OAIC tracking-pixel determinations

APP 3.3, 5.1 and 7.1 in plain English

Updated 1 July 2026 · 6 min read

Why these three matter

In June 2026 the OAIC found that two healthcare providers had interfered with people's privacy through tracking pixels. The findings turned on three Australian Privacy Principles: APP 3.3, APP 5.1 and APP 7.1. If you run a health website, these are the three obligations to understand first. Here they are in plain English.

For the wider context, see: Is the Meta pixel legal in Australia?

APP 3.3: get consent before collecting sensitive information

In plain English: you generally need a person's consent before you collect sensitive information about them. Health information is sensitive information.

What it means for your website: if a tag sends a signal that can reveal someone's health, such as a page view on a treatment page, a booking, or a form submission, to a third party like Meta or TikTok, that can be a collection of sensitive information. If it happens before the visitor has agreed, you have likely missed this obligation. This is why the moment a tag fires matters so much. Consent has to come first.

APP 5.1: tell people what is happening

In plain English: at or around the time you collect someone's information, you have to notify them. That includes what you are collecting, why, and who you will share it with.

What it means for your website: your privacy policy and your on-page notices need to reflect what your site actually does. If your site sends data to Meta, TikTok, Google and others, those recipients should be named, in language a normal person can understand. A vague line that says "we use cookies" does not meet this. In the OAIC's review of 50 health websites, most sites that ran a third-party pixel did not mention it in their privacy policy. That gap is exactly what APP 5.1 is about.

APP 7.1: get consent before direct marketing

In plain English: you need consent before you use someone's personal information for direct marketing.

What it means for your website: retargeting is direct marketing. If you feed a visitor's activity into ad targeting so you can show them ads later, you need their consent to do that. On a health site this is doubly sensitive, because the targeting can be based on a health interest the person never agreed to share.

How the three fit together

Think of it as one sequence. First you collect, which is APP 3.3. Then you have to have told people, which is APP 5.1. Then, if you want to market to them based on that data, you need separate consent, which is APP 7.1. A single tracking pixel firing on page load can touch all three at the same time, which is why one small piece of code created such a large problem.

A simple way to put it to your team

Tags wait for consent. The privacy policy names who receives data and why. Tracking data is not fed into ad targeting without consent. If those three things are true, you have addressed the heart of the determinations.
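One way to make "tags wait for consent" concrete in page code, as an added example that is not from the original article or the OAIC determinations: each tag is registered at page load but fires only once the visitor has granted every purpose it needs, so a retargeting pixel stays silent until a separate marketing consent exists. Tag names, purpose labels and script URLs are placeholders, not real endpoints.

```javascript
// Consent-gated tag loading: tags are registered at page load but fire only once
// the visitor has granted every purpose the tag needs (constructed example).
function createConsentGate() {
  const granted = new Set(); // purposes the visitor has agreed to
  const pending = [];        // tags still waiting for consent
  const fired = [];          // names of tags that have actually loaded
  // Release every pending tag whose required purposes are all granted.
  function flush() {
    const ready = pending.filter((t) => t.purposes.every((p) => granted.has(p)));
    for (const t of ready) {
      pending.splice(pending.indexOf(t), 1);
      fired.push(t.name);
      t.load();
    }
  }
  return {
    // Register a tag with the purposes it needs; nothing loads yet.
    register(name, purposes, load) { pending.push({ name, purposes, load }); flush(); },
    // Record the visitor's consent choice and release any matching tags.
    grant(purposes) { purposes.forEach((p) => granted.add(p)); flush(); },
    fired: () => fired.slice(),
    pending: () => pending.map((t) => t.name),
  };
}
// Inject a third-party script only when the gate releases it. In a browser this
// appends a <script>; outside one it only records the URL so the logic is testable.
function scriptInjector(url, sink) {
  return () => {
    if (typeof document !== 'undefined') {
      const s = document.createElement('script');
      s.src = url;
      document.head.appendChild(s);
    }
    sink.push(url);
  };
}
// The sequence from the article: pixels wired up on page load, but consent first.
// URLs are placeholders, not the real pixel endpoints.
function demo() {
  const loaded = [];
  const gate = createConsentGate();
  gate.register('meta-pixel', ['marketing'], scriptInjector('https://example.invalid/pixel.js', loaded));
  gate.register('site-analytics', ['analytics'], scriptInjector('https://example.invalid/analytics.js', loaded));
  const onLoad = gate.fired();         // [] : nothing fires on page load
  gate.grant(['analytics']);
  const afterAnalytics = gate.fired(); // ['site-analytics'] only; the pixel still waits
  gate.grant(['marketing']);
  return { onLoad, afterAnalytics, afterMarketing: gate.fired(), loaded };
}
```

The same gate can sit in front of any tag manager: the pixel's loader is what you register, and nothing is appended to the page until the matching consent exists.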

What to check on your own site

  • Do any ad or social tags fire before a visitor consents?
  • Does your privacy policy name every third party that receives visitor data?
  • Is any of that data used for retargeting without consent?

If you are not sure, you are not alone. Most sites cannot answer these from memory, which is why a scan helps.
