Privacy Commissioner Carly Kind published two determinations on 24 June 2026 that should be read by every Australian CMO, CTO, and general counsel before the end of the week. Medmate, an online pharmacy and telehealth provider, and Monash IVF, one of the country's largest fertility groups, were both found to have breached the Privacy Act through tracking pixels embedded in their websites.
The pixels are not exotic. They are the same Meta Pixel and TikTok Pixel used by a large proportion of the Australian SaaS, ecommerce, healthtech, and professional services market. The breach was not built on edge-case behaviour. It was built on the default configuration that thousands of marketing teams ship without legal review.
That is what makes these determinations the most consequential privacy enforcement of the post-reform period. They convert a piece of standard martech plumbing into a regulated activity, and they do it with named companies, specific URL strings, and the kind of factual record that other regulators and class action lawyers will quote for years.
What the OAIC Actually Found
In the Medmate matter, the regulator established that the Meta Pixel and TikTok Pixel embedded across the company's website transmitted full URL strings to Meta and ByteDance. Those URLs exposed searches and product pages for contraception, urinary tract infection treatments, and bacterial vaginosis assessments. The Commissioner ruled that information of this nature constituted sensitive health information under the Privacy Act, that its transmission to third parties without specific consent was a breach of Australian Privacy Principle 6, and that Medmate's general cookie banner did not meet the consent threshold the legislation requires.
In the Monash IVF matter, the regulator examined the use of Meta's Custom Audiences feature. Customer names and contact details were uploaded to Meta to support advertising targeting. Even where the data was hashed before upload, the Commissioner ruled that the practice was a disclosure of personal information to an overseas recipient and required notice and consent that Monash IVF had not obtained. Cross-border disclosure obligations under APP 8 were also engaged.
Both companies argued that their cookie banners, privacy policies, and general consent flows were adequate. The Commissioner disagreed on each ground. The banners did not name Meta or TikTok. They referred only to cookies, not pixels. They did not describe the categories of information being transmitted. They did not give users a meaningful choice before the pixels fired.
This is the line the OAIC drew: a generic banner is not consent for a pixel that transmits health-adjacent browsing data to a foreign advertising platform.
Why These Determinations Will Be Cited for Years
Two features of the rulings give them unusually long reach.
The first is the breadth of the practices in scope. Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Google Ads remarketing tags, and the Custom Audiences upload pattern are present on the majority of mid-market Australian websites. The behaviour the OAIC pulled apart in Medmate's case (full URL transmission, no named third party in the banner, no opt-in before firing) is the default state of a Shopify, Webflow, WordPress, or HubSpot site that has been wired up by a digital agency in the last five years. Most marketing stacks were not designed with APP 3, APP 6, and APP 8 as constraints. They were designed for conversion attribution.
The second is the regulator's interpretation of what counts as sensitive information. Medmate did not transmit medical records. It transmitted the URLs of pages a user had looked at. The Commissioner ruled that the inferences those URLs allowed Meta to draw, particularly around reproductive and sexual health, were enough to bring the data within the sensitive information regime. That reading travels well beyond pharmacy and IVF. Mental health apps, addiction services, oncology pathways, queer health resources, fertility tracking, weight management, and a wide range of allied health workflows now sit inside the same risk envelope.
Once browsing context against a sensitive health URL is itself sensitive information, the consent bar rises sharply, and the legal status of pixel firing changes from a marketing question to a privacy compliance question.
The Reform Backdrop That Made This Possible
The 2024 amendments to the Privacy Act gave the OAIC stronger enforcement tools, lifted maximum civil penalties to the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover, and created a statutory tort for serious invasions of privacy. The Office's published 2026 regulatory priorities named online tracking technologies, sensitive information handling, and third-party data sharing as focus areas.
Carly Kind, appointed Commissioner in early 2024, has consistently signalled that the Office intends to test enforcement against operationalised industry practices rather than only against outlier breaches. Medmate and Monash IVF are exactly the kind of cases that signal pointed to: established companies, standard tooling, no malicious intent, and yet a finding of breach.
For boards, the lesson is direct. The compliance frontier has moved from breach response to product, marketing, and platform configuration. The penalty regime is now large enough that the audit committee question is no longer hypothetical.
What an Australian Pixel Audit Actually Looks Like
The teams that get ahead of this will run a structured review across three layers: what is firing, what is being transmitted, and what consent has been collected.
A defensible audit covers each of the following questions, with answers documented and signed off by privacy counsel:
- Which third-party tags, pixels, SDKs, and server-side conversion endpoints are active across every public-facing property, including marketing microsites, landing pages, and partner-managed funnels?
- What data fields does each tag transmit, including URL strings, query parameters, form fields, hashed identifiers, and behavioural events, and to which jurisdictions does that data flow?
- Where the website serves content that could reveal sensitive information about a user, including health, sexuality, religion, race, union membership, or political opinion, is any third-party tag able to capture the URL or the event?
- Does the consent flow name each third party by entity, describe the category of data being shared, and require an affirmative opt-in before the tag fires, with the default state set to no transmission?
- For Custom Audiences and equivalent upload-based ad targeting, is there a documented lawful basis for the disclosure to an overseas recipient under APP 8, with notice and consent collected at the point of data capture?
- Is there a periodic review cadence that catches new tags added by marketing teams, agencies, or third-party platforms between formal audits?
Most Australian organisations will fail at least three of those questions today. That gap is the actionable output of the Medmate and Monash IVF determinations.
The Healthtech Sector Has the Sharpest Exposure
Healthtech is the segment most directly affected, and the segment with the least time. Telehealth providers, pharmacy platforms, mental health apps, fertility services, allied health booking systems, and clinical SaaS vendors all routinely operate marketing funnels that pass health-adjacent URLs through standard advertising pixels.
The Commissioner's interpretation makes the URL itself the regulated artefact. A platform that routes a user from a homepage to a page titled "/services/depression-treatment" or "/conditions/ulcerative-colitis" is, on the OAIC's reading, transmitting sensitive information the moment the Meta Pixel fires on that page.
The remediation patterns are well understood. Server-side tagging through a controlled gateway can strip sensitive query parameters before they reach Meta or TikTok. Conditional pixel firing can be wired to consent state. Sensitive paths can be excluded from third-party tag triggers entirely. Custom Audiences uploads can be replaced with on-platform retargeting based on consented cohorts only.
None of these patterns are exotic. The reason most teams have not implemented them is that the commercial cost of losing some conversion attribution has, until now, been higher than the regulatory cost of leaving the pixels in place. The Medmate ruling inverts that calculation.
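The three remediation patterns above (consent-gated firing, sensitive path exclusion, and parameter stripping at a controlled gateway) as one decision function, written here as an added example rather than code from Medmate, Monash IVF, Meta or TikTok. The vendor keys, path prefixes and parameter allowlist are assumptions, the captured request records are a constructed sample, and the audit helper at the end also serves the "what is firing and what is transmitted" questions of the audit checklist.

```javascript
// Added example, not any platform's code: a consent gate implementing the three remediation
// patterns above. Vendor keys, path prefixes and the parameter allowlist are assumptions.
// Paths that may reveal sensitive information: never forwarded, whatever the consent state.
const SENSITIVE_PATH_PREFIXES = ['/conditions/', '/services/', '/treatments/', '/search'];
// Only these query parameters survive; anything else (a search term, say) is stripped.
const ALLOWED_QUERY_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign']);

// Consent is recorded per named third party and defaults to "no transmission".
function defaultConsent() {
  return { meta: false, tiktok: false };
}

function isSensitivePath(pathname) {
  return SENSITIVE_PATH_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// Fire only on an affirmative opt-in for that vendor, and never on a sensitive path.
function shouldFirePixel(vendor, pathname, consent) {
  if (isSensitivePath(pathname)) return false;
  return Boolean(consent) && consent[vendor] === true;
}

// Strip everything from the URL that is not on the allowlist, including the fragment.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(key)) kept.append(key, value);
  }
  url.search = kept.toString();
  url.hash = '';
  return url.toString();
}

// Gateway decision: the URL that may be sent to the vendor, or null for "send nothing".
function pixelPayload(vendor, rawUrl, consent) {
  const { pathname } = new URL(rawUrl);
  return shouldFirePixel(vendor, pathname, consent) ? redactUrl(rawUrl) : null;
}

// Audit helper over captured outbound requests (constructed sample, not real captures):
// returns the URLs a compliant gateway would have blocked or redacted.
const SAMPLE_REQUESTS = [
  { vendor: 'meta', url: 'https://example.com/conditions/ulcerative-colitis' },
  { vendor: 'tiktok', url: 'https://example.com/about?utm_source=ad&q=contraception' },
  { vendor: 'meta', url: 'https://example.com/about?utm_source=ad' },
];
function auditRequests(records, consent) {
  return records.filter((r) => pixelPayload(r.vendor, r.url, consent) !== r.url).map((r) => r.url);
}
```

Run `auditRequests(SAMPLE_REQUESTS, defaultConsent())` to see that with the default-off state nothing is forwarded at all, and with full opt-in only the sensitive-path and search-term requests are still flagged.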
The SaaS and Martech Stack Implications
The exposure is not confined to healthtech. Any Australian SaaS or B2B business that captures lead data through a website, runs Meta or TikTok advertising, uses Custom Audiences for retargeting, or operates a marketing automation stack with third-party enrichment now needs to evaluate its consent architecture against the Commissioner's standard.
Three patterns deserve particular scrutiny.
Marketing automation platforms with native social audience syncs (HubSpot, Marketo, Salesforce Marketing Cloud, Braze) routinely push hashed customer lists to Meta, Google, and LinkedIn for ad targeting. Each of those flows is a disclosure to an overseas recipient under APP 8, requiring documented consent and disclosure to the data subject.
Embedded analytics and session replay tools (FullStory, Hotjar, Microsoft Clarity, LogRocket) capture detailed user behaviour, including form field interactions. Where those interactions cover health, financial, or other sensitive contexts, the same standard the OAIC applied to Medmate's URLs applies to the recorded session data.
Vendor-provided chatbots, support widgets, and conversion optimisation tools frequently load third-party scripts that fire pixels independently of the host website's consent management platform. The audit needs to capture those tags, not just the ones the marketing team is aware of.
A SaaS company shipping its product to Australian customers must also account for the pixels and tags that fire inside the authenticated application, where users may reasonably expect a higher consent standard than on a marketing site.
What Boards Should Ask This Quarter
Three questions belong on the next board agenda.
The first concerns inventory. Does the organisation have a current, authoritative list of every third-party tag, pixel, and SDK active across its digital estate, including the data fields each transmits and the jurisdictions involved? If not, the answer is to commission one immediately, with privacy counsel oversight.
The second concerns consent. Does the consent flow on every customer-facing property meet the Commissioner's standard, defined as named third parties, described data categories, default-off transmission, and affirmative opt-in before pixels fire? If the answer is uncertain, the board should commission a remediation plan with a board-reported deadline.
The third concerns sensitive contexts. Are there pages, workflows, or data points anywhere in the digital estate that could reveal sensitive information about a user, and is any third-party tag able to access them? If yes, the remediation is server-side tagging, conditional firing, or sensitive path exclusion, depending on the stack.
The Privacy Act now has the penalty regime to make the answers to those questions material. The OAIC has demonstrated, through Medmate and Monash IVF, that it will pursue the questions even where the conduct is industry standard.
Where Wai and ARC Fit
Wai works with Australian technology, SaaS, healthtech, and enterprise teams on the layers that connect product, marketing, data, and governance. That work increasingly sits at the intersection of consent architecture, server-side data flows, and the public visibility of authority content. Both sides of that intersection are now subject to active enforcement.
ARC is Wai's authority and AI-visibility infrastructure layer. It is built for the world the OAIC has just put a price on: one in which an organisation's digital surface area is read, indexed, and ranked by both regulators and AI retrieval systems, and in which the configuration of that surface area is itself a governance artefact. ARC supports controlled publication, structured attribution, and discoverability inside AI answer engines without the kind of opaque third-party data flows the Commissioner has now ruled non-compliant.
For Australian technology and marketing leaders running a pixel audit and an AI visibility programme in parallel, that combination is the work.
Frequently Asked Questions
What did the OAIC actually rule against Medmate and Monash IVF?
The Privacy Commissioner ruled on 24 June 2026 that Medmate breached the Privacy Act by using Meta Pixel and TikTok Pixel to transmit URLs of pages containing sensitive health information, including searches for contraception and treatments for UTIs and bacterial vaginosis, without specific consent. Monash IVF was found to have breached the Act through Custom Audiences uploads of customer names and contact details to Meta without adequate notice or consent. In both cases the Commissioner ruled that generic cookie banners did not meet the consent standard the Privacy Act requires.
Are Meta Pixel and TikTok Pixel still legal to use in Australia?
The pixels themselves are not unlawful. What is now clearly unlawful, on the OAIC's interpretation, is firing them without a consent flow that names the third party, describes the categories of data being transmitted, sets the default state to no transmission, and requires affirmative opt-in. Australian operators using these pixels need to either upgrade their consent architecture to that standard or restrict firing to non-sensitive contexts using server-side tagging or conditional triggers.
What counts as sensitive information after this ruling?
The OAIC ruled that URL strings revealing a user's interest in specific health conditions or treatments are themselves sensitive health information, even without medical records being transmitted. That interpretation extends to any digital context where a URL, query parameter, or behavioural event could reveal information about a user's health, sexuality, religion, race, union membership, or political opinion. The practical implication is that the audit perimeter is wider than most martech teams have assumed.
What should Australian SaaS companies do this week?
Commission a pixel audit covering every public-facing property, document what each third-party tag transmits and to which jurisdictions, map the consent flows against the OAIC's standard, and identify any pages where sensitive information could be exposed through a pixel. Where gaps exist, prioritise server-side tagging, conditional firing, and consent flow remediation. Boards should treat the work as a Q3 deliverable with named accountability.
Does the ruling affect Custom Audiences and similar ad targeting features?
Yes. The Monash IVF determination established that uploading customer data to Meta for Custom Audiences targeting, even where the data is hashed, constitutes a disclosure of personal information to an overseas recipient and engages APP 8 cross-border obligations. Organisations using Custom Audiences, Match Audiences, Customer Match, or equivalent features need documented consent, clear notice to the data subject, and an assessment of the overseas recipient's privacy framework.
What penalties could apply for similar breaches?
Following the 2024 Privacy Act amendments, maximum civil penalties for serious or repeated breaches are the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover. The OAIC also has expanded infringement notice powers and the ability to seek determinations, undertakings, and compensation orders. The new statutory tort for serious invasions of privacy creates an additional civil exposure that operates alongside the regulator's enforcement.