Key Takeaways
- The OAIC has shown through 2026 that it will act on website privacy. On 11 June 2026 it determined that Medmate and Monash IVF breached the Privacy Act using third-party tracking pixels, and in January 2026 it launched its first compliance sweep of around 60 organisations' privacy policies.
- A non-compliant privacy policy alone can attract compliance and infringement notices of up to $66,000 per infringement under the reformed Privacy Act (Australian Privacy Principle 1).
- Health service providers cannot rely on the small business exemption: under section 6D of the Privacy Act 1988 (Cth), every clinic is an APP entity regardless of turnover.
- The six most common website mistakes are tracking pixels on health pages, third-party widgets, insecure forms, an outdated privacy policy, no valid marketing consent, and cookie banners that ignore health data.
- Health information is sensitive information. It can generally only be collected with consent that is informed, specific, current, voluntary and able to be withdrawn.
- Most fixes are configuration and disclosure, not new technology: audit your tags, turn off tracking on sensitive pages, capture valid consent, and rewrite your privacy policy.
The six website privacy mistakes most likely to draw OAIC attention are tracking pixels on health pages, third-party chat and booking widgets, insecure contact forms, an outdated or missing privacy policy, no valid consent for marketing, and cookie banners that ignore health data. Each breaches a specific Australian Privacy Principle, and each has a straightforward fix.
Your practice website is now a live compliance surface, not just marketing. The OAIC spent 2026 demonstrating that it will inspect health websites, name the providers it finds at fault, and use the stronger penalties it gained in the 2024 Privacy Act reforms. The good news is that the failures are predictable and the fixes are cheap. Here are the six mistakes to check for, the rule each one breaks, and what to do about it.
1. Tracking pixels on health pages
The mistake. A tracking pixel is a snippet of third-party code, such as the Meta pixel or a TikTok pixel, that fires when a visitor loads a page and sends data about that visit back to an advertising platform. On a health website, that data can reveal the condition, treatment or medicine a person was looking at. In its 11 June 2026 determinations, the OAIC found Medmate and Monash IVF collected and disclosed patients' sensitive information this way without valid consent.
The rule. Under Australian Privacy Principle 3.3, sensitive information, including health information, can generally only be collected with consent. The fact that an identifiable person visited a page about a fertility treatment or a medication is itself health information, so a pixel that transmits the page and an identifier is collecting sensitive information the practice had no consent to collect.
The fix. Inventory every tag on your site, then stop pixels firing on health-context pages until you have valid consent. Disable features such as automatic advanced matching and customer-list uploads to advertising platforms. Our companion analysis of the OAIC tracking pixel ruling sets out the determinations and the do-now audit in full.
2. Third-party chat and booking widgets
The mistake. Embedded tools are convenient and invisible in the compliance sense: a live-chat box, a third-party online booking widget, a symptom checker, or a review-collection script. Each one is code from an outside company running on your page, and each can capture what a patient types or which service they select and send it to that company's servers.
The rule. The same collection and disclosure principles apply. If the widget collects health information or personal information and shares it with a third party, you need a lawful basis, notice under APP 5, and consent where the information is sensitive. You remain accountable for a third party's tool running on your site, so "the booking provider handles that" is not a defence.
The fix. List every embedded widget and ask each provider, in writing, what it collects, where the data goes, and whether it is used for any purpose beyond delivering the service to you. Turn off anything you cannot account for, choose providers with a data-processing agreement, and disclose the widgets in your privacy policy.
3. Insecure contact and booking forms
The mistake. A contact form, new-patient intake form or appointment request that submits over an unencrypted connection, emails patient details in plain text, or dumps submissions into an inbox nobody secures. Patients routinely put health details into these forms, so the form is a collection point that needs the same protection as your clinical system.
The rule. APP 11 requires you to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. A form that transmits or stores patient information insecurely fails that test, and a resulting exposure can become a notifiable data breach.
The fix. Serve the whole site over HTTPS, make sure form submissions are encrypted in transit and at rest, and route them into a secure system rather than an unmonitored inbox. Limit who can access submissions and delete them when they are no longer needed. The network and device side of this sits in our cybersecurity compliance checklist for GP practices; if information is ever exposed, our healthcare data breach obligations guide covers the notification test.
4. An outdated or missing privacy policy
The mistake. A privacy policy copied from a template years ago, silent on the tracking and third-party tools the site now runs, or missing altogether. This is the failure the regulator is looking at right now. In January 2026 the OAIC launched its first compliance sweep, a targeted review of around 60 organisations' privacy policies against the Australian Privacy Principles.
The rule. APP 1.3 requires a clearly expressed and up-to-date privacy policy, and APP 1.4 sets out what it must contain, including the kinds of personal information you collect and hold, how you collect it, and the purposes. A non-compliant policy can attract compliance and infringement notices of up to $66,000 per infringement, a power the OAIC gained in the 2024 reforms. The regulator confirmed this focus when it announced the privacy compliance sweep of privacy policies.
The fix. Rewrite the policy to describe what actually happens on your site: the tracking technologies you use, what they collect, who receives the data, and why. Review it on a schedule, not once. The same policy will also need to carry the automated decision-making disclosures due on 10 December 2026, so treat this as one job.
5. No valid consent for marketing
The mistake. Running advertising tracking, remarketing audiences or a marketing mailing list built from website activity without ever obtaining consent that would stand up. Bundling "consent" into the terms of use, or treating continued use of the site as agreement, does not meet the standard for sensitive information.
