Privacy Commissioner publishes investigation into Medmate Australia. The use of tracking pixels to collect and use personal information.
June 28, 2026 |
The Privacy Commissioner recently completed an investigation into Medmate Australia. At issue was Medmate’s use of tracking pixels to collect information without consent between April 2021 and 9 December 2024. The determination is a very detailed analysis of a means of data collection which the regulator has not previously considered.
FACTS
Medmate is:
- a corporation which was registered in Australia in 2018;
- a wholly owned subsidiary of Medmate Group Pty Ltd (ACN 628 464 255); and
- a provider of a wide range of health services including:
  - telehealth consults; and
  - online prescriptions, medical certificates, mental health support and a weight loss program.
Medmate owns and operates the Website, which advertises and details the services it offers and provides a means by which individuals may request telehealth appointments or purchase prescriptions.
The OAIC published its guidance on the application of the Privacy Act to tracking pixels in November 2024 and then undertook a preliminary scan of 50 health service provider websites and their use of tracking pixels [20]. That is both good policy and good practice.
On 9 December 2024, the Commissioner commenced an investigation under s 40(2) into Medmate’s use of tracking pixels on the Website for the period of April 2021 until 9 December 2024.
Regarding its use of pixels, Medmate:
- commenced use of:
- engaged external media agencies to manage its use of tracking pixels on its Website [37];
- did not undertake any privacy impact assessments prior to the deployment of tracking pixels [38];
- utilised tracking pixels for:
  - advertising and analytics;
  - tracking the success of campaigns and conversions; and
  - identifying user behaviour trends to streamline operations, improve patient engagement and enhance the provision of healthcare services through website and app improvements [39];
- as of 9 December 2024, had 2 active tracking pixels on the Website:
  - the Meta Pixel – Page view, which tracks when an individual views a page on the Website (and includes Base Pixel Data), and Purchase, which tracks when an individual completes a purchase on the Website, with parameters that also included order ID, value and currency; and
  - the TikTok Pixel [40] – Page view, which tracks when an individual views a page on the Website (and includes Base Pixel Data), and View content, which tracks when an individual views content or a specific product including telehealth, express consult and medical certificate. It enables full URLs, hashed email addresses and phone numbers to be transmitted to TikTok when individuals browse the Website. The full URLs transmitted via the TikTok Pixel included, in some circumstances, health conditions or medication sought, based on an individual’s actions.
DECISION
A tracking pixel is a tracking tool that permits granular user surveillance across the internet and social media platforms. It allows brands to pay a premium to third-party platforms to deploy the right ad to the right person at the right time [4].
The use of tracking pixels without appropriate due diligence risks contravention of the Privacy Act and the APPs [8].
Tracking pixels take various forms, including tiny, transparent images that can be embedded by entities on webpages via a broad range of HTML and JavaScript code [9], and function to collect information about individuals’ activities on a webpage.
Social media platforms offer entities platform specific tracking pixels for integration and use [10].
A tracking pixel operates as an external channel to the Pixel Provider:
- the HTML or JavaScript code contains a URL pointing to the Pixel Provider’s server, so that when an individual loads a webpage containing a tracking pixel, their browser triggers a request to the Pixel Provider’s server;
- that request transmits the information collected by the tracking pixel to the Pixel Provider’s server; and
- the Pixel Provider’s server records the information in its log files [11].
Entities that embed a Pixel Provider’s tracking pixel on their website have access to aggregate data about individuals’ website activity through a dashboard or interface. The Pixel Provider Dashboard enables entities to:
- create, test and deploy tracking pixels, configure tracking pixel settings and adjust the parameters of information collected;
- create ad campaigns on the Pixel Provider’s social media platform to retarget ads to individuals who visited their websites; and
- measure the success of such campaigns [12].
Pixel Providers match Base Pixel Data or Customised Pixel Data to individuals on their platforms through cookies enabled in the tracking pixel. If an individual has the Pixel Provider’s cookies on their device, the Pixel Provider will match their social media profile with the information collected by the tracking pixel [15].
At their most basic, tracking pixels track a standard event called a Pageview, which consists of data including:
- URL;
- domains visited;
- timestamp;
- language;
- IP address; and
- device and browser information of the individual [13].
