Use tracking pixels? You could be breaching privacy laws
New rules around the use of tracking pixels put the onus firmly on businesses to ensure they are compliant. Could this spell disaster for the pair of shoes that’s been following you around the internet? Richard Taylor, managing director of Digital Balance, explains.
Tracking pixels, those tiny, invisible images embedded in websites and emails, have become a ubiquitous tool for businesses to gather data about user behaviour.
Your business is probably using them right now to keep tabs on where your customers are and to chase them with products they briefly glanced at on your website. But the question is, are you using them legally?
Recent guidance from the Office of the Australian Information Commissioner (OAIC) has shed light on how Australia’s privacy laws apply to these powerful tools.
If you’re using tracking pixels, the onus is on you to ensure you have a valid legal basis for collecting and using data. And this new guidance from the OAIC calls for transparency about their use.
So where to start?
What are tracking pixels and how are they used?
Tracking pixels, also known as web beacons or pixel tags, are essentially lines of code that trigger the download of a tiny, invisible image when a user opens an email or visits a webpage.
This seemingly innocuous action can reveal a surprising amount of information, including:
- User activity: When the pixel loads, it can confirm that an email was opened or a webpage was visited.
- Device information: It can collect details about the user’s device, such as IP address, browser type, and operating system.
- Location data: Sometimes, the pixel can approximate the user’s location.
- Behavioural insights: Combined with other data, tracking pixels help build detailed user profiles, including interests, preferences, and online habits.
You can leverage this information for:
- Measuring campaign effectiveness: Tracking email open rates and website visits.
- Retargeting ads: Showing users ads for products or services they’ve previously viewed.
- Website traffic analysis: Understanding user behaviours to refine website design.
- Personalising content: Tailoring content based on user preferences.
The OAIC’s guidance: transparency and consent
While the Privacy Act does not prohibit the use of pixels, the OAIC’s guidance underlines the importance of businesses being transparent about how they use personal information. This includes informing individuals about what information is being collected, how it will be used, and who it will be shared with.
This means you must:
- Provide clear information on pixel use: Make details on tracking pixels accessible to users, such as through privacy policies or cookie notices.
- Obtain valid consent: For the collection of sensitive information, consent must be freely given, specific, informed, and unambiguous. This may require businesses to provide a clear choice to opt-in to tracking pixels.
- Limit usage to the stated purposes: Data collected by tracking pixels should only be used for the purposes stated at collection. If businesses want to repurpose the data, further consent is necessary.
Data minimisation: a crucial principle
The OAIC also highlights the importance of data minimisation, meaning organisations should only collect the personal information they need for a specific purpose. You should avoid collecting information that is not necessary for your purpose.
For example, if you use tracking pixels to measure email open rates, you may not need to collect device details or location data. Being mindful of the necessity of data points can prevent privacy infringements.
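The open-rate case above can be enforced in the pixel endpoint itself, as in this added example (not code from the OAIC guidance or from the author). The purpose names, the `c` and `r` query parameters, the opt-in gate and the sample hit are all assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed policy: the only fields each declared purpose may keep.
PURPOSE_FIELDS = {
    "open_rate": {"campaign", "day"},
    "traffic_analysis": {"campaign", "day", "browser_family"},
}


def browser_family(user_agent):
    """Reduce a User-Agent string to a coarse label; the full string is never stored."""
    for token, label in (("Firefox", "Firefox"), ("Edg", "Edge"),
                         ("Chrome", "Chrome"), ("Safari", "Safari")):
        if token in user_agent:
            return label
    return "other"


def minimised_record(url, headers, remote_addr, purpose, consented, now):
    """Return the record to store for one pixel hit, or None if nothing may be stored."""
    allowed = PURPOSE_FIELDS.get(purpose, set())
    if not consented or not allowed:
        return None  # no opt-in, or no declared purpose: store nothing
    query = parse_qs(urlsplit(url).query)
    candidate = {
        "campaign": query.get("c", ["unknown"])[0],
        "day": now.strftime("%Y-%m-%d"),  # day granularity, not a precise timestamp
        "browser_family": browser_family(headers.get("User-Agent", "")),
    }
    # remote_addr and the per-recipient "r" parameter are deliberately never copied.
    return {key: value for key, value in candidate.items() if key in allowed}


# Constructed sample hit (documentation IP range, made-up identifiers).
SAMPLE_URL = "https://mail.example.com/p.gif?c=spring-sale&r=user-8841"
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                                "AppleWebKit/537.36 (KHTML, like Gecko) "
                                "Chrome/126.0.0.0 Safari/537.36"}
SAMPLE_IP = "203.0.113.7"
SAMPLE_TIME = datetime(2024, 11, 20, 9, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for purpose in ("open_rate", "traffic_analysis", "retargeting"):
        print(purpose, minimised_record(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_IP,
                                        purpose, True, SAMPLE_TIME))
```

Filtering at the point of collection means the IP address, full User-Agent and recipient identifier never reach storage, so they cannot later be repurposed.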
Implementing a cookie management platform (CMP) for compliance
With privacy regulations tightening globally, adopting a Cookie Management Platform (CMP) is a proactive step for businesses looking to ensure compliance beyond Australia’s borders. CMPs help organisations manage user consent for cookies and tracking technologies, providing a structured approach to obtaining and recording consent as required under laws like the General Data Protection Regulation (GDPR) in the European Union.
A CMP can offer significant benefits:
- Simplified consent management: CMPs streamline consent collection and logging, helping businesses meet transparency and consent requirements across different jurisdictions.
- Enhanced user control: By giving users clear choices to opt in or out of tracking pixels, CMPs contribute to a more privacy-focused user experience.
- Future readiness for Australian privacy changes: The next round of amendments to the Australian Privacy Act, expected next year, is anticipated to strengthen requirements for consent and transparency, making CMPs an invaluable tool to stay ahead of regulatory changes.
Penalties for non-compliance
Non-compliance with Australian privacy laws can carry significant penalties. The OAIC can impose fines of up to $2.2 million for serious or repeated breaches, making it crucial for all of us to take these guidelines seriously.
Best practices for using tracking pixels
To ensure compliance with Australian privacy laws, adopt these best practices:
- Conduct a Privacy Impact Assessment (PIA): This assessment helps identify and mitigate any privacy risks associated with tracking pixels.
- Be transparent about pixel use: Provide clear, concise information about the data being collected, its purpose, and any third parties involved.
- Obtain valid consent: Make sure users actively consent to data collection through tracking pixels.
- Implement data minimisation: Only collect personal information necessary for your purpose.
- Regularly review practices: Stay updated with the OAIC’s latest guidance and adjust practices to stay compliant.
Tracking pixels can be a valuable tool for businesses, but using them responsibly and in line with Australian privacy laws is essential.
By implementing a Cookie Management Platform and following the OAIC’s guidance, businesses can safeguard their customers’ privacy, ensure compliance, and stay prepared for future legislative changes.
Richard Taylor is the managing director of Digital Balance.
The most fundamental aspects of the guidance in relation to existing Australian Privacy Principles are entirely absent from what is clearly an automated summary of the hard work the OAIC put into their much needed guidance. It’s concerning that the internet advertising industry is increasingly claiming technical privacy expertise with generated articles like this, without demonstrating real understanding of the legal issues they themselves have perpetuated with these technologies. It’s reminiscent of an antivirus business creating the very viruses they then sell solutions for.
It’s not just this article that I see as problematic. Someone in our commercial team sent us another article from the Internet Advertising Bureau Australia’s blog itself last month that was a similar “technical sales pitch under the guise of ‘Privacy Advice’”, clearly generated using ChatGPT without any subject matter expertise.
Even at a technical level above, the conflation of Cookie Management with Consent Management demonstrates the dangers of using ChatGPT without subject matter expertise to validate the output on such a nuanced topic that seems simple at the surface level.
I apologise if I sound frustrated, but privacy isn’t just a new revenue stream – it’s a field where many of us have invested 15+ years developing expertise across all areas before it became fashionable with the internet industry. I’m not saying that LLMs are bad for productivity, and I welcome others learning about privacy. I’m just saying that like a ‘license to operate machinery’, editors need to start demanding to see the ‘subject matter license’ and ‘years of operating experience’ from anyone submitting opinion pieces generated like this using LLMs.
User ID not verified.
Very few tracking pixels that I have researched actually provide user location data, though I wish they did as it would be a valuable indicator of readership.
For example, if I send an email newsletter and receive 10 opens without this type of information, I cannot determine whether one person opened it 10 times or whether someone received it and forwarded it to 9 other people.
Let me share a real example: I once sent a newsletter containing confidential information. I believe it was forwarded to a competitor, and I only discovered this through analyzing the unusual patterns of opens.
Only with this info can I establish how my newsletters are being distributed and read.