IVF, a fertility services provider, used up to seven tracking pixels (including Meta, Google Ads, Pinterest and others) from as far back as July 2012 through December 2024. The pixels tracked visits to highly sensitive sub-domain pages (egg freezing, sperm donation, fertility health checks) and form submissions, and this data was used to retarget individuals with fertility-related advertising on Meta and Pinterest, including using uploaded Custom Audience lists containing names, emails and phone numbers.
Key Similarities
Both matters involved health service providers that:
used social media tracking pixels without obtaining valid consent
failed to adequately notify individuals of the collection and disclosure of their sensitive health information, and
used that information for targeted direct marketing.
These actions were deemed breaches of APPs 3.3, 5.1 and 7.1.
In both cases, the entities denied collecting personal or sensitive information via pixels and had engaged external media agencies to manage pixel use without conducting privacy impact assessments.
Both received identical remedial declarations, requiring them to cease pixel use, destroy collected sensitive information, and implement proper consent mechanisms before resuming.
Key Differences
| | Medmate | Monash IVF |
|---|---|---|
| Period | April 2021 – Dec 2024 | July 2012 – Dec 2024 |
| Pixels used | Meta, TikTok | 7 pixels (Meta, Google Ads, Google Analytics 4, Matomo, Jet Interactive, Hotjar, Pinterest) |
| Advanced Matching | Enabled Oct 2021 – Dec 2024 | Enabled for unknown period, turned off 18+ months before investigation |
| Partial remediation | Implemented cookie consent pop-up (Nov–Dec 2024), found insufficient | Updated privacy policy post-investigation; no pre-investigation consent mechanism |
| Data specificity | URLs revealed specific medications and conditions (e.g. contraception, BPH) | Sub-domain pages revealed fertility-related interests; Custom Audience lists uploaded with direct identifiers |
Commissioner's Key Findings
Collection
The Commissioner confirmed that an entity "collects" personal information under the Privacy Act even when the data is stored on third-party servers (the Pixel Providers), provided the entity controls the deployment and configuration of the pixels. Commissioning a pixel, embedding it, and customising its parameters is sufficient to constitute collection. This is consistent with the technology-neutral, principles-based nature of the Privacy Act.
Individuation and "Reasonably Identifiable"
The Commissioner adopted an expansive interpretation of "reasonably identifiable," holding that it extends to "individuation", which is the ability to single out or distinguish an individual from others in a way that affects their rights or interests. Full identification by name or direct identifiers is not required.
Where an entity can use pixel data to target specific individuals with personalised advertising, even anonymously, those individuals are reasonably identifiable. This interpretation is framed as a deliberate evolution of the law to keep pace with tracking technology.
Sensitive Information
Visiting a health service provider's website was itself found to constitute health information, because it reveals an individual's interest in particular health services and allows inferences about their health condition. This applied to Medmate's medication-specific URLs and Monash's fertility-related sub-domain pages equally.
APP 5 — Notification
A privacy policy alone is insufficient to meet the notification obligation under APP 5.1. Entities must actively notify individuals at or before the time of collection, particularly where sensitive information is involved. Cookie consent banners are also insufficient unless they specifically reference tracking pixels and the relevant Pixel Providers. The higher the sensitivity of the data, the higher the threshold for adequate notification.
APP 7 — Direct Marketing
Retargeting individuals with tailored ads on social media platforms based on their website interactions constitutes direct marketing using sensitive information. The use of Custom Audiences, demographic layering, and event tracking all point to individuals being identified and targeted on an individualised basis.
Next Steps for Businesses
Audit all tracking pixels before your next campaign
Map every pixel deployed on your website, including those managed by agencies, and identify what data each collects, where it is sent, and whether sensitive information (including health, financial or other APP-sensitive categories) could be inferred from page URLs or form interactions. Do not assume that because data sits on a third-party server, you don't "hold" it.
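A first pass at this mapping can be scripted over a crawl of your own site. The sketch below is an added example, not part of either determination: the clinic pages, the signature list and the sensitive-term list are constructed assumptions that you would replace with your own inventory.

```javascript
// Added example with constructed data; not taken from the determinations.
// Substrings that identify common pixel/tag endpoints. Extend for your own stack.
const PIXEL_SIGNATURES = [
  ["connect.facebook.net", "Meta"],
  ["facebook.com/tr", "Meta"],
  ["analytics.tiktok.com", "TikTok"],
  ["s.pinimg.com/ct", "Pinterest"],
  ["ct.pinterest.com", "Pinterest"],
  ["googletagmanager.com/gtag", "Google"],
  ["static.hotjar.com", "Hotjar"],
];
// Hypothetical term list; derive the real one from the site's service pages.
const SENSITIVE_TERMS = ["contraception", "egg-freezing", "sperm-donation", "fertility"];

// Providers whose endpoints appear anywhere in the page source (tags or inline snippets).
function findPixels(html) {
  const source = html.toLowerCase();
  const hits = PIXEL_SIGNATURES.filter(([sig]) => source.includes(sig));
  return [...new Set(hits.map(([, provider]) => provider))];
}

// Terms in the path or query string that would reveal a health interest to a provider.
function sensitiveTermsIn(pageUrl) {
  const { pathname, search } = new URL(pageUrl);
  const haystack = (pathname + search).toLowerCase();
  return SENSITIVE_TERMS.filter((term) => haystack.includes(term));
}

// A page is prioritised when a pixel is present AND its URL carries a sensitive term.
function auditPage({ url, html }) {
  const providers = findPixels(html);
  const terms = sensitiveTermsIn(url);
  return { url, providers, terms, review: providers.length > 0 && terms.length > 0 };
}

// Constructed crawl output for a fictional clinic site.
const SAMPLE_PAGES = [
  { url: "https://clinic.example.test/services/egg-freezing?src=ad",
    html: `<script>!function(f,b,e,v){}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');</script>
           <img height="1" width="1" src="https://ct.pinterest.com/v3/?event=init&tid=0000000000000">` },
  { url: "https://clinic.example.test/about",
    html: `<script src="https://static.hotjar.com/c/hotjar-000000.js"></script>` },
  { url: "https://clinic.example.test/treatments/contraception", html: `<p>No tags here.</p>` },
];

console.log(SAMPLE_PAGES.map(auditPage).filter((p) => p.review));
```

The `review` flag only ranks pages by URL specificity. Given the finding that visiting a health provider's site is itself health information, every page with a non-empty `providers` list belongs in the audit.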
Implement a layered, pixel-specific consent mechanism
A generic cookie banner is not enough, particularly where sensitive information is involved. Consent must be informed, specific and voluntary. Businesses should implement a consent pop-up that explicitly names tracking pixels and the platforms they send data to (e.g. Meta, TikTok), explains the purpose (including retargeting), and prevents pixels from firing until consent is obtained. Consider using Pixel Providers' "consent mode" functionality to gate pixel activation.
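One way to keep pixels from firing until a provider-specific opt-in is recorded, as an added example that is not code from either determination or from any Pixel Provider. The `createPixelGate` function, its loaders and its `send` wrapper are hypothetical names; in a browser each loader would inject that vendor's script tag.

```javascript
// Added example; provider names, purposes and loaders are constructed assumptions.
// `loaders` maps each provider named in the consent pop-up to a function that
// injects that vendor's script. `send` is your own wrapper around the vendor call.
function createPixelGate(loaders, send) {
  const granted = new Set();   // providers the user has said yes to
  const loaded = new Set();    // providers whose script has been injected
  const consentLog = [];       // evidence of what was asked and answered

  return {
    consentLog,
    // Record a per-provider choice made in the pop-up, with the purpose shown.
    setConsent(provider, purpose, allow) {
      if (!Object.prototype.hasOwnProperty.call(loaders, provider)) {
        throw new Error(`unknown provider: ${provider}`);
      }
      consentLog.push({ provider, purpose, allow: allow === true, at: new Date().toISOString() });
      if (allow !== true) { granted.delete(provider); return; }
      granted.add(provider);
      if (!loaded.has(provider)) {   // inject the vendor script once, only after opt-in
        loaders[provider]();
        loaded.add(provider);
      }
    },
    // Fire an event to consented providers only; returns who received it.
    track(eventName) {
      const recipients = Object.keys(loaders).filter((p) => granted.has(p));
      recipients.forEach((p) => send(p, eventName));
      return recipients;
    },
  };
}

// Constructed usage with stub loaders so the flow can be run outside a browser.
const injected = [];
const sent = [];
const gate = createPixelGate(
  { Meta: () => injected.push("Meta"), TikTok: () => injected.push("TikTok") },
  (provider, eventName) => sent.push(`${provider}:${eventName}`)
);
gate.track("PageView");                            // before any choice: nothing fires
gate.setConsent("Meta", "retargeting ads", true);
gate.track("PageView");                            // Meta only
gate.setConsent("Meta", "retargeting ads", false);
gate.track("PageView");                            // withdrawn: nothing fires
console.log({ injected, sent, consentLog: gate.consentLog.length });
```

Withdrawing consent stops events sent through the gate, but a vendor script that is already injected stays on the page until reload, so pair the gate with the provider's own consent or revoke call where one exists.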
Conduct a privacy impact assessment before deploying or re-enabling pixels
Neither Medmate nor Monash had conducted privacy impact assessments prior to deploying pixels, something the Commissioner noted in both decisions. Before deploying any tracking pixel, businesses should formally assess the privacy risks, document their consent and notification mechanisms, review agency contracts to ensure accountability, and record the legal basis for any collection of sensitive information. This is particularly important for health, fertility, mental health, or other sensitive service providers.