Tracking pixels can be customised by entities to collect information relating to specific interactions or actions [14], and can be enhanced through Advanced Matching, which enables tracking pixels to collect hashed personal information input by an individual on webpages. Data transmitted via the tracking pixel to the Pixel Provider can be matched with an individual’s social media profile, even where the individual is not logged in [16].
Individuals may receive retargeted ads on the Pixel Provider’s platform where information collected by a tracking pixel has been matched with that individual’s social media profile [17].
Pixel Providers may also use the information returned by the tracking pixel to further build a profile of the individual’s preferences or characteristics, which is monetised by developing a personalised advertising profile used to retarget the individual with other advertising or content [17].
The Commissioner undertook a step-by-step analysis.
Did Medmate collect information?
An entity ‘collects’ personal information only if the entity collects the personal information for inclusion in a record or generally available publication [51].
Collection involves practices that include:
- gathering,
- assembling,
- accumulating or
- making a collection [52].
Where personal information is not gathered for inclusion in a record or generally available publication, it is not ‘collected’ [52].
Section 6(1) of the Privacy Act defines ‘record’ to include a ‘document’ or ‘an electronic or other device’.
Information is collected for inclusion in a record where it is collected for inclusion in any record of information, including information stored or recorded by means of a computer; and including any other electronic or other device [53].
An embedded tracking pixel triggers a request that transmits Medmate Pixel Data directly to the relevant Pixel Provider’s server when an individual visits the Website. That enables the collection of information in the Pixel Providers’ servers. The servers constitute an ‘electronic device’ which is a ‘record’ for the purposes of the Privacy Act [55].
The Commissioner found that Medmate is the entity with control and authority over whether Medmate Pixel Data is collected as:
- the collection of Medmate Pixel Data for inclusion in a record would not have occurred if Medmate had not actively commissioned the tracking pixels through its selected Pixel Providers;
- Medmate exercised control over the deployment and embedment of tracking pixels on the Website; and
- after the initial set up of the tracking pixel, Medmate could customise the tracking pixel to adjust the information collected [56].
As a consequence, a collection was undertaken by Medmate by way of its control over the deployment and customisation of tracking pixels on the Website [57].
Is the information collected personal information?
Personal information is defined under s 6 of the Privacy Act as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.’ [60]
Is the information ‘about’ an individual’?
Information is ‘about’ an individual where there is a connection between the information and the individual. Information will also be ‘about’ someone where it reveals or conveys something about them [61].
Pixel Providers match data transmitted via tracking pixels with data they hold about existing users of their platforms using cookies. This enabled Medmate to collect more detailed information about logged-in account holders, which in some circumstances included health conditions or medication sought [62]–[63].
The Privacy Commissioner found that the pixel data is about the individuals who visited the Website as it tracks the behaviour of those individuals and, using the phrasing of Privacy Commissioner v Telstra Corporation Limited, the subject of the information is the individual’s behaviour [64].
Second limb: Is the individual reasonably identifiable by the information?
Under the APP Guidelines, whether an individual is ‘reasonably identifiable’ from particular information will depend on considerations that include:
- the nature and amount of information;
- the circumstances of its receipt;
- who will have access to the information;
- other information either held by or available to the APP entity that holds the information; and
- whether it is possible for the individual or entity that holds the information to identify the individual, using available resources [65].
The definition of personal information does not expressly require that an individual be specifically identifiable, or identifiable by direct identifiers such as their legal name, passport or driver’s licence number, or date of birth [67].
Regarding the definition of personal information:
- Privacy Commissioner v Telstra Corporation Limited concerned a previous definition of personal information, which referred to situations in which an individual’s ‘identity is apparent or could reasonably be ascertained’.
- The definition was amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) to refer to ‘reasonably identifiable’ [68].
- The Explanatory Memorandum to the 2012 Act notes that ‘[i]t is important that this key definition be sufficiently flexible and technology-neutral to encompass changes in the way that information that identifies an individual is collected and handled.’ [71]
- New technologies provide entities with new ways to affect the privacy of individuals by collecting, using and disclosing a range of types of information. As technology has evolved to make it possible for entities to use such information to track and target individuals, both in online and offline environments, our understanding of ‘identifiability’ has evolved in parallel [72].
