24 June 2026

Pixels, consent and accountability: the OAIC’s latest warning


This article is not written or presented as legal advice or opinion. Readers should neither act on nor rely on the opinion(s) in this article and linked materials without seeking legal counsel.

In summary

  • The OAIC has found that Medmate and Monash IVF interfered with individuals’ privacy through the use of third-party tracking pixels.
  • The determinations establish that organisations remain accountable for the data collected through technologies deployed on their websites.
  • Privacy obligations extend beyond legal and compliance teams.
  • Accountability for customer data cannot be outsourced to agencies, vendors or technology platforms.
  • Organisations should review their technology stacks, consent frameworks and data governance processes before regulators do it for them.

The Office of the Australian Information Commissioner’s latest determinations against Monash IVF and Medmate are being reported as tracking pixel cases.

Importantly, the OAIC has reinforced that organisations are accountable for the data they collect, where it is shared and whether consumers have genuinely consented. More importantly, it has demonstrated how those obligations will be enforced.

We’ve previously argued that OAIC guidance is no longer theoretical and that privacy is rapidly becoming a governance issue rather than a box-ticking exercise.

While the findings focus on sensitive health information collected through third-party tracking pixels, the implications extend much further. The responsibility for privacy, consent and data governance no longer sits solely with legal, risk and compliance teams.

The pixel is yours. So is the liability.

The most important takeaway from the OAIC’s determinations is not that tracking pixels exist.

It is that responsibility remains with the organisation deploying them.

That responsibility extends beyond implementation and includes understanding what data is being collected, where it is being shared, whether consent has been obtained and how compliance is being governed over time.

Many organisations rely on third parties (agencies, platforms, technology vendors and implementation partners) to manage increasingly layered and fragmented advertising and measurement ecosystems.

If a technology deployed on your website collects and shares information in a way that creates privacy risk, the organisation remains accountable. As we recently explored in Google Tag Gateway vs Server-Side GTM, ownership and governance of measurement infrastructure is becoming increasingly important.

That principle extends well beyond tracking pixels.

It’s also important to understand what made these cases significant.

The OAIC’s determinations centred on sensitive health information, which attracts stronger protections under the Privacy Act than general personal information.

While the findings were made in a healthcare context, the implications extend to any organisation collecting or activating sensitive information. The technology involved may have been a tracking pixel, but the regulator’s focus was ultimately on the nature of the information being collected and whether appropriate consent had been obtained.

The Commissioner also noted that these obligations are not limited to health information and may apply to other categories of sensitive information, including political opinions, race and ethnicity.

For organisations, the lesson is clear: common industry practice does not automatically equal compliance. Whether data is collected through a pixel, tag, SDK, API, server-side implementation, enhanced conversion framework or clean room environment, the obligation remains the same.

The technology may change. The responsibility does not.

Why this matters to boards

What the OAIC’s determinations reinforce is that organisations can no longer treat privacy, user consent, and measurement as technical tasks to be delegated entirely to marketing agencies, legal teams, or tech vendors.

The regulator’s findings highlight a gap that exists across many organisations today: many still cannot confidently map or explain how customer data moves through their digital ecosystems. To protect against regulatory risk, boards and executive teams must be able to explicitly answer:

  • What technologies are active? Exactly what tags, pixels, Conversational APIs (CAPIs), cookies, or scripts are firing across our digital properties?
  • What data is being collected? Is it strictly limited to necessary personal data, or is it capturing or inferring sensitive information?
  • Where is it going? Where is the data being transmitted, and do any linked third-party tools share that data unexpectedly?
  • Who has access? Who has data access at that destination, and are those platforms compliant with the Australian Privacy Principles (APPs)?
  • Is consent valid? Does our user consent framework accurately and transparently reflect our live data collection and distribution practices?
  • Who owns the governance? Who is internally accountable for ongoing oversight and preventing compliance drift?

These are not simply isolated marketing or legal questions; they are now fundamental organisational governance questions. Privacy is not a point-in-time compliance exercise, but an ongoing governance process.

You can outsource your media buying and you can outsource your technical implementation, but as these determinations prove, you cannot outsource the ultimate responsibility for your customer data. The organisations best positioned for the future will be those that can demonstrate absolute visibility, control, and accountability across their data and measurement ecosystems. Those that move now have a clear opportunity to build stronger governance foundations and greater customer trust; those that wait may find themselves explaining that delay to a regulator.

Louder’s recommendations

We recommend organisations take five immediate actions:

  • Audit all pixels, tags, SDKs, APIs and measurement technologies currently deployed across all digital properties.
  • Conduct a Privacy Impact Assessment to understand where personal information is collected, shared and activated.
  • Review consent frameworks to ensure they accurately govern data collection and signal distribution.
  • Design and establish clear ownership and accountability for privacy, measurement and data governance.
  • Regularly review technology configurations to prevent compliance drift as websites, platforms and campaigns evolve.




About Andrew Hughes

Andrew is a Consultant and Partner at Louder, focussing on how clients can maximise their return from digital media investments.