The Privacy Series: Pixels perpetuating privacy concerns

To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.

Pixels perpetuating privacy concerns

The latest digital marketing mechanism to come under fire since cookie deprecation has stopped making headlines is the pixel. Also well known as a tracking pixel, to date these have been a powerful tool in the digital marketer’s playbook. Their ability to track user behaviour, optimise campaigns and increase ROI is the type of daily activity marketers have become accustomed too. However, growing privacy concerns and the linkages tracking pixels have with third-party platforms have led to their recent scrutiny, and rightfully so amidst privacy reform in Australia. 

In this next edition of the Privacy series, we will unpack what a tracking pixel is, how compliance in pixel deployment is now being aggressively policed, and what implications that has for marketers. 

What are pixels?

As a starting point, a pixel can be best understood as being cookie adjacent. Both are digital marketing tools used for website tracking, however they operate in different ways. A pixel is an invisible image that is embedded within a webpage, email or digital advertisement. Whenever these mediums are loaded, the pixel then sends data back to the server that it is connected to. The data that the pixel captures relates to tracking user actions. This includes actions like page views, conversions, button clicks, form submissions, video views, even scroll-depth – just to name a few. Tracking is the primary purpose of a pixel, in comparison to a cookie which is more concerned with storing data on a user’s device.  

The issue with pixels, as it is with cookies, is that the data captured can include personal information like IP addresses, browsing history, and even form inputs such as name, address, date of birth, email address and phone number, which all raise significant privacy concerns. This is particularly relevant as the server the pixel is connected to and therefore transmits the data to, is a third-party platform. As with all digital marketing tracking tools, organisations are responsible for ensuring that their use of pixels complies with the Privacy Act (1988) and the 13 Australian Privacy Principles (APPs) governing the rights and obligations around the collection, use and disclosure of personal information. 

Source: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/tracking-pixels-and-privacy-obligations 

The Kind enforcer

The first tranche of privacy reform granted stronger enforcement powers to the Office of the Australian Information Commissioner (OAIC). In short, the new tiered penalty structure is designed to capture a broader range of contraventions of the Privacy Act. This is a significant shift away from the existing practice of only penalising practices that constitute a ’serious’ or ‘repeated’ interference with the privacy of individuals. That means the OAIC now has the power to issue substantial fines for infringements and administrative breaches, ranging from $66,000 up to $330,000, and Australia's Privacy Commissioner, Carly Kind, aims to take a more enforced approach with aggressive policing. She expects to use infringement notices in a similar way as both the ACMA and the ACCC.

Ahead of an enforcement crackdown, this month the OAIC published new advice on pixels and personal information. The guidance states that organisations seeking to deploy third-party tracking pixels on their website must ensure these are configured and used in a way that is compliant with the Privacy Act. The Privacy Act does not strictly prohibit the use of third-party tracking pixels. However, ensuring they are used in a way that is compliant with the APPs is essential. 

As part of the crackdown, the OAIC will be paying close attention to ensure businesses utilising pixel tracking are compliant with a handful of particular APPs. The first being APP 3 – collection – whereby data collection must be determined as reasonably necessary, and sensitive information will require explicit consent. The second is APP 6 – use and disclosure – which is concerned that personal information collected via pixels can only be used or disclosed for the original purpose, or a related secondary purpose with consent, or if reasonably expected by the individual. The third is APP 7 – direct marketing – which determines that specific requirements apply to using personal information gathered through tracking pixels for targeted advertising, and that opt-out mechanisms must be provided. And finally, APPs 1 and 5 – transparency – organisations must have clear and up-to-date privacy policies and provide notices informing individuals about the use of tracking pixels and their data. The OAIC Determination in a recent leading homeware supplies retailer matter suggests that the Privacy Commissioner takes a very robust view of APP 1. Businesses lacking any of these provisions will be in breach of the Act and at risk of penalties for non-compliance. The OAIC strongly encourages organisations to err on the side of caution and comply with the Privacy Act when using tracking pixels. 
 

The impact for marketers

As pixels have been used to date to by marketers for purposes such as remarketing, audience targeting, campaign optimisation, conversion tracking and ROI, what are the implications of the OAIC’s crackdown on their use? To put it simply, marketers will need to ensure stringent compliance if they continue to deploy tracking pixels, or risk being issued an eye-watering fine for a breach. 

To avoid a breach and in pursuit of best practice, marketers should complete rigorous due diligence and thoroughly assess the functionality and privacy risks of third-party tracking pixels before deployment. This includes reviewing the provider terms and conditions and ensuring ongoing compliance with regular reviews, moving away from a "set and forget" approach. As part of the due diligence process, marketers should seek data minimisation strategies. Firstly, take the opportunity to shed any unnecessary data you have stored, then configure pixels to collect and share the minimum amount of data necessary. One way of doing this is to consider limiting pixel deployment to specific webpages. Additionally, as sensitive information requires express consent, avoid collecting it through pixels with appropriate configuration. Otherwise, be sure you have auditable record of where express consent to do so was obtained. This leads to the importance of transparency and control. Businesses must provide clear and accessible information about the use of tracking pixels, the types of data collected, and the purposes for which it is used. They must also grant the customer/user greater control and offer simple opt-out mechanisms for direct marketing. Of course, if you are integrating privacy considerations from the outset and potentially conducting Privacy Impact Assessments (PIAs) to identify and mitigate potential harms in a privacy by design approach, you’ll put yourself in the best position possible to avoid any unintended breaches. 

At the very least, businesses should absolutely take this as fair warning to continue preparing for the full privacy reform. This is not the time to take your foot off the gas and become complacent. If breaches are occurring under the existing Privacy Act, then the amended bill in its entirety will most certainly result in non-compliance unless you get your house in order.