- The phrase ‘reasonably identifiable’ ought to be interpreted as applying to circumstances where information facilitates ‘individuation’, that is to say, the information permits an entity to ‘single out’ or ‘distinguish’ an individual from others in a way that affects the individual’s rights or interests [73].
- In part, the ‘identifiability’ element of the definition of personal information operates to ensure that the Privacy Act does not capture information about a person in circumstances in which the collecting entity cannot use the information in any meaningful way that would affect the individual’s rights or interests.
- If there is a reasonable prospect that information about an individual held by an entity may be used by the entity to affect that individual’s rights or interests, the information is personal information [74].
- This interpretation of ‘reasonably identifiable’ is a logical progression of the legislative interpretation of the Privacy Act. Given that the Privacy Act is a principles-based legislative instrument and the APPs are technology neutral, this interpretation allows concepts to adapt to changing technologies and evolve with the times [75].
Whether Medmate Pixel Data made individuals reasonably identifiable
Entities that use tracking pixels can retarget ads to individuals through Pixel Provider platforms with bespoke content in personalised ways, by allowing Pixel Providers to pair information obtained through the tracking pixel with information held by the Pixel Provider [77]. Medmate:
- retargeted ads to logged-in account holders based on their interactions with the Website [78]; and
- through the Meta Pixel Advanced Matching feature, was able to collect more granular information about individuals such as names, email addresses and phone numbers and match it to user accounts on the Meta platform, regardless of whether the individual was logged in [79].
The Privacy Commissioner found that the information collected by Medmate using tracking pixels was about individuals and that those individuals were reasonably identifiable, so the APPs apply to the information [81].
Is the personal information collected sensitive information?
Sensitive information is defined to include health information about an individual. Health information is defined under s 6FA of the Privacy Act as:
(a) information or an opinion about:
(i) the health, including an illness, disability or injury, (at any time) of an individual; or
(ii) an individual’s expressed wishes about the future provision of health services to the individual; or
(iii) a health service provided, or to be provided, to an individual;
that is also personal information.
Medmate configured the tracking pixel to record when an individual visited certain sub-domains. Engagement with a health service provider’s website:
- revealed an individual’s health information, or
- allowed an inference or opinion to be made about an individual’s health,
as it demonstrated an individual’s interest in the provision of a particular health-related service.
The fact that Medmate used the information collected via tracking pixels to retarget ads relating to health services to individuals that visited the website indicates that Medmate had formed an opinion about the individual’s health [83].
The Privacy Commissioner found that the information collected by Medmate using tracking pixels included health information which is sensitive information [84].
APP 3– Collection of personal information
APP 3.3 states that an APP entity must not collect sensitive information about an individual unless:
(a) the individual consents to the collection of the information and:
…
(ii) if the entity is an organisation—the information is reasonably necessary for one or more of the entity’s functions or activities; or
(b) subclause 3.4 applies in relation to the information.[88]
Did Medmate obtain consent to collect sensitive information?
Consent is defined under s 6(1) as express consent or implied consent.
For consent to be valid, it must be:
- informed;
- voluntary;
- current and specific;
- given by individuals who have the requisite capacity; and
- sought from an individual before handling sensitive information [90].
The Commissioner:
- found no evidence that express consent was sought, or obtained, by Medmate;
- was not satisfied that individuals who visited the Website could be taken to impliedly consent, given that tracking pixels are designed to be ‘invisible’ and the lack of specific information and notices on the Website [91]; and
- found that the cookie consent pop-up in place between 15 November 2024 and 9 December 2024 did not constitute consent to the collection of their sensitive information through Medmate’s tracking pixels as:
  - individuals were not adequately informed, because:
    - the cookie consent pop-up did not refer to tracking pixels or to Meta and TikTok;
    - there was not adequate information about the implications of providing consent, or about the collection, use or disclosure of their personal information via tracking pixels; and
    - cookies are distinct from tracking pixels, the latter of which send data to Pixel Providers’ servers and can track individuals across multiple devices; and
  - consent was not specific. With sensitive information the level of specificity required is higher, and individuals should have been informed of the proposed collection, use or disclosure of their personal information.
