November 11, 2024

Use tracking pixels? You could be breaching privacy laws

New rules around the use of tracking pixels put the onus firmly on businesses to ensure they are compliant. Could this spell disaster for the pair of shoes that’s been following you around the internet?

Tracking pixels, those tiny, invisible images embedded in websites and emails, have become a ubiquitous tool for businesses to gather data about user behaviour.  

Your business is probably using them right now as it keeps tabs on where your customers are and chases them with products they briefly glanced at on your website. But the question is, are you using them legally?

Recent guidance from the Office of the Australian Information Commissioner (OAIC) has shed light on how Australia’s privacy laws apply to these powerful tools.  

If you’re using tracking pixels, the onus is on you to ensure you have a valid legal basis for collecting and using data. And this new guidance from the OAIC calls for transparency about their use.  

So where to start? 

What are tracking pixels and how are they used? 

Tracking pixels, also known as web beacons or pixel tags, are essentially lines of code that trigger the download of a tiny, invisible image when a user opens an email or visits a webpage.

This seemingly innocuous action can reveal a surprising amount of information, including: 

  • User activity: When the pixel loads, it can confirm that an email was opened or a webpage was visited. 
  • Device information: It can collect details about the user’s device, such as IP address, browser type, and operating system. 
  • Location data: Sometimes, the pixel can approximate the user’s location. 
  • Behavioural insights: Combined with other data, tracking pixels help build detailed user profiles, including interests, preferences, and online habits. 
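To see which pixels a page or email template actually loads, and what each request hands over, a site owner can scan their own HTML for invisible images. The sketch below is an added example, not part of the original article; the hosts, parameter names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample page; every host and parameter name is made up.
SAMPLE_HTML = """
<img src="/assets/logo.png" width="120" height="40" alt="Shop logo">
<img src="https://tracker.example.net/open.gif?uid=8841&amp;campaign=spring&amp;email=a%40b.example" width="1" height="1" alt="">
<img src="https://shop.example/px?page=checkout" style="display:none">
<img src="https://cdn.example.org/hero.jpg" style="max-width: 100%">
"""
# Inline styles that hide an image or shrink it to zero or one pixel.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def _tiny(value):
    # True when a width/height attribute is 0 or 1, with or without "px".
    return re.fullmatch(r"[01](px)?", (value or "").strip(), re.I) is not None

class PixelFinder(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: v or "" for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 dimensions")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if not reasons:
            return
        url = urlsplit(a.get("src", ""))
        host = url.hostname or self.first_party  # relative src is first party
        own = host == self.first_party or host.endswith("." + self.first_party)
        # Parameter names show what each request hands to the receiving server.
        params = sorted(k for k, _ in parse_qsl(url.query))
        self.findings.append({"host": host, "third_party": not own,
                              "params": params, "reasons": reasons})

def find_tracking_pixels(html, first_party_host):
    finder = PixelFinder(first_party_host)
    finder.feed(html)
    return finder.findings
```

Calling `find_tracking_pixels(SAMPLE_HTML, "shop.example")` returns one third-party pixel carrying `campaign`, `email` and `uid` parameters and one first-party hidden image, which is the kind of inventory a privacy policy or cookie notice has to describe.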

You can leverage this information for: 

  • Measuring campaign effectiveness: Tracking email open rates and website visits. 
  • Retargeting ads: Showing users ads for products or services they’ve previously viewed. 
  • Website traffic analysis: Understanding user behaviours to refine website design. 
  • Personalising content: Tailoring content based on user preferences. 

While the Privacy Act does not prohibit the use of pixels, the OAIC’s guidance underlines the importance of businesses being transparent about how they use personal information. This includes informing individuals about what information is being collected, how it will be used, and who it will be shared with.

This means you must: 

  1. Provide clear information on pixel use: Make details on tracking pixels accessible to users, such as through privacy policies or cookie notices.
  2. Obtain valid consent: For the collection of sensitive information, consent must be freely given, specific, informed, and unambiguous. This may require businesses to provide a clear choice to opt-in to tracking pixels.
  3. Limit usage to the stated purposes: Data collected by tracking pixels should only be used for the stated purposes. If businesses want to repurpose the data, further consent is necessary.

Data minimisation: a crucial principle 

The OAIC also highlights the importance of data minimisation, meaning organisations should only collect the personal information they need for a specific purpose. You should avoid collecting information that is not necessary for that purpose.

For example, if you use tracking pixels to measure email open rates, you may not need to collect device details or location data. Being mindful of the necessity of data points can prevent privacy infringements. 

With privacy regulations tightening globally, adopting a Cookie Management Platform (CMP) is a proactive step for businesses looking to ensure compliance beyond Australia’s borders. CMPs help organisations manage user consent for cookies and tracking technologies, providing a structured approach to obtaining and recording consent as required under laws like the General Data Protection Regulation (GDPR) in the European Union. 

A CMP can offer significant benefits: 

  • Simplified consent management: CMPs streamline consent collection and logging, helping businesses meet transparency and consent requirements across different jurisdictions. 
  • Enhanced user control: By giving users clear choices to opt in or out of tracking pixels, CMPs contribute to a more privacy-focused user experience. 
  • Future readiness for Australian privacy changes: The next round of amendments to the Australian Privacy Act, expected next year, is anticipated to strengthen requirements for consent and transparency, making CMPs an invaluable tool to stay ahead of regulatory changes. 

Penalties for non-compliance 

Non-compliance with Australian privacy laws can carry significant penalties. The OAIC can impose fines of up to $2.2 million for serious or repeated breaches, making it crucial for all of us to take these guidelines seriously. 

Best practices for using tracking pixels 

To ensure compliance with Australian privacy laws, adopt these best practices: 

  • Conduct a Privacy Impact Assessment (PIA): This assessment helps identify and mitigate any privacy risks associated with tracking pixels.
  • Be transparent about pixel use: Provide clear, concise information about the data being collected, its purpose, and any third parties involved.
  • Obtain valid consent: Make sure users actively consent to data collection through tracking pixels. 
  • Implement data minimisation: Only collect personal information necessary for your purpose. 
  • Regularly review practices: Stay updated with the OAIC’s latest guidance and adjust practices to stay compliant. 

Tracking pixels can be a valuable tool for businesses, but using them responsibly and in line with Australian privacy laws is essential.

By implementing a Cookie Management Platform such as Usercentrics Cookiebot or OneTrust and following the OAIC’s guidance, businesses can safeguard their customers’ privacy, ensure compliance, and stay prepared for future legislative changes. 
