The Office of the Australian Information Commissioner’s (OAIC) determinations against Medmate Australia Pty Ltd (Medmate) and Monash IVF Pty Limited (Monash) demonstrate the expectation that health-focused websites treat sensitive information with caution, and confirm the OAIC’s position in its 2024 guidance (the Pixel Guidance) that organisations deploying a third-party tracking pixel on their websites remain responsible for ensuring that any personal information collected complies with the Australian Privacy Principles (APPs).
The determinations found that Medmate and Monash tracked online users on their websites and collected, used and disclosed to third parties sensitive information without those users’ consent, as required by APPs 3.3 and 7.1, and without taking steps to notify individuals, as required by APP 5.1. The findings are specific to sensitive information, and not everything in them will be relevant to organisations that capture personal information through tracking technologies. However, they clarify the OAIC’s interpretation of “personal information” and “sensitive information” in an ad tech context and underscore websites’ responsibility for the information that they choose to share with third-party pixel providers. While the determinations focus on health information, all organisations should be aware of the implication that any inferences made about sensitive information (such as an online user’s racial origins or sexual life) may be in play.
The full text of each determination (the Medmate Determination and the Monash Determination) is cited in the footnotes below.
Background
Both Medmate and Monash are organisations that provide health services to Australian individuals, including through their websites. Over the period covered by the determinations, both Medmate and Monash deployed tracking pixels on their websites. When an individual visits a website where the website operator has deployed a tracking pixel, the information collected by the pixel is sent to the pixel provider’s server. Once the provider receives that information, it is usually able to match it to individuals’ profiles on its platform and present them with relevant advertising as directed by the website operator.
Depending on the parameters set by the organisation that operates the website, different kinds of information about an individual’s website activity will be disclosed to the third-party pixel provider, ranging from details of the webpage viewed by the individual (i.e. URL, domains visited and metadata such as timestamp and device information) (Page View Information) to more customisable data (such as when an individual books an appointment or completes a registration or sign-up process).
For Medmate and Monash:
| | Medmate | Monash |
|---|---|---|
| Services provided | Telehealth consults, online prescriptions, medical certificates and mental health and weight loss support. | Fertility services and treatments |
| Key categories of data collected, based on website’s configuration of pixel[1] | | |
Key findings
Below are the key findings that we have gleaned from the Medmate and Monash Determinations:
A website operator is responsible for collecting data through pixels deployed on its website
In its updated guidance on APP 3,[2] the OAIC clarifies that two entities may collect the same personal information at the same time. Whether the entity with “control”, but not possession, is taken to collect personal information will depend on the contractual arrangements in place. The Medmate and Monash Determinations put this statement into practice. In both determinations, the OAIC found that the website operator exercised control over the deployment, configuration and customisation of the tracking pixels, and that this control was sufficient to constitute “collection” under the Privacy Act, even though the data was stored directly within the tracking pixel itself and by the pixel provider.[3]
The Privacy Act does not (yet) distinguish between controllers and processors of personal information, but these determinations suggest that in practice, the OAIC will distinguish between the responsibilities held by organisations, depending on each organisation’s role. Where a website operator has chosen to deploy and customise tracking pixels, then they will be held to have control over the personal information collected through those pixels. This is the case even where it is the pixel provider (rather than the website) which stores such information.
In the Medmate Determination, the OAIC briefly mentions that Medmate has undertaken a review of its “contractual arrangements with external marketing agencies”.[4] We strongly recommend that all organisations that engage third parties to collect personal information on their behalf (whether through marketing or other arrangements) review the scope of their contracts and, specifically, consider how responsibility is allocated under the contract and what that means for each party’s obligations under the Privacy Act. It is also worth revisiting liability and audit positions in this context, to make sure that they reflect the likely risk.