The Commissioner was not satisfied that individuals who visited the Website consented to the collection of their sensitive information through tracking pixels [94].
Is the collection of sensitive information via tracking pixels reasonably necessary for one or more of Medmate’s functions or activities?
Whether the collection was reasonably necessary for Medmate’s functions or activities pursuant to APP 3.3(a)(ii) depends on factors that include:
- the primary purposes of collection;
- how the personal information will be used in undertaking a function or activity of the APP entity; and
- whether the function and activity could be undertaken without collecting that personal information, or by collecting a lesser amount of personal information [96].
Medmate’s Privacy Policy outlines the purposes for which Medmate collects, holds, uses and discloses individuals’ personal information, including:
For analytics market research and business development, including to operate and improve our business, associated applications and associated social media platforms
…
For advertising and marketing, including to send you promotional information about our events and experiences and information that we consider may be of interest to you.
As Medmate provides health services for profit, the Privacy Commissioner accepted that the collection of Medmate Pixel Data may be reasonably necessary for the performance of Medmate’s functions and activities [99].
The Privacy Commissioner found there was a breach of APP 3.3 as consent was not obtained from individuals who visited the Website in relation to the collection of their sensitive information via tracking pixels, and the exceptions set out in APP 3.4 do not apply [100].
APP 5.1 – Notification as to the collection of personal information
APP 5.1 states:
at or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:
(a) to notify the individual of such matters referred to in subclause 5.2 (APP 5.2 matters) as are reasonable in the circumstances; or
(b) to otherwise ensure that the individual is aware of any such matter
APP 5.1 has two references to ‘reasonable in the circumstances’:
- the first reference in APP 5.1 contemplates whether an APP entity is required to take any steps to comply with APP 5.1; and
- the second reference concerns which of the APP 5.2 matters an APP entity might reasonably be required to notify or ensure that individuals were aware of [102].
The obligation to take such steps as are reasonable in the circumstances to notify individuals or ensure awareness of the APP 5.2 matters is an objective test that is informed by the circumstances of each case. The Privacy Commissioner considered the following questions for the purpose of APP 5.1:
- What were the circumstances relevant to the consideration of whether Medmate is required to take reasonable steps to notify or otherwise ensure individuals were aware of APP 5.2 matters?
- What were the relevant APP 5.2 matters?
- Did Medmate take steps to notify individuals or otherwise ensure individuals were aware of relevant APP 5.2 matters?
- Were those steps reasonable in the circumstances?
The following circumstances were relevant in determining whether it was reasonable for Medmate to take steps to notify individuals or otherwise ensure awareness of the relevant APP 5.2 matters with respect to the Website:
- Sensitivity of the personal information collected – Sensitive information should be afforded a higher level of protection than other personal information, and more rigorous steps should be taken to inform individuals when collecting their sensitive information.
- Possible adverse consequences – Information related to prescription drugs purchased, certain types of telehealth services received and/or association with certain medical or mental health conditions may pose heightened emotional and psychological challenges for individuals.
- Nature of the entity – Medmate is a for-profit entity. During the relevant period, Medmate spent a substantial amount on ad campaigns on Pixel Provider platforms.
- The practicability, including time and cost involved – The practicability of taking reasonable steps to notify individuals of APP 5.2 matters includes the time and cost involved. It was not impracticable for Medmate to take steps to notify individuals who visited the Website that it was using tracking pixels as:
  - the Website is likely to be the first point of interaction between the individual and Medmate, and Medmate had ample opportunity to notify individuals of the use of tracking pixels on the Website; and
  - Pixel Providers offer ‘consent mode’, an additional code snippet which can easily be added to websites embedded with tracking pixels to prevent the firing of the tracking pixel before appropriate notice is provided and/or consent is obtained [105].
The Privacy Commissioner found it was reasonable for Medmate to take steps to notify individuals who visited the Website of the collection of sensitive personal information via the use of tracking pixels. Accordingly, it was reasonable in the circumstances for Medmate to take steps to notify individuals who visited the Website, or otherwise ensure that they were aware of relevant APP 5.2 matters, at or before the time of collection, under APP 5.1(a) and (b) [107].
