Australia’s privacy watchdog has handed down its first ruling on the use of online tracking pixels, finding searches related to IVF, birth control, and prostate conditions were collected and shared with social media platforms without users’ consent.
In determinations announced Wednesday, Privacy Commissioner Carly Kind found fertility provider Monash IVF and telehealth platform Medmate both “interfered with the privacy of individuals” whose sensitive information was collected using discreet, third-party tracking pixels.
Tracking pixels are snippets of code embedded in websites that record visitor activity.
They can capture searches, button clicks, IP addresses, and, in some cases, data entered into forms.
The technology has become a cornerstone of targeted advertising on platforms including Meta and TikTok.
While tracking pixels are not prohibited under Australia’s Privacy Act, the commissioner found Medmate and Monash IVF breached Australian Privacy Principles by collecting Australians’ sensitive information without consent.
Information Age understands both companies also used the data for direct marketing purposes and failed to adequately inform users about how their information was being collected and shared.
Monash retargeted individuals, ran egg donor campaigns
According to the determination, Monash IVF used Meta’s dedicated pixel for advertising campaigns related to egg donor and freezing, endometriosis, sperm donorship, fertility treatments and IVF services.
The company also maintained ‘Custom Audience’ lists containing information such as dates, first and last names, gender, email addresses, phone numbers and states.
At least some of these lists were uploaded to Meta, allowing Monash IVF to “layer, build and further refine individuals they wish to retarget”.
Monash IVF used tracking pixels on its website between 30 July 2012 and December 2024, spanning 7 distinct pixels for Meta, Google Ads, Pinterest, and other platforms.
A Monash IVF spokesperson told Information Age the company has been working with the Office of the Australian Information Commissioner (OAIC) since November 2024, when the regulator released guidance on the use of tracking pixels.
“We took action immediately on being informed of the likelihood of an issue by the OAIC to ensure we were complying with the Privacy Act,” they said.
“We have met all requirements from the OAIC including improved privacy notifications for website visitors, deleting any information that was inadvertently collected, and confirming with the OAIC that this has been actioned appropriately.
“Our intent has always been to be clear and transparent about the use of cookies on our website and visitors’ privacy, and we regret the error occurred.”
Medmate fed health conditions to TikTok
Medmate used tracking pixels not only on Facebook and Instagram but also on TikTok.
Kind noted full URLs, hashed email addresses and phone numbers could be transmitted to TikTok through its pixel.
In some cases, those URLs contained information about users’ health conditions, such as urinary tract infections and bacterial vaginosis, or medications sought, such as oral contraceptives and treatments for benign prostatic hyperplasia.
Medmate also used a Meta feature that linked users to their social media profiles, regardless of whether or not they were logged in.
The company was contacted for comment, but did not respond prior to publication.
Medmate began using Meta and TikTok pixels in April 2021, and ceased use of all tracking pixels on its website as of 1 December 2025.
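To illustrate the URL leakage described above, the following added example (not code from the determination, the OAIC or either company) audits page URLs for health terms that a third-party pixel would receive if handed the full URL, and blocks them unless the visitor gave express opt-in consent. The term list, the `consent.expressOptIn` field and every URL are constructed assumptions.

```javascript
// Added example; SENSITIVE_TERMS and SAMPLE_URLS are constructed for illustration.
const SENSITIVE_TERMS = [
  "urinary-tract-infection", "bacterial-vaginosis",
  "oral-contraceptive", "benign-prostatic-hyperplasia",
];

const SAMPLE_URLS = [
  "https://telehealth.example/consult/urinary-tract-infection",
  "https://telehealth.example/search?q=oral+contraceptive",
  "https://telehealth.example/about",
  "https://telehealth.example/treatments/Bacterial%20Vaginosis",
];

// Return the sensitive terms present in a URL's path or query string.
function findSensitiveTerms(rawUrl) {
  const url = new URL(rawUrl);
  let text = url.pathname + url.search;
  try {
    text = decodeURIComponent(text);
  } catch (e) {
    // Malformed percent-encoding: fall back to matching the raw string.
  }
  // Normalise spaces, underscores and '+' so "oral+contraceptive" matches.
  const haystack = text.toLowerCase().replace(/[\s_+]+/g, "-");
  return SENSITIVE_TERMS.filter((term) => haystack.includes(term));
}

// Decide whether the full URL may be passed to a third-party pixel.
// A URL carrying a sensitive term is blocked without express opt-in consent.
function pixelDecision(rawUrl, consent) {
  const terms = findSensitiveTerms(rawUrl);
  const optedIn = Boolean(consent && consent.expressOptIn === true);
  if (terms.length > 0 && !optedIn) return { action: "block", terms };
  return { action: "allow", terms };
}

// Audit a list of URLs and return only those that would be blocked.
function auditUrls(urls, consent) {
  return urls
    .map((u) => ({ url: u, ...pixelDecision(u, consent) }))
    .filter((r) => r.action === "block");
}

console.log(auditUrls(SAMPLE_URLS, null));
```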
Landmark ruling for online tracking
According to an OAIC report that examined 50 websites, more than half used a third-party tracking pixel, and 77 per cent of these did not mention the practice in their privacy policy.
Kind said nine in 10 Australians considered it “neither fair nor reasonable to be targeted on the basis of their sensitive health data”.
“Australians have become accustomed to pervasive online tracking and targeted advertising, but that doesn’t mean that they’re comfortable with it,” said Kind.
While neither Monash IVF nor Medmate was fined, Kind said the decisions establish that sophisticated online advertising technologies must still comply with Australia's privacy laws.
“That means website providers must obtain consent where they’re using tracking pixels to collect sensitive information, such as data on health, political opinions, race or ethnicity,” she said.
In a statement to Information Age, an OAIC spokesperson said organisations should generally seek “express opt-in consent” if an individual’s sensitive information is likely to be collected and disclosed to third-party platforms through a tracking pixel.
“For consent to be valid, it should be adequately informed, given voluntarily and be current and specific,” they said.
Notably, Kind’s rulings were partly based on the commissioner’s interpretation of when a person is “reasonably identifiable”.
Kind found that a person may be reasonably identifiable where information can be used to single them out from others in a way that affects their rights or interests, even if their name is not directly attached to the data.
The commissioner told The Age this interpretation was likely to be tested in court over the coming years.
Both Monash IVF and Medmate have 28 days to seek a review of the Privacy Commissioner’s decisions through the Administrative Review Tribunal.