More OAIC Guidance… This Time On Pixels

The privacy issues associated with the use of cookies in Australia has arguably been unclear for some time.   This has been addressed by the release by Office of the Australian Information Commissioner (OAIC) of new guidance for organisations when using third-party tracking pixels on their website

The OAIC has been busy, with this new publication adding to the guidance it has released in the last few months covering:

• Guidance on AI for developers, see our blog post here;
• Guidance on AI for users, see our blog post here; and
• Guidance on privacy issues for not-for-profits, see our blog post here.

This new Guidance shouldn’t present any real surprises to privacy professionals, for example, it doesn’t advocate for separate consent banners though it does highlight the importance of transparency. It does list the types of data collected that could be considered personal information, such as network information, URL information, pages visited etc, which is handy.

It is perhaps of most interest as potentially flagging an area that the OAIC may become more active in. Doing a website sweep for cookies and then checking against the disclosure in your privacy policy is the sort of automated task that regulators could easily undertake (and which has already been done to good effect by organisations like NOYB in the EU – more here).

This blog post provides a short summary of the new guidance.

What are pixels?

A tracking pixel is a piece of code generated by a third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.

Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms. They can be important to business for analysis, advertising and measurement of return on investment. However, they can also be invasive and hidden, collecting and sharing personal information about your online behaviours usually without your knowledge.

Key points about Pixels

• Compliance with Privacy Act: Conduct appropriate due diligence before using pixels on your website (perhaps a Privacy Impact Assessment?) to make sure you comply with the Privacy Act
• Data minimisation: Adopt a data minimisation approach and configure pixels to limit the collection of personal information to the minimum necessary 
• Sensitive Information: Don’t collect or disclose sensitive information through tracking pixels (you probably need consent)
• Transparency: Ensure your privacy policies and notifications contain clear and transparent information about the use of third-party tracking pixels (APPs 1 and 5).
• Purpose limitation: Personal information shared via tracking pixels should be used only for the primary purpose it was collected for, or a secondary purpose with a valid exception 
• Overseas transfers: If information is sent overseas by third-party providers, organisations must ensure the recipient complies with the APPs, unless an exception applies.
• Direct marketing compliance: When using tracking pixels for targeted online ads, organisations must comply with direct marketing rules under APP 7, including offering an opt-out option for individuals.
• Ongoing reviews: Organisations should regularly review the tracking technologies used to ensure continued compliance with privacy obligation

Personal information collected by pixels

The Privacy Act only applies where personal information is collected.  Personal information is information from which an individual is identified or reasonably identifiable.  The application of this definition to pixels has always been contentious, with some arguing that unless you have a name, the information collected about a user can’t be regarded as personal information.

The OAIC disagrees. According to the guidance:

Individuals do not necessarily need to be identified from the specific information being handled to be ‘reasonably identifiable’ under the Privacy Act. An individual can be ‘reasonably identifiable’ where the information collected through a third-party tracking pixel (such as an IP address, URL information, or a hashed email address) is able to be linked or matched with other information held by the third-party platform. In these circumstances, both the organisation and the third-party platform will have privacy compliance obligations in relation to this information.

Types of information collected by tracking pixels that may be personal information for the purposes of the Privacy Act includes:

• Information collected: Form inputs such as name, address, date of birth, email address and phone number
• Information collected: Transaction data such as items viewed and cart additions
• Information collected: Network information (such as IP address) and geolocation data
• Information collected: URL information
• Information collected: Other activity data such as pages visited, content viewed, session duration.

Privacy by design

A recommendation to ensure pixels are deployed properly, particularly third-party tracking pixels where data will be shared with third parties is to take a privacy by design approach, and to do a Privacy Impact Assessment.

Questions to be asked as part of that PIA may include:

• What information will be collected by the tracking pixel (for example, will sensitive information be collected)? How can the pixel be configured to prevent or minimise the collection and disclosure of personal information?
• How will the third-party provider use and disclose the personal information? Will the third-party provider use the data for their own commercial purposes or share it with other entities?
• Will the information be sent overseas? If so, to what countries?
• How will the information be secured and how long will it be retained?
• Does the third-party provider have appropriate processes in place to protect personal information and comply with any obligations it has under the Privacy Act?

(More information from the OAIC on Privacy by design.)

Conclusion

The guidance makes clear that Australia organisation are responsible for ensuring that third-party tracking pixels are configured and deployed on their websites in a way that is compliant with the Privacy Act.

Before deploying a third-party pixel, organisations must understand how they work, identify the potential privacy risks involved and implement measures to mitigate those risks, and not adopt a ‘set and forget’ approach.

Failing to conduct appropriate due diligence can create a range of privacy compliance and other legal risks.