Data collected through a tracking pixel will typically constitute “personal information”
Under the Privacy Act, “personal information” includes information, or an opinion, about an individual who is “reasonably identifiable” from that information (or opinion).[5] Medmate and Monash argued that they could not identify individuals from the information collected by the tracking pixels “in the sense of knowing or using resources available to it to gain access to direct identifiers”,[6] but this argument was unsuccessful. The OAIC confirmed that: “…the definition of personal information does not expressly require that an individual be specifically identifiable, or identifiable by direct identifiers such as their legal name, passport or driver’s licence number, or date of birth.”[7] The OAIC took a similar position in relation to hashed email addresses and phone numbers when these are submitted with URLs as part of an advanced matching technique.
Particularly relevant to the ad tech context, the OAIC found that “reasonably identifiable” applies to circumstances where information facilitates “individuation”: i.e. circumstances where an organisation can single out an individual from others in a way that affects their rights and interests, even if the information does not include, and cannot easily be combined with, the individual’s direct identifiers (such as their name).[8] This was the case where Medmate and Monash used the information obtained to retarget individuals on pixel providers’ platforms as part of their advertising campaigns. Both organisations also created Custom Audience lists to retarget individuals based on their behaviour on the website.
While the OAIC admits that this is a novel approach, the finding remains in keeping with the Privacy Act and, particularly, the 2012 revisions to the definition of “personal information”, which were intended to ensure that the term was “sufficiently flexible and technologically-neutral to encompass changes in the way that information that identifies an individual is collected and handled”.[9] It is also consistent with the government’s response to the Privacy Act Review Report, in which it considered that an individual may be reasonably identifiable “where they are able to be distinguished from all others, even if their identity is not known”.[10]
Direct identifiers have never been the only hallmark of whether an individual is “reasonably identifiable” from information about them, and it is not surprising that, if an organisation can track, profile or target people at an individual level, the information that allows it to do so may be personal information. That said, the OAIC’s stated test of whether information “affects an individual’s rights and interests” is somewhat novel. Organisations should assess whether information they hold “reasonably identifies” an individual by reference to factors such as the decisions, opinions or inferences they make using that information, and how those decisions affect the individual. This is in addition to other relevant factors, such as the likelihood of identification occurring and the resources available to the organisation to identify an individual (including other information available to it).[11]
In these determinations, the tracking pixel collected, used and disclosed sensitive information
In the OAIC’s view, both Medmate and Monash had configured the tracking pixel to collect sensitive information. In part, this is because of the nature of both organisations’ websites, which clearly provide health services to individuals. At a high level, “sensitive information” includes information or an opinion about an individual’s health, their expressed wishes about the future provision of health services, or a health service that is provided, or to be provided, to them.[12]
Both websites used tracking pixels to collect and log information about an individual’s engagement with a health service provider’s website. In the view of the OAIC, this could either constitute health information about an individual or allow inferences or opinions to be made about that individual’s health, as it demonstrates their interest in a specific, health-related service. This is consistent with the Pixel Guidance, in which the OAIC takes a broad interpretation of “sensitive information” and suggests that it may be revealed “solely by [an individual] visiting a website, for example, a website providing mental health or counselling services”.[13]
The OAIC’s interpretation of “sensitive information” is expansive, particularly in the case of Medmate, which provided a variety of health services to individuals. Specifically, sensitive information includes a user’s visit to specific sections of a health website, even where the visit does not reveal the individual’s precise health condition. Again, the driver behind the OAIC’s interpretation seems to be that both Medmate and Monash used the information collected through pixels to retarget ads relating to their services, suggesting that they had formed an opinion about the individual’s health that was connected to their own offering (even if that opinion was not specific to a particular condition). Squire Patton Boggs notes too that health information is only one example of sensitive information: the same logic set out in the determinations would likely apply to inferences drawn by advertisers about other sensitive factors (such as sexuality or political opinions).