What were the relevant APP 5.2 matters?
The Privacy Commissioner found it was reasonable for Medmate to notify, or otherwise ensure individuals who visited the Website were aware of, at a minimum, the following APP 5.2 matters:
- APP 5.2(b) – to have notified or otherwise ensured that individuals who visited the Website were aware that by deploying tracking pixels, it was collecting their sensitive information, and the circumstances of that collection.
- APP 5.2(d) – to inform or otherwise ensure that individuals who visited the Website were aware that it was collecting their sensitive information via tracking pixels for the purposes of advertising and retargeting [109].
- APP 5.2(f) – It was reasonable for Medmate to notify or otherwise ensure that individuals who visited the Website were aware that Medmate Pixel Data, from which an individual’s health information could be inferred, was routinely disclosed to Pixel Providers.
Did Medmate take steps to notify or otherwise ensure that individuals were aware of relevant APP 5.2 matters?
The steps taken by Medmate to notify individuals who visited the Website of the collection, and purpose of collection, of their personal information were:
- Privacy Policy 2020, in force between 21 May 2020 and sometime between July and October 2023, which referred to:
  - collection of information related to an individual’s browser session, geolocation data, device and network information, statistics on page views and sessions, acquisition sources, search queries and browsing behaviour, information about individuals’ access and use of the Website, communications with the Website, operating system being used and domain name of the individual’s internet service provider;
  - the purpose of collection of personal information being analytics, market research and business development, as well as advertising and marketing;
  - the use and disclosure of personal information for analytics, market research and business development, as well as for advertising and marketing; and
  - the use of web beacons to monitor a web page visitor’s behaviour and collect data about the visitor’s viewing of a web page;
- Privacy Policy 2023, in force from sometime between July and October 2023, which set out:
  - collection of information related to an individual’s IP address, login data, browser session and geolocation data, statistics as to page views and sessions, device and network information, acquisition sources, search queries, browsing behaviour, access and use of the Website, communications with the Website, purchases or orders, interaction data and marketing and communications data;
  - that information about use of the Website is collected from analytics and cookie providers and marketing providers;
  - that the purpose of collection is analytics, market research and business development, and advertising and marketing;
  - how personal information was collected, including when an individual interacts directly with Medmate (on its platform, face-to-face, over the phone, over email, or online), when individuals complete a form (such as registering for any events or newsletters, or responding to surveys), or from third parties; and
  - that personal information (excluding sensitive personal information) was disclosed to marketing and advertising providers, as well as analytics providers; and
- a cookie consent pop-up implemented on the Website on 15 November 2024, which set out:
  - the Website’s use of cookies to help analyse how the Website is used and to provide personalised ads to the individual using the Website; and
  - on clicking ‘Customise’, information about the types of cookies deployed on the Website, noting that the cookies were used for the purposes of marketing and analytics such as Twitter (now known as X), Bing and Google.
The publication of a privacy policy is a separate obligation under the Privacy Act (APP 1) and, though related, would not in isolation meet the notice requirements of APP 5 [113].
Given that a tracking pixel’s first point of collection is when an individual first enters the Website, and that it continuously collects data as the individual interacts with the Website, it would have been reasonable to expect notification of the relevant APP 5.2 matters at the time the individual enters the Website. The cookie consent pop-up did not include any reference to tracking pixels or direction to more detailed information [116]. It was not sufficient to ensure that individuals who visited the Website were aware of the matters outlined in APPs 5.2(b) and (f). The pop-up did not set out, and individuals who visited the Website would not have knowledge of, the fact that Medmate had collected the information and the circumstances of that collection as required by APP 5.2(b), or that disclosures to Pixel Providers routinely occurred as required by APP 5.2(f) [117].
To meet its obligations under APP 5.1, the following steps might have been reasonable for Medmate to take:
- deploying a banner or pop-up when an individual first visits the Website which:
  - provides the required notice of the relevant APP 5.2 matters; or
  - directs individuals that visit the Website to more detailed information, or to the relevant sections of its Privacy Policy which contain the relevant APP 5.2 matters [118].
