
In today’s digital landscape, cookies and tracking pixels are essential tools for businesses to personalise content and optimise marketing strategies. However, with great data comes great responsibility.

While these tools are integral to modern marketing, they can quickly become a liability if they are used without valid consent or in ways that are inconsistent with your obligations under the Privacy Act 1988 (Cth) (Privacy Act). This article outlines the privacy compliance issues for organisations using cookies and tracking pixels, offering practical insights to ensure you get the benefit of these tools while also complying with your privacy obligations.

What are cookies and tracking pixels?

Cookies allow you to collect and store user information when users visit your organisation’s website. Cookies improve the user experience because they can remember login details, customisations and forgotten items in shopping carts. If you’re wondering how that item you left in your virtual basket ended up all over your social media newsfeed, the answer is tracking pixels.

Tracking pixels are a powerful marketing tool provided by third-party vendors, enabling businesses to track user activity on their websites and emails. The data collected by the tracking pixel is sent back to the third-party vendor for analysis and further use, such as targeting ads or measuring campaign effectiveness. The business hosting the pixel is provided an interface to view the user’s engagement, while the third-party vendor can aggregate that data for their own purposes.

What does the Privacy Act have to do with it?

The Privacy Act does not expressly regulate the use of cookies or pixels. However, organisations will have privacy obligations in relation to their use of cookies and tracking pixels where the use of those tools results in the collection, use or disclosure of personal information.

For the purposes of the Privacy Act, 'personal information' means information or an opinion about an individual who is identified or who is reasonably identifiable. An individual may be reasonably identifiable where information about them is matched with other information held by your organisation. For example, if information collected through a third-party tracking pixel (such as an IP address, URL information or an email address) is linked or matched with other information held by your organisation, you may be collecting personal information and be required to comply with the Privacy Act in the handling of that information. We also know that the Commonwealth has flagged, as part of its Privacy Act reform agenda, a proposed amendment to the definition of 'personal information' which, if commenced, will expand the definition to include IP addresses and URL information (see our recent article about Privacy Act reform, tranche 1 – Major changes on the horizon: Privacy Act reform signals more changes to come).

Recognising the widespread use of cookies and tracking pixels and the potential impact on the privacy of users, the Office of the Australian Information Commissioner (OAIC) has recently published guidance which sets out general obligations organisations should pay regard to when using cookies or tracking pixels as part of their business (see Tracking pixels and privacy obligations | OAIC).

In providing its guidance, the OAIC states that “[g]iven the potential privacy risks and significant community concern about the use of tracking technologies, the OAIC strongly encourages organisations to err on the side of caution and comply with the Privacy Act when using third-party tracking pixels on their website.”

Ensuring Privacy Act compliance

To help businesses ensure their use of cookies and tracking pixels complies with the Privacy Act, we encourage businesses to consider the following:

1. Assess whether your cookie or tracking pixel is collecting personal information

The OAIC suggests businesses using cookies and tracking pixels should assume the following data is likely to be personal information (in addition to the user's name and email address):

  • transaction data such as items viewed and cart additions
  • network information (such as an IP address) and geolocation data
  • URL information, and
  • other activity data such as pages visited, content viewed, session duration.

On this basis, businesses need to critically review their cookies and tracking pixels and assess whether they are collecting this type of information and, if they are, take steps to ensure the collection and handling of personal information by the tool complies with the Privacy Act.

2. Get a compliant consent

Getting the user to consent to the collection and handling of their personal information by the cookie or tracking pixel can be a good way to ensure your organisation complies with its Privacy Act obligations, especially if you intend to use the data you have collected for direct marketing purposes.

To ensure your consent is valid, it must be informed, voluntary, given freely and given with capacity. For businesses that specifically target children or young persons, you will need to carefully consider whether a parent or guardian needs to give consent for the cookie or tracking pixel (or whether the use of cookies and pixels is appropriate in the first place).

In addition to getting a valid consent, the OAIC recommends businesses give users a clear opt-out from receiving targeted online ads using tracking pixels. For example, consider using a banner or pop-up when the user first visits your website which provides notice of the third-party pixel for marketing or advertising purposes and provides an opt-out.

3. Understand what data you are sharing with the third-party vendor

An important step for any business deploying cookies or tracking pixels is to assess what information is being sent to the third-party vendor. In undertaking your due diligence, it is essential to configure your tracking pixels to limit the collection of personal information to the minimum amount that is reasonably necessary in the circumstances. Sensitive information, such as a user’s request for online counselling services, or the desire for wheelchair access on a train ticket, must not be disclosed to a third-party unless the user has given their consent for the collection and disclosure of their sensitive information.

Ensure that your contractual arrangement with the third-party vendor adequately covers your Privacy Act obligations, is clear about what the third-party vendor can, and cannot, do with the personal information provided to them, and sets out who is responsible for assessing and responding to any notifiable data breach should such a breach occur.
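One practical way to carry out the due diligence described in steps 1 and 3 is to capture the requests a pixel actually fires (for example from the browser's network log) and check their parameters against the OAIC's categories of likely personal information, then strip anything that is not on an allow-list before the beacon leaves the page. The following is an added example written for this article, not code from the OAIC or from any pixel vendor; the vendor hostname, parameter names and sample request URLs are constructed, and a real vendor's parameter names would need to be mapped from its documentation.

```javascript
// Added example: audit captured tracking-pixel requests for parameters that
// the OAIC guidance says should be treated as likely personal information,
// and minimise a request to an allow-list before it is sent.
// The categories mirror the article's step 1. Parameter names, the vendor
// hostname and the sample URLs are constructed for this example.

const LIKELY_PERSONAL = {
  identity: ['email', 'em', 'name', 'fn', 'ln', 'phone', 'ph'],
  network: ['ip', 'client_ip', 'lat', 'lng', 'geo'],
  transaction: ['items', 'cart', 'product_id', 'sku'],
  activity: ['page', 'url', 'referrer', 'dl', 'dr', 'session_duration'],
};

// Values hinting at sensitive information (health, disability), which the
// article says must not reach a third party without consent. Illustrative only.
const SENSITIVE_PATTERNS = [/counsel/i, /health/i, /wheelchair/i, /disab/i];

// Inspect one pixel request URL and list every parameter that falls into a
// likely-personal category, plus any value that looks sensitive.
function auditPixelRequest(urlString) {
  const url = new URL(urlString);
  const findings = [];
  for (const [key, value] of url.searchParams) {
    for (const [category, names] of Object.entries(LIKELY_PERSONAL)) {
      if (names.includes(key.toLowerCase())) {
        findings.push({ param: key, category });
      }
    }
    if (SENSITIVE_PATTERNS.some((re) => re.test(value))) {
      findings.push({ param: key, category: 'sensitive' });
    }
  }
  return { vendor: url.hostname, findings };
}

// Data minimisation: keep only allow-listed parameters. Run this on the
// request before it is dispatched so the vendor never receives the rest.
function minimisePixelRequest(urlString, allowList) {
  const url = new URL(urlString);
  const removed = [];
  for (const key of [...url.searchParams.keys()]) {
    if (!allowList.includes(key)) {
      url.searchParams.delete(key);
      removed.push(key);
    }
  }
  return { url: url.toString(), removed };
}

// Summarise a batch of captured requests per vendor: how many requests and
// which personal-information categories were seen.
function auditBatch(urlStrings) {
  const summary = {};
  for (const u of urlStrings) {
    const { vendor, findings } = auditPixelRequest(u);
    summary[vendor] = summary[vendor] || { requests: 0, categories: new Set() };
    summary[vendor].requests += 1;
    findings.forEach((f) => summary[vendor].categories.add(f.category));
  }
  return summary;
}

// Constructed sample requests, as they might appear in a browser network log.
const SAMPLE_REQUESTS = [
  'https://pixel.example-vendor.test/tr?id=123456&ev=PageView' +
    '&dl=https%3A%2F%2Fshop.example.test%2Fcart&em=jane%40example.test',
  'https://pixel.example-vendor.test/tr?id=123456&ev=AddToCart' +
    '&sku=TRAIN-001&note=wheelchair%20access%20requested',
];

// Parameters the business has decided are necessary for the vendor to count
// events; everything else is stripped. Constructed allow-list.
const ALLOW_LIST = ['id', 'ev'];

for (const req of SAMPLE_REQUESTS) {
  console.log(auditPixelRequest(req));
  console.log(minimisePixelRequest(req, ALLOW_LIST));
}
```

Running the audit over a day's captured requests gives a per-vendor view of which of the OAIC's categories are actually leaving your site, which is the evidence a privacy impact assessment needs; the allow-list wrapper is the configuration change that keeps the pixel within the minimum reasonably necessary.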

4. Be clear on where the data is going

When negotiating with third-party vendors for use of these tools, it is also important to understand where the data being collected and handled by the cookie or pixel is being sent (including, for example, any part of the data flow that will send data offshore), so your business can take steps to ensure compliance with APP 8, which regulates the sending of personal information outside of Australia.

5. Undertake a Privacy Impact Assessment

Businesses must be transparent about the collection, use and disclosure of personal information and the use of personal information for direct marketing purposes. In its recent decision in relation to the collection of personal information by Bunnings (in the form of biometric information; see Facial recognition practices found to breach the Privacy Act), the OAIC set out its expectations in relation to compliance with APP 1 including, relevantly, an expectation that businesses will undertake a privacy impact assessment (PIA) to assess the privacy risk associated with the collection of personal information which has the potential to affect the privacy rights of individuals. This decision also highlighted the importance of ensuring a business’s means of collection is proportionate to any intrusion on an individual’s privacy, which re-emphasises the importance of configuring tracking pixels in a minimalist manner.

APP entities must have a clear and up-to-date privacy policy which notifies individuals of the use of third-party tracking pixels and other matters listed in APP 5.2 as are reasonable in the circumstances including, for example, if data collected by the cookie or pixel is routinely disclosed to a third party or sent overseas.

More to come - Watch this space!

The OAIC is keeping a close eye on the use of emerging technologies such as AI, automation, biometrics and tracking tools and the impact of those tools on the privacy of individuals. We recommend businesses carefully assess the use of these tools to ensure the business benefits are balanced against the privacy impact on individuals.
