Key Takeaways
- On 11 June 2026 the Office of the Australian Information Commissioner (OAIC) made determinations that Medmate (an online pharmacy and telehealth service) and Monash IVF interfered with patient privacy by using third-party tracking pixels to collect sensitive health information and disclose it to advertising platforms without consent. The determinations were announced publicly on 24 June 2026 (citations [2026] AICmr 41 and [2026] AICmr 40).
- A companion OAIC report, "Your life, pixelated", scanned 50 health service provider websites: 96% used some tracking technology, 52% used a third-party tracking pixel, and of those, 77% did not mention tracking pixels in their privacy policy.
- Of the 12 sites the OAIC inspected closely, all used the Meta pixel, 50% used the TikTok pixel and 25% used the Snapchat pixel, yet only 4 referred to tracking pixels in their privacy policy at all.
- The OAIC found breaches of APP 3.3 (collecting sensitive information without consent), APP 5 (notifying individuals about collection) and APP 7 (using or disclosing personal information for direct marketing). Health information is "sensitive information" and can generally only be collected with consent.
- Both providers were ordered to stop the non-compliant collection, destroy or de-identify the affected data where lawful, and put valid consent and notice in place before resuming. No financial penalty was imposed in either determination.
- Privacy Commissioner Carly Kind said that "nine in 10 Australians consider it neither fair nor reasonable to be targeted on the basis of their sensitive health data", and that the technology used for online tracking "still has to be used in compliance with the Privacy Act".
- Health service providers cannot rely on the small business exemption: every clinic is an APP entity under section 6D of the Privacy Act 1988 (Cth), regardless of turnover. The OAIC urged all organisations to review their use of third-party tracking pixels.
On 11 June 2026 the OAIC determined that two health providers, Medmate and Monash IVF, breached the Privacy Act by using website tracking pixels to send patients' sensitive health information to advertising platforms without valid consent. The determinations, announced on 24 June 2026, put every health practice running pixels on a booking widget, contact form or symptom checker squarely on notice.
This is not an obscure technical ruling. The OAIC paired the determinations with a sweep of 50 health-provider websites and found the problem is widespread. If your practice website carries a Meta pixel, Google tags, a TikTok pixel or any "conversion tracking" snippet, this ruling is about you. Here is what the regulator found, why a few lines of code can amount to collecting health information, and the concrete steps to take before you become the next case study.
What did the OAIC actually find?
The OAIC made two separate determinations. It found that Medmate and Monash IVF each used third-party tracking pixels on their websites to collect and disclose patients' sensitive information without consent, interfering with privacy under the Privacy Act 1988 (Cth).
A tracking pixel is a small piece of code, generated by a third party such as Meta or TikTok, that an organisation embeds in its website. When a person loads a page, the pixel fires and sends data about that visit back to the third party's servers, often to build advertising audiences and measure ad performance. According to the determinations, Medmate's pixels transmitted page URLs that revealed the conditions and medicines patients were viewing, and Monash IVF used the Meta pixel and uploaded customer contact lists to build advertising audiences covering visitors to fertility, egg-freezing and appointment-booking pages.
The OAIC found this conduct breached three of the Australian Privacy Principles: APP 3.3, APP 5 and APP 7. The table below maps each principle to the failure the regulator identified.
| Australian Privacy Principle | What it requires | The tracking-pixel failure |
|---|---|---|
| APP 3.3 | Sensitive information, including health information, may only be collected with the individual's consent and where reasonably necessary | Pixels collected patients' health information through their page visits, without valid consent |
| APP 5 | Notify individuals about the collection of their personal information at or before the time it happens | Patients were not told that pixels were collecting their data and sending it to third parties |
| APP 7 | Do not use or disclose personal information for direct marketing without a valid basis | Sensitive health data was disclosed to advertising platforms to target marketing |
Importantly, the OAIC's tracking-pixel guidance is not new. The regulator published guidance on tracking pixels in November 2024. These determinations enforce that existing guidance, which means "we did not realise" is not a defence available to a practice in 2026.
Why does a tracking pixel collect "sensitive information"?
Under the Privacy Act, sensitive information is a special category of personal information that includes health information, and it attracts the highest level of protection. The general rule in APP 3.3 is that you can only collect sensitive information with the individual's consent and where it is reasonably necessary for your functions.
Health information is not limited to a clinical record. The fact that an identifiable person visited a particular page can itself be health information about them. When a tracking pixel fires on a page about a fertility treatment, a medication, a symptom checker or an appointment confirmation, and it transmits the page URL together with identifiers such as a hashed email, a device ID or a Meta cookie, the website provider is collecting and disclosing sensitive information about that person. As Commissioner Kind framed it, a person's health information remains sensitive even when it is collected by a few lines of code embedded in a webpage.
That is the trap for practices. Most clinics deployed pixels as a marketing convenience: a tag to measure how many people booked after seeing a Facebook ad. The pixel does not know, or care, that the page is about a sensitive health matter. It collects and transmits the visit regardless. The result is that a routine marketing tool ends up doing something the Privacy Act only permits with the patient's consent.
What is in the "Your life, pixelated" report?
Alongside the determinations, the OAIC published a report titled "Your life, pixelated: how tracking pixels watch your every click". It scanned 50 health service provider websites and inspected 12 of them closely. The findings show this is a sector-wide problem, not two isolated providers.
| "Your life, pixelated" finding | Figure |
|---|---|
| Health service provider websites scanned | 50 |
| Sites using some form of tracking technology | 96% |
| Sites using a third-party tracking pixel | 52% |
| Of those, sites that did not mention pixels in their privacy policy | 77% |
| Sites inspected closely | 12 |
| Of the 12, sites using the Meta pixel | All (100%) |
| Of the 12, sites using the TikTok pixel | 50% |
| Of the 12, sites using the Snapchat pixel | 25% |
| Of the 12, sites referring to pixels in their privacy policy | 4 |
The headline message for practice owners: the regulator has demonstrated it will go looking, the conduct it is targeting is common, and the privacy-policy disclosure most sites rely on does not actually mention the tracking that is happening. The OAIC's four recommendations to organisations were to assess the sensitivity of the data involved and configure pixels accordingly, know what tracking technology is running and where, ensure transparency and valid consent, and adopt privacy by design.
What were Medmate and Monash IVF ordered to do?
The determinations were behavioural rather than financial. The OAIC ordered both providers to stop the non-compliant collection, to destroy or de-identify the affected personal information where it was lawful to do so, and to implement valid consent and notification measures before resuming any use of the pixels. The OAIC also declared that the providers must not repeat or continue the conduct.
Critically, no civil penalty was imposed in either determination. These were Commissioner-initiated investigations resolved by determination, not Federal Court penalty proceedings. That distinction matters: the absence of a fine here does not mean the conduct is low-risk. Serious or repeated interferences with privacy can be pursued as civil penalty matters, where the maximum penalties under the reformed Privacy Act now run to tens of millions of dollars. In 2025 the Federal Court ordered the first civil penalty ever imposed under the Privacy Act, $5.8 million against a pathology provider for serious privacy breaches. The pixel determinations are the regulator establishing the principle; the enforcement teeth exist for those who ignore it.
A patient who is harmed also now has a separate avenue that does not depend on the OAIC at all. The new statutory cause of action for serious invasions of privacy, covered in our guide to Australia's new privacy tort, lets an individual sue directly in court.
Does this ruling apply to my practice?
Almost certainly, if you run a website. Two points make the health sector uniquely exposed.
First, health service providers cannot use the small business exemption. Most businesses with annual turnover under $3 million sit outside the Privacy Act, but section 6D of the Privacy Act 1988 (Cth) carves health service providers back in regardless of size. A sole-practitioner clinic carries the same APP obligations as a large hospital group. Every GP practice, allied health clinic, dental practice, psychology practice and registered NDIS provider is an APP entity.
Second, the marketing tools at the centre of the ruling are everywhere. The OAIC found every closely inspected site used the Meta pixel. If your practice has ever run Facebook or Instagram ads, installed Google Tag Manager, added a "book now" conversion tag, or embedded a third-party chat or symptom-checker widget, you may be collecting sensitive information through pixels right now. The risk is highest on pages that reveal a health context: condition pages, service pages for sensitive treatments, online booking flows, intake forms and appointment confirmations.
This is a different problem from your network and device security. The cyber controls in our cybersecurity compliance checklist for Australian GP practices protect data you hold. Tracking pixels are about data you are actively sending out the front door to advertising platforms, which is why the fix is about consent and configuration, not firewalls.
What should your practice do now?
Treat this as a website privacy audit with a clear owner and a deadline. The steps below map to the OAIC's recommendations.
- Inventory every tag and pixel on your site. List every third-party script: Meta pixel, Google Ads and Analytics tags, TikTok pixel, Snapchat pixel, LinkedIn Insight tag, chat widgets and any booking-platform tracking. Use your tag manager and ask your web developer or marketing agency for a complete list. You cannot manage what you do not know is there.
- Identify where each pixel fires. Flag any pixel firing on pages that reveal a health context: condition and treatment pages, symptom checkers, online booking, intake and contact forms, and confirmation pages. These are the high-risk collection points.
- Turn off tracking on sensitive pages by default. Until you have valid consent, the safest position is to stop pixels firing on health-context pages and to disable features such as automatic advanced matching and customer-list uploads to advertising platforms.
- Build a valid consent mechanism. A cookie banner that simply notifies, or that bundles tracking into "by using this site you agree", is unlikely to be valid consent for sensitive information. Consent must be informed, specific, current, given by someone with capacity and freely given, with a genuine ability to decline tracking and still use the site.
- Rewrite your privacy policy and collection notice. State plainly what tracking technologies you use, what they collect, who receives the data and why. The OAIC found most sites failed exactly here. This connects to your wider privacy-policy obligations, including the automated decision-making disclosures due in December 2026.
- Assign it and set a review date. Make one person accountable (usually the practice manager), record the audit and the decisions, and diarise a recheck, because marketing teams and agencies add new tags over time.
If, despite these steps, sensitive information has already been disclosed without consent, assess whether the incident is a notifiable data breach. Our guide to healthcare data breach obligations walks through the notification test and timeframes.
How is this different from a data breach?
It is worth being precise, because the two are often confused. A notifiable data breach is generally an unauthorised access, disclosure or loss of personal information likely to cause serious harm, often the result of an attack or a mistake. The pixel determinations are different: the disclosure here was deliberate and built into the website, an ongoing collection and sharing of sensitive information for marketing without a lawful basis. It is a compliance failure in how the practice designed its own site, not an external incident. Both can attract OAIC action, but a pixel problem will not fix itself by patching a server. It is fixed by changing what your website collects and obtaining proper consent.
Frequently Asked Questions
Did the OAIC fine Medmate and Monash IVF?
No. The OAIC made determinations finding both providers interfered with privacy and ordered them to stop the non-compliant collection, destroy or de-identify the affected data where lawful, and obtain valid consent before resuming. No financial penalty was imposed in either determination. The determinations were announced on 24 June 2026 (made 11 June 2026). Serious or repeated breaches can still be pursued as civil penalty matters with much larger maximum penalties.
What is a tracking pixel, and how does it collect health information?
A tracking pixel is a small piece of third-party code, such as the Meta pixel, embedded in a website. When a person loads a page, the pixel sends data about that visit (including the page URL and identifiers like a hashed email or cookie) to the third party. When the page reveals a health context, the fact that an identifiable person visited it is health information, so the pixel is collecting and disclosing sensitive information.
Do tracking pixel rules apply to a small GP practice?
Yes. Health service providers are excluded from the Privacy Act's small business exemption under section 6D of the Privacy Act 1988 (Cth), regardless of turnover. A sole-practitioner clinic has the same Australian Privacy Principle obligations as a large group. If your website runs tracking pixels that collect patient information, the obligations in the OAIC's ruling apply to you.
Is it illegal to use the Meta pixel or Google tags on a health website?
Not automatically. The problem the OAIC identified is using pixels to collect sensitive information without valid consent and without proper notice. You can use marketing technology, but where it collects health information you must obtain consent that is informed, specific and freely given, configure the tools to avoid collecting sensitive data, and disclose the tracking in your privacy policy.
What counts as valid consent for tracking pixels?
Valid consent must be informed, specific, current, given voluntarily by a person with capacity, and capable of being withdrawn. A passive cookie banner or an "implied consent" notice bundled into terms of use is unlikely to meet this standard for sensitive information. Patients should be able to understand what is being collected and to decline tracking while still using your website and booking services.
How do I check what tracking pixels are on my practice website?
Start with your tag manager (such as Google Tag Manager) and your marketing agency's records, and ask for a full list of installed tags. Browser developer tools and free tag-scanning tools can also reveal active pixels: open the Network tab, load a condition or booking page and filter for requests to the ad platforms' collection endpoints (for the Meta pixel, `facebook.com/tr`); the query string on each request shows exactly which page URL and identifiers left the browser. Pay particular attention to pixels firing on condition pages, symptom checkers, online booking, intake forms and confirmation pages, which are the highest-risk collection points.
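The script below is an added example, not code from the OAIC report or either provider, of the inventory step described in this answer and in the audit steps earlier on the page: it matches the vendors' published init snippets (`fbq('init', ...)`, `ttq.load(...)`, `snaptr('init', ...)`, `gtag('config', ...)`, a `GTM-` container ID, the Meta `<noscript>` image) in page HTML, maps each pixel to the pages it appears on, flags health-context URLs, and reports which vendors the privacy policy never names. The three sample pages, the policy text, the pixel IDs and the sensitive-path keywords are all constructed for the example.

```javascript
// Added example: offline tag inventory over fetched page HTML. Not OAIC or
// provider code. Sample pages, IDs and policy text are constructed.
// Run with: node pixel_inventory.js
const PIXEL_SIGNATURES = [
  { name: 'Meta pixel', re: /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/, policyWords: ['meta pixel', 'facebook pixel'] },
  { name: 'Meta pixel', re: /facebook\.com\/tr\/?\?id=(\d+)/, policyWords: ['meta pixel', 'facebook pixel'] },
  { name: 'TikTok pixel', re: /ttq\.load\(\s*['"]([A-Z0-9]+)['"]/, policyWords: ['tiktok'] },
  { name: 'Snapchat pixel', re: /snaptr\(\s*['"]init['"]\s*,\s*['"]([0-9a-f-]+)['"]/, policyWords: ['snap'] },
  { name: 'Google tag', re: /gtag\(\s*['"]config['"]\s*,\s*['"]([A-Z]{1,3}-[A-Z0-9-]+)['"]/, policyWords: ['google'] },
  { name: 'Google Tag Manager', re: /\b(GTM-[A-Z0-9]{4,})\b/, policyWords: ['tag manager'] },
  { name: 'LinkedIn Insight Tag', re: /_linkedin_partner_id\s*=\s*['"](\d+)['"]/, policyWords: ['linkedin'] },
];

// Path fragments assumed here to reveal a health context about the visitor.
const SENSITIVE_PATH_WORDS = ['condition', 'treatment', 'fertility', 'symptom', 'book', 'intake', 'appointment'];

function isSensitivePath(pathname) {
  const p = pathname.toLowerCase();
  return SENSITIVE_PATH_WORDS.some((w) => p.includes(w));
}

// Every pixel init found in one page's HTML, as [{ name, id }].
function findPixels(html) {
  const found = [];
  for (const sig of PIXEL_SIGNATURES) {
    for (const m of html.matchAll(new RegExp(sig.re.source, 'g'))) {
      found.push({ name: sig.name, id: m[1] });
    }
  }
  return found;
}

// pages: [{ url, html }] -> { [pixelName]: { ids, pages, sensitivePages } }
function scanSite(pages) {
  const inventory = {};
  for (const { url, html } of pages) {
    const pathname = new URL(url).pathname;
    for (const { name, id } of findPixels(html)) {
      let entry = inventory[name];
      if (!entry) entry = inventory[name] = { ids: new Set(), pages: new Set(), sensitivePages: new Set() };
      entry.ids.add(id);
      entry.pages.add(pathname);
      if (isSensitivePath(pathname)) entry.sensitivePages.add(pathname);
    }
  }
  // Sets to sorted arrays for a stable report.
  return Object.fromEntries(Object.entries(inventory).map(([name, e]) => [name, {
    ids: [...e.ids].sort(), pages: [...e.pages].sort(), sensitivePages: [...e.sensitivePages].sort(),
  }]));
}

// Vendors present on the site that the privacy policy does not mention at all.
function policyGaps(inventory, policyText) {
  const text = policyText.toLowerCase();
  return Object.keys(inventory).filter((name) => {
    const { policyWords } = PIXEL_SIGNATURES.find((s) => s.name === name);
    return !policyWords.some((w) => text.includes(w));
  });
}

// Constructed sample site: three pages and a policy that mentions only Google.
const SAMPLE_PAGES = [
  { url: 'https://clinic.example/about',
    html: `<script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-AB12CD');</script>` +
          `<script>fbq('init', '123456789012345'); fbq('track', 'PageView');</script>` },
  { url: 'https://clinic.example/treatments/egg-freezing',
    html: `<script>fbq('init', '123456789012345');</script><script>ttq.load('ABCDEF1234567890'); ttq.page();</script>` },
  { url: 'https://clinic.example/book',
    html: `<script>gtag('config', 'AW-987654321');</script>` +
          `<noscript><img src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>` },
];
const SAMPLE_POLICY = 'We use Google Analytics to understand how visitors use our website.';

function demo() {
  const inventory = scanSite(SAMPLE_PAGES);
  return { inventory, gaps: policyGaps(inventory, SAMPLE_POLICY) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Feed `scanSite` with the HTML you actually fetch from your own pages. One caveat the scan cannot cover: tags that a tag manager injects at runtime do not appear in the static HTML, so a page that shows only a `GTM-` container here still needs the Network-tab check described above to see what the container loads.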
What did the "Your life, pixelated" report find?
The OAIC scanned 50 health service provider websites. It found 96% used some tracking technology and 52% used a third-party tracking pixel, and of those, 77% did not mention pixels in their privacy policy. Of the 12 sites inspected closely, all used the Meta pixel, half used the TikTok pixel and a quarter used the Snapchat pixel, while only four referred to tracking pixels in their privacy policy.