The rule. APP 7 restricts using or disclosing personal information for direct marketing, and where sensitive information is involved the collection needs consent under APP 3.3. Valid consent must be informed, specific, current, voluntary, given by someone with capacity, and capable of being withdrawn. A passive banner does not clear that bar.
The fix. Build a genuine opt-in for any marketing that relies on health-related browsing or personal information, keep a record of what each person agreed to and when, and give a real way to withdraw. If you cannot evidence valid consent for an existing audience or list, stop using it until you can.
6. Cookie banners that ignore health data
The mistake. A cookie banner bought off the shelf that manages advertising cookies in general but does nothing about the sensitive health-data collection happening on your site. Worse, a banner that loads the tracking before the visitor chooses, or that offers only an "accept" button, so the "consent" is meaningless.
The rule. A cookie banner is only as good as the consent behind it. For sensitive information, notice alone is not consent, and pre-firing the pixels before the person decides is collection without consent under APP 3.3. The banner has to actually prevent non-essential tracking until the visitor makes an informed choice.
The fix. Configure the banner so non-essential and advertising tags do not fire until the visitor opts in, give a genuine "reject" option that still lets them use the site and book an appointment, and make sure the categories it describes match the tags that actually run. Test it, because marketing agencies add new tags over time.
How the six website privacy mistakes map to the Privacy Act
Each mistake ties back to a specific obligation. Reading them together shows the pattern: the website is collecting or disclosing information the practice cannot account for.
| # | Mistake | Principle at stake | The fix in one line |
|---|---|---|---|
| 1 | Tracking pixels on health pages | APP 3.3 (consent for sensitive information) | Stop pixels on health pages until you have valid consent |
| 2 | Third-party chat and booking widgets | APP 5 (notice), APP 3.3 (consent) | Account for every embedded tool and disclose it |
| 3 | Insecure contact and booking forms | APP 11 (security) | Encrypt, secure and limit access to form data |
| 4 | Outdated or missing privacy policy | APP 1.3 and APP 1.4 (open and transparent) | Rewrite the policy to match what the site does |
| 5 | No valid consent for marketing | APP 7 (direct marketing), APP 3.3 | Build a genuine, recorded opt-in |
| 6 | Cookie banners that ignore health data | APP 3.3 (consent) | Block non-essential tags until the visitor opts in |
How to fix your website before the OAIC comes looking
You do not need new technology to fix most of this. You need to know what your website collects and to make it match what your privacy policy says. Work through it in order.
- Inventory every tag, pixel, widget and form. Use your tag manager and ask your web developer or marketing agency for a complete list. You cannot manage what you do not know is there.
- Flag the sensitive pages. Identify where each tool fires, and mark condition pages, symptom checkers, online booking, intake forms and confirmation pages as high-risk collection points.
- Turn off tracking on sensitive pages by default. Until you have valid consent, stop pixels firing on health-context pages and disable customer-list uploads and advanced matching.
- Build valid consent. Replace passive banners with a genuine, recorded opt-in that a patient can decline and still use the site.
- Rewrite the privacy policy and collection notice. State what you collect, who receives it and why, and keep it current.
- Assign it and set a review date. Make one person accountable, record the audit and the decisions, and diarise a recheck, because new tags reappear over time.
Remember that a patient harmed by a privacy failure now has a separate avenue that does not depend on the OAIC at all. The new statutory tort for serious invasions of privacy lets an individual sue a clinic directly. Website privacy is worth getting right on both fronts, and the wider healthcare privacy and cyber security knowledge base has the underlying obligations in full.
Frequently Asked Questions
Can the OAIC penalise my practice just for the privacy policy on my website?
Yes. A privacy policy that is out of date, unclear or missing breaches APP 1.3 and APP 1.4, and the OAIC can issue compliance and infringement notices of up to $66,000 per infringement under the reformed Privacy Act. The OAIC's first 2026 compliance sweep targeted organisations' privacy policies specifically, so this is an active enforcement focus, not a theoretical risk.
Does the small business exemption protect a small clinic?
No. Health service providers are excluded from the Privacy Act's small business exemption under section 6D of the Privacy Act 1988 (Cth), regardless of annual turnover. A sole-practitioner clinic carries the same Australian Privacy Principle obligations as a large hospital group, so every one of these website mistakes applies to a small practice.
Are tracking pixels illegal on a healthcare website?
Not automatically. The problem is using them to collect sensitive information without valid consent and without proper notice. You can use marketing technology, but where it collects health information you must obtain consent that is informed, specific and freely given, configure the tools so they do not collect sensitive data, and disclose the tracking in your privacy policy.
What counts as valid consent for collecting health information online?
Valid consent must be informed, specific, current, given voluntarily by a person with capacity, and capable of being withdrawn. A cookie banner that only offers "accept", an implied-consent notice bundled into terms of use, or tracking that fires before the visitor chooses does not meet this standard for sensitive information.
Which is the first website privacy mistake to fix?
Start by inventorying every tag, pixel, widget and form on your site, because you cannot fix what you cannot see. Then turn off tracking on health-context pages until valid consent is in place, since that is the collection the OAIC has already acted on, and rewrite the privacy policy so it matches what the site actually does.
How is a website privacy problem different from a data breach?
A notifiable data breach is usually an unauthorised access, disclosure or loss of personal information, often from an attack or a mistake. A website privacy problem is generally a deliberate design choice, such as a pixel or widget collecting and sharing information without consent. It will not fix itself by patching a server; it is fixed by changing what your website collects and obtaining proper consent.
Part of
Privacy & Cyber Security