Neither website obtained consent to collect sensitive information
The OAIC found that consent was not obtained from individuals who visited either the Medmate or Monash websites in respect of the collection of their sensitive information through tracking pixels and, therefore, that both organisations acted in breach of APP 3.3.[14]
While cookie consent pop-ups were implemented, the OAIC found that these did not refer to tracking pixels, and that individuals were thus unlikely to be sufficiently informed of the implications of providing consent.[15] Furthermore, the OAIC noted that cookies are distinct from tracking pixels in that the latter send data to pixel providers and can track individuals across multiple devices.[16]
Where sensitive information is collected (including through tracking pixels), the OAIC is clear that the threshold for valid consent is high. This is not surprising, especially in light of the OAIC’s recent determination against IRE Pty Ltd,[17] which finds that consent must offer users “the ability to exercise effective control over how their personal information is used”[18] and that practices like bundled consent may “result in users inadvertently consenting to their personal information being used in ways they do not want”.[19]
Neither website took reasonable steps to notify individuals of the matters required under APP 5.2
The OAIC found that neither Medmate’s nor Monash’s privacy policy contained sufficient disclosures about the organisation’s use of tracking pixels on its website. While there were references to the use of cookies, as explained above, this is not sufficient to cover the use of tracking pixels. Both policies stated that personal information could be used for direct marketing purposes, but not in a way that recognised the reality of pixel-based ad tracking.
The OAIC acknowledges that privacy policies are one way of sufficiently notifying individuals of the matters set out in APP 5.2.[20] Interestingly, it suggests that, in addition to this, organisations should also deploy a more point-in-time notification. For example, they may choose to deploy a banner or pop-up (akin to a cookie banner) that provides the specific information required under APP 5.2 (or directs individuals to more detailed information) in relation to the use of tracking pixels.[21] In the Medmate and Monash Determinations, both privacy policies were deficient, so we are curious whether a more comprehensive privacy policy, without a banner or pop-up, would meet an organisation’s obligations under APP 5.2.
Conclusion
While the OAIC adopts a novel application of “reasonably identifiable” in the context of tracking technologies, the Commissioner’s broad and expansive view of “sensitive information” makes evident the increased responsibility now placed on websites, which ultimately bear responsibility for “collecting” personal information through such technologies.
[1] This is a summary only: for the full list of standard and custom events, please see paragraph [42] of “Commissioner Initiated Investigation into Monash IVF Pty Ltd” (Privacy) [2026] AICmr 40 (11 June 2026) (the Monash Determination).
[2] Office of the Australian Information Commissioner, “Chapter 3: APP 3 Collection of Solicited Personal Information” (13 May 2026).
[3] The Monash Determination (n 1) [54]; “Commissioner Initiated Investigation into Medmate Australia Pty Ltd” (Privacy) [2026] AICmr 41 (11 June 2026) [55] (the Medmate Determination).
[4] The Medmate Determination (n 3) [7].
[5] Privacy Act 1988 (Cth) s 6.
[6] The Monash Determination (n 1) [65]; The Medmate Determination (n 3) [66].
[7] The Monash Determination (n 1) [66]; The Medmate Determination (n 3) [67].
[8] The Monash Determination (n 1) [73]; The Medmate Determination (n 3) [72].
[9] Explanatory Memorandum (2012) to the amendments to the Privacy Act.
[10] Australian Government, “Government Response” to the Privacy Act Review Report (2023).
[11] See Office of the Australian Information Commissioner, “Key Concepts” (21 December 2022).
[12] Privacy Act 1988 (Cth) s 6.
[13] Office of the Australian Information Commissioner, “Tracking pixels and Privacy obligations” (4 November 2024).
[14] The Monash Determination (n 1) [90]-[93]; The Medmate Determination (n 3) [90]-[94].
[15] The Medmate Determination (n 3) [93].
[16] Ibid.
[17] “Commissioner Initiated Investigation into IRE Pty Ltd” (Privacy) [2026] AICmr 24 (1 April 2026).
[18] Ibid [116].
[19] Ibid.
[20] The Monash Determination (n 1) [110]; The Medmate Determination (n 3) [111].
[21] The Monash Determination (n 1) [115]; The Medmate Determination (n 3) [118].