You can't govern what you can't see: The Hidden Privacy Risk on Corporate Websites

  • Writer: David Roberts
  • 2 days ago

Recent findings by Australia's Privacy Commissioner against Monash IVF and Medmate have put a spotlight on a privacy risk that exists on thousands of Australian websites.


Both organisations were found to have used third-party tracking pixels that captured information about what visitors were searching for and shared that data with advertising platforms without appropriate consent. In some cases, the information related to highly sensitive health topics, including fertility treatment, contraception and medical conditions.


The ruling highlights a challenge many organisations face: they often don't have complete visibility into the pixels, tags, cookies and scripts operating across their websites. As marketing technologies accumulate over time, organisations can lose track of what data is being collected, where it is being sent, and whether that activity aligns with privacy obligations and customer expectations.


For privacy, risk and digital leaders, the message is clear: website tracking is no longer just a marketing issue—it is a privacy governance issue.


To reduce exposure, organisations should:

1. Identify all tracking technologies on your website: Create an inventory of all pixels, tags, cookies and third-party scripts operating across your websites and digital platforms.

2. Understand what data is being collected: Assess whether tracking technologies are capturing personal information, search terms, form data, URLs, or other information that could reveal sensitive interests or behaviours.

3. Map where the data is being sent: Determine which third parties receive website data, including advertising platforms, analytics providers and social media companies.

4. Assess privacy and compliance risks: Review whether the collection, disclosure and use of information aligns with the Privacy Act, your privacy policy and any consent obtained from users.

5. Implement controls to manage data flows: Establish technical controls that govern what pixels send to third parties, so that sensitive data does not leave the organisation.

6. Strengthen consent and transparency: Ensure cookie banners, consent mechanisms and privacy notices accurately reflect the tracking technologies being used and the data being shared.

7. Establish ongoing governance: Implement processes to add controls to new website technologies before deployment and to control data flows for existing tracking tools so they remain compliant.
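
Steps 1 to 3 can be started from a browser network capture. The sketch below is an added example, not part of the original post: it reads a HAR export, lists each third-party host contacted, and flags hosts that received the visitor's search term. The domains, the `q` search parameter and the sample capture are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed HAR excerpt (assumed domains): a site search, then three third-party calls.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.clinic.example/search?q=ivf+treatment", "headers": []}},
    {"request": {"url": "https://pixel.ads.example/tr?ev=PageView"
                        "&dl=https%3A%2F%2Fwww.clinic.example%2Fsearch%3Fq%3Divf%2Btreatment",
                 "headers": [{"name": "Referer", "value": "https://www.clinic.example/"}]}},
    {"request": {"url": "https://collect.analytics.example/e", "headers": [],
                 "postData": {"text": '{"event": "search", "term": "ivf treatment"}'}}},
    {"request": {"url": "https://cdn.fonts.example/font.woff2",
                 "headers": [{"name": "Referer", "value": "https://www.clinic.example/"}]}},
]}})

def is_third_party(host, first_party):
    return not (host == first_party or host.endswith("." + first_party))

def decode(text, rounds=3):
    # Pixels often nest the page URL inside a parameter, so it is encoded more than once.
    for _ in range(rounds):
        text = unquote_plus(text)
    return text.lower()

def inventory(har_text, first_party, search_param="q"):
    """Return {third-party host: {"requests": n, "leaked_terms": set}} for one HAR capture."""
    requests = [e["request"] for e in json.loads(har_text)["log"]["entries"]]
    # Step 2 input: search terms the visitor typed, read from first-party page URLs.
    terms = set()
    for req in requests:
        url = urlsplit(req["url"])
        if url.hostname and not is_third_party(url.hostname, first_party):
            terms |= {v.lower() for k, v in parse_qsl(url.query) if k == search_param}
    report = {}
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if not host or not is_third_party(host, first_party):
            continue
        # Everything this recipient can read: URL, Referer header, request body.
        parts = [req["url"], req.get("postData", {}).get("text", "")]
        parts += [h["value"] for h in req.get("headers", []) if h["name"].lower() == "referer"]
        visible = decode(" ".join(parts))
        row = report.setdefault(host, {"requests": 0, "leaked_terms": set()})
        row["requests"] += 1
        row["leaked_terms"] |= {t for t in terms if t in visible}
    return report

if __name__ == "__main__":
    for host, row in sorted(inventory(SAMPLE_HAR, "clinic.example").items()):
        print(host, row["requests"], sorted(row["leaked_terms"]) or "no search terms seen")
```

A single capture covers only the pages and consent state of that session, and plain-text matching will not catch terms that a tag hashes or otherwise encodes before sending.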


The key takeaway: You cannot manage privacy risk if you do not have visibility of what your website is collecting, where the data is going, and how it is being used. Visibility should be the first step in any website privacy compliance program. For further information on how this can be done, please contact us: contact@trustworks360.com