The Commissioner found that Medmate breached APP 5.1 and therefore interfered with the privacy of individuals who visited the Website, by failing to take such steps as were reasonable in the circumstances to notify those individuals whose sensitive information it collected via the tracking pixels on the Website about the matters in APP 5.2 (b), (d) and (f) [120].
APP 7 – use or disclosure of personal information for direct marketing
APP 7 applies to an entity where they ‘hold’ personal information. APP 7.1 states that:
If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.
The exceptions to this requirement are set out in APPs 7.2 to 7.4. An organisation may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the sensitive information for that purpose [122].
Did Medmate hold personal information about an individual?
Under section 6, ‘an entity holds personal information if the entity has possession or control of a record that contains the personal information.’ The term ‘hold’ extends beyond physical possession of a record to include a record that an entity has the right or power to deal with [124].
The Privacy Commissioner regarded Medmate:
- as the entity with control and authority over the collection of Medmate Pixel Data for inclusion in a record;
- as holding the personal information, as it has the right or power to deal with the record created as the result of using tracking pixels; and
- as having given instructions to, and paid, Pixel Providers for advertising services, and having instructed Pixel Providers to retarget ads on the Pixel Provider platforms based on particular parameters it set [126].
Even though it does not have physical possession of the record, Medmate has control of the record that contains the personal information collected via tracking pixels and therefore held personal information [127].
Did Medmate use or disclose sensitive information for the purpose of direct marketing?
For the purposes of APP 7.1, an essential element of direct marketing requires that individuals be identified and targeted for marketing communications. Marketing is not direct, if personal information is not used or disclosed to identify or target particular recipients [132].
Medmate’s use of tracking pixels allowed it to retarget marketing communications, being ads, to specific individuals that used Pixel Provider platforms [133], and accordingly it used or disclosed sensitive information for the purpose of direct marketing [134].
Exception APP 7.4 – Did Medmate obtain consent from individuals for the use or disclosure of sensitive information for the purpose of direct marketing?
APP 7.4 provides that an organisation may use or disclose sensitive information about an individual for the purpose of direct marketing only if the individual has consented to the use or disclosure of the information for that purpose [135].
The Commissioner was not satisfied that individuals who visited the Website during the relevant period consented to the use or disclosure of their sensitive information collected via tracking pixels for the purpose of direct marketing [137].
As consent was not sought or obtained for the use or disclosure of sensitive information it held for the purpose of direct marketing and the exception under APP 7.4 did not apply, Medmate contravened APP 7.1 [140].
Declarations
The Privacy Commissioner made the following declarations:
- under s 52(1A)(a) of the Privacy Act, that the acts and practices of Medmate, as outlined at paragraph [1], constitute an interference with the privacy of individuals, and that Medmate must not repeat or continue those acts and practices [2]; and
- under s 52(1A)(b) of the Privacy Act, that Medmate must:
  - cease collecting individuals’ sensitive information through its use of tracking pixels on the website https://medmate.com.au until such time as it implements the measures specified;
  - to the extent permitted by law, destroy all sensitive information collected via tracking pixels contained in the Pixel Provider Dashboard;
  - prior to recommencing the use of tracking pixels on the Website:
    - implement measures to obtain consent from individuals to collect their sensitive information, in a manner that is not contrary to APP 3;
    - implement measures to obtain consent from individuals to use or disclose their sensitive information for the purpose of direct marketing, in a manner that is not contrary to APP 7; and
    - take steps reasonable in the circumstances to notify and ensure individuals’ awareness of the relevant APP 5.2 matters, in a manner that is not contrary to APP 5; and
  - notify the OAIC:
    - within 90 days of the publication of this determination that it has complied with the requirements outlined; and
    - prior to recommencing the use of tracking pixels on the Website, of its intention to recommence this use and details of the steps it has taken to comply with the requirements outlined.
ISSUE
This determination is significant as it deals with the complex issue of tracking pixels and the information that is collected by them. The Privacy Commissioner’s analysis from first principles of tracking pixels and the collection and use of information is new and will be influential. It also highlights the need for organisations to be more specific about, and more appreciative of, their privacy obligations when using technology to collect information. Unfortunately the orders made are, as is typical, excessively restrained, if not weak.