15 November 2024
Updated guidelines for use of third party tracking pixels
This article is not written or presented as legal advice or opinion.
Readers should neither act on, nor rely on, the opinion(s) in this article and linked materials without seeking legal counsel.
Whilst Australian Privacy legislation changes have been pushed back, this has not limited the change in interpretations of existing laws by the Office of the Australian Information Commissioner (OAIC). The most recent “guidelines” offer an OAIC interpretation of how existing legislation should be considered by organisations relating to the use of pixels and the passing of personal information by businesses to online platforms.
“The Office of the Australian Information Commissioner has powers under the Privacy Act 1988 and other legislation to make or approve legally binding rules and guidelines. These are legislative instruments and are generally required under the Legislative Instruments Act 2003 to be registered and published on the Federal Register of Legislative Instruments and tabled in the Parliament.
To assist agencies and organisations, the OAIC also issues non-binding guidelines.”
Inaction is not an option
The publication of these guidelines marks a substantial shift in the level of detail provided by the OAIC, giving specific guidelines on the use of tracking pixels, the broader business considerations, and the privacy impacts for both End Advertisers and their Agencies.
This shift is a validation of many of the recommendations (see owning your own tech stack) that Louder have provided over recent years relating to critical considerations for End Advertisers (website, app and business owners) in their marketing activities.
Informed user consent and an adoption of many of the “data use” principles that Louder recommends to clients are referenced directly in these guidelines. Louder currently work with client (Independent Agency AND End Advertisers) stakeholders’ data teams to consult and support as specialist experts relating to the use of First Party Data in marketing and advertising contexts.
The inclusion of “the use of personal information” under the Direct Marketing advice APP 7 means that any CAPI, Customer Match or Audience Creation may be impacted by these changes. This will inevitably result in changes to marketing performance and measurement in digital channels.
These guidelines provide specific clarity on topics which have been more open to interpretation previously. This is a welcome change and an expected shift since the appointment of Carly Kind to the OAIC, whose extensive expertise in legal and privacy roles in Europe, including
Notable takeaways
- Consent management is here, now. Cookie opt-out or firewalls will impact measurement, performance and media effectiveness (targeting, segmentation, personalisation), potentially very swiftly
- This affects any third party tool that relies on third party code, regardless of whether it is deployed as first party code on the server-side or client-side in the browser
- Data collection should not mean collecting everything and then taking slices or views of what you require, but collecting only what you need (data expiry and deletion)
- This could impact, and is not limited in its application to, web analytics, web measurement, personalised experience tools, CRM and ERP systems, affiliate measurement, as well as loyalty and voucher schemes
- Sensitive information collection, with consent from the user, is specifically mentioned
- Covert data collection is presented as non-compliant with the guidelines. Examples may include but are not limited to device, browser and user fingerprinting, app tracking, cross device, cross site, CDP or data enrichment tools
- The definition of primary purpose, unless an exception applies - off owned and operated use or data sharing may be limited by this
- Data sovereignty is raised as a concern from a data perspective. We have seen similar actions in the US, but conversion APIs and custom/customer audiences are likely impacted for both targeting and attribution
- The use of data for targeting individuals is now clearly classified as direct marketing, resulting in the clear application of existing legislation and other guidelines
- Consider informed opt in consent for sensitive information and data minimisation for any collection of personal information
- Ensure transparency when using personal information with third party pixels or services
- This is not a set and forget situation. Impact assessments should be regular and ongoing, rather than a framework to follow, and the obligations are clear that this relates to the company whose assets are being tagged, not their agency.
Some considerations for Australian businesses
End advertisers
- Own your technology, data and marketing assets and apply whole of organisation governance to these, including for your third party providers, such as agencies or partners
- Sharing of Personal Data with any publishers, technologies or marketing partners should only be considered after conducting a robust privacy impact assessment - considering data minimisation, user informed consent, data destination sovereignty, and the data destinations’ own APP compliance for the resulting use of the data
- This OAIC guidance doesn’t cover “all” privacy considerations, but provides a view into how many Advertisers are using customer data (both pixel based and personal information) in digital marketing and advertising environments
- Due diligence and impact assessment of deployment of third party pixels or code should be conducted on an ongoing basis, rather than as a one-time activity, to ensure compliance with both the Australian Privacy Act and the Australian Privacy Principles
- Don’t blanket collect everything; this could be as impactful to tools such as Google Analytics, Adobe Analytics or Snowplow, where views are created as a subset of a master dataset
Agency and partner considerations
- It is Louder’s interpretation that an agency would be responsible for, and restricted by, these guidelines through the end client’s obligations of compliance for any data collection or tag deployment, and any sharing of personal data, on behalf of any client. Louder encourages agencies to take their own legal advice on this topic, as to their liabilities and the clarity of the expectations that may now apply to the use of this data in the agency owned technologies and tools.
- The implications for tracking transparency will now be a major compliance hurdle for agencies and brands, if they are not already. Providing clear and concise information around data collection and the involvement of third parties will be crucial. Key understanding will be required on what data is being collected and how to further shape consent management.
- Ownership of the technology stack is imperative to ensure governance in the form of access to data and future proofed implementation across owned and operated properties. Given the significant penalties for non-compliance, it is incumbent on clients and agencies to have a fully governed stack that considers data minimisation practices, consent and tracking transparency. Advertising within a blended agency run buying platform, where multiple advertisers are crossing over within one stack, will no longer be the norm.
- Consent is coming and will play a major role in shaping the Australian digital economy. The election looms as a marker for these changes to be fully realised, yet all clients should be planning for ‘fair and reasonable’ tests and various levels of consent as a value exchange with existing and future customers.
This article is not considered to be exhaustive, but provides an initial and immediate response to the OAIC’s publication of these guidelines, and shares Louder’s initial interpretation and application to the context of Marketing, Media and Advertising landscapes. These views may of course be subject to change over time, and with further guideline definition.
Resources
- OAIC privacy guidelines on tracking pixels and privacy obligations [Published 4th November]