Is the Meta pixel legal in Australia?
The short answer
The Meta pixel is not illegal in Australia. Using it on a health website the way most sites currently do can still breach the Privacy Act 1988. The difference comes down to three things: what the pixel collects, whether it fires before the visitor consents, and whether you have told people it is there. On a health site, all three are easy to get wrong.
What the Meta pixel actually does
The Meta pixel, also called the Facebook pixel, is a small piece of code that loads on your website. When someone visits a page, the pixel sends a message back to Meta. That message can include the page they viewed, the actions they took, such as booking, submitting a form, or starting an enquiry, and identifiers that help Meta match the visit to a Facebook or Instagram account. Marketers use it to measure ad performance and to retarget people with ads later. It does its job well. The problem is not that it works. The problem is what it sends, and when.
Why a health website is different
Most websites are not handling sensitive information. A fertility clinic, a mental health service, an online pharmacy, or a sexual health provider is. Under the Privacy Act, health information is sensitive information, and it carries a higher bar than ordinary personal information.
Here is the part that surprises people. On a health site, an ordinary marketing signal can become sensitive information the moment it leaves your site. If someone views a page about IVF, books an appointment for an STI test, or adds a prescription to a cart, and that action is sent to Meta, you may have just disclosed something about that person's health. A page view is not just a page view when the page reveals a condition or a treatment.
What the law expects
Three Australian Privacy Principles are doing the heavy lifting here. We explain each in plain English in the three obligations behind the rulings.
- APP 3.3 says you generally need consent before collecting sensitive information.
- APP 5.1 says you must tell people what you collect, why, and who receives it.
- APP 7.1 says you need consent before using personal information for direct marketing.
A pixel that fires on page load, sends health-related signals to Meta, is not mentioned in your privacy policy, and feeds ad targeting can touch all three at once.
The timing problem
This is the detail that catches almost everyone. A tracking pixel usually fires the instant a page loads. A cookie banner appears a moment later and waits for a click. By the time a visitor accepts or declines, the pixel has often already sent its first message. A banner that asks for consent after the data has left is not really asking for consent. It is describing what already happened.
So a site can have a consent banner, look compliant, and still be sending data before anyone agrees.
What the OAIC has said
In June 2026, the Office of the Australian Information Commissioner handed down its first tracking-pixel determinations. Both involved healthcare providers. The regulator also inspected 50 health-sector websites and found that almost all used tracking technology, more than half ran a third-party pixel, and most did not mention it in their privacy policy. The OAIC's position is that sites handling sensitive information should think very carefully before running these pixels at all, and that consent has to come before collection, not after.
So, is it legal?
The tool is legal. The common setup often is not. If your health website runs the Meta pixel so that it fires before consent, sends signals that can reveal a person's health, or is not disclosed to visitors, you are exposed regardless of how well the campaign performs.
The good news is that this is fixable, and you do not have to choose between marketing and compliance.
What to do next
- Find out what actually fires. Load your site as a first-time visitor and see every tag and recipient before consent. You cannot fix what you cannot see.
- Hold non-essential tags until consent. Proper tag-blocking and consent mode let you keep measuring while removing the before-consent risk. See how to make your banner actually block tags.
- Disclose every recipient. Name Meta and any other third party in your privacy policy, in plain language.
- Keep watching. Sites change every week. A new campaign or a new tag can reopen the gap, so monitor for it.
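As an added example that is not part of the original article, here is the timing fix behind "Hold non-essential tags until consent" in browser JavaScript: pixel calls raised at page load are held while the banner is unanswered, replayed only after an accept, and discarded on a decline, so the pixel script itself never loads before consent. The transport adapter, the banner button ids and the pixel id are assumptions.

```javascript
// Added example, not code from the page: a consent gate in front of the Meta pixel.
// "transport" is an assumed adapter: load(pixelId) installs the pixel script,
// send(event, params) forwards one event. The pixel id is a placeholder.
function createConsentGate(transport, pixelId) {
  let consent = null;   // null = undecided, true = granted, false = declined
  let loaded = false;
  const queue = [];     // events raised before the decision; sent only if granted

  function forward(event, params) {
    if (!loaded) { transport.load(pixelId); loaded = true; }  // script loads only now
    transport.send(event, params);
  }

  return {
    // Call this wherever the site would otherwise call fbq('track', ...).
    track(event, params = {}) {
      if (consent === true) forward(event, params);
      else if (consent === null) queue.push({ event, params });
      // declined: dropped, nothing is buffered or sent
    },
    grant() {
      consent = true;
      while (queue.length) { const e = queue.shift(); forward(e.event, e.params); }
    },
    decline() {
      consent = false;
      queue.length = 0;   // discard what was captured while undecided
    },
    state() { return { consent, loaded, queued: queue.length }; },
  };
}

// Browser wiring; skipped outside a browser so the gate can be exercised on its own.
if (typeof document !== 'undefined') {
  const transport = {
    load(pixelId) {
      // Meta's published base snippet belongs here (it defines window.fbq and loads
      // fbevents.js). Putting it in the page head instead is the before-consent bug.
      window.fbq('init', pixelId);
    },
    send(event, params) { window.fbq('track', event, params); },
  };
  const gate = createConsentGate(transport, 'PIXEL_ID_PLACEHOLDER');
  gate.track('PageView');   // raised at load, but held until the banner is answered
  document.getElementById('consent-accept').addEventListener('click', () => gate.grant());
  document.getElementById('consent-decline').addEventListener('click', () => gate.decline());
}
```

Check the result the same way the first step above suggests: load the page as a first-time visitor with the network panel open and confirm no request to Meta appears until the accept button is clicked.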