Most business websites collect more data than their owners realise. Even a simple lead generation site might use Google Analytics, Meta Pixel, Google Ads conversion tags, CRM integrations, newsletter signups, call tracking, booking tools, chat widgets and remarketing audiences. That is not just marketing data. Depending on the business and what the user enters, it can include personal information and sometimes sensitive information.

Australian privacy law is shifting toward stronger transparency, stronger enforcement and more accountability. The Privacy and Other Legislation Amendment Act 2024 is the first major tranche of reform and more changes are coming. Businesses that rely on tracking, forms and retargeting need to understand what this means for their websites. Our Melbourne SEO guide covers how tracking and analytics fit into the broader SEO picture. This article focuses on the privacy side of that setup.

If your website collects enquiries, tracks visitors, retargets people or sends marketing emails, privacy is no longer someone else's problem.

Warning: This is general information, not legal advice

This article explains privacy law changes in plain English as they relate to business websites. It is not legal advice. If your business handles sensitive data, operates in a regulated industry or needs specific compliance guidance, get professional legal advice.

The Short Answer: What Does a Business Website Need to Change?

Action: Quick answer

Most business websites should review: their privacy policy, cookie and tracking notices, analytics setup, remarketing pixels, Meta and Google and TikTok tags, contact forms, lead magnets, newsletter signups, CRM and booking integrations, call tracking, data retention settings, consent for email and SMS marketing, automated decision making disclosures where relevant, third party sharing disclosures and child or young person data risks where relevant.

The OAIC's tracking pixel guidance says organisations should conduct regular, ongoing reviews of website tracking technologies and comply with APP 7 (direct marketing) when using tracking pixels for targeted online ads, including providing a simple opt out.

The fix is not 'add a cookie banner and forget it'. The fix is knowing what your website collects, why it collects it and whether you can explain it honestly.

What Changed in Australia's Privacy Law

Here is what has already happened and what is coming next.

Change

Status

Website action

Privacy and Other Legislation Amendment Act 2024

In effect from 10 December 2024

Review and update privacy policy, data practices and governance

Statutory tort for serious invasions of privacy

In effect from 10 June 2025

Avoid misuse of private information. Review sensitive data collection

Expanded OAIC enforcement powers

In effect

Improve documentation, data governance and compliance readiness

OAIC tracking pixel guidance

Current guidance

Audit pixels, provide opt outs, review third party data sharing

Automated decision making transparency

Starts 10 December 2026

Review automation tools, update privacy policy before deadline

Children's Online Privacy Code

To be developed by 10 December 2026

Review if website collects data from children or young people

Small business exemption changes

Proposed, not yet enacted

Prepare early. Do not use the exemption as a reason to ignore privacy

The Privacy and Other Legislation Amendment Act 2024

This is the first tranche of major privacy reform. It received Royal Assent on 10 December 2024 and progresses 23 proposals from the Government Response to the Privacy Act Review. The Attorney General's Department has published details on what the Act covers and what further reforms are expected.

Statutory Tort for Serious Invasions of Privacy

This commenced on 10 June 2025. It gives individuals an additional route to seek redress in court for serious privacy invasions, covering both intrusion upon seclusion and misuse of private information. The OAIC notes that it provides individuals an avenue beyond the existing complaint process. Importantly, this applies more broadly than just APP entities in some situations.

Stronger OAIC Powers

The reforms expanded the OAIC's enforcement and investigation powers, including new civil penalty tiers and infringement notices. This means the regulator has more tools to act on non compliance.

Automated Decision Making Transparency

From 10 December 2026, APP entities that use personal information in automated decisions that may significantly affect an individual's rights or interests will need their privacy policies to explain the kinds of personal information used and the kinds of decisions made. If your website or CRM uses automation to qualify, score, route or prioritise leads, this is relevant.

Small Business Exemption

The current small business exemption (for businesses with under $3 million annual turnover) has not been removed yet. But the Privacy Act Review raised recalibrating this exemption and the Government response indicated further consultation. This is a future risk, not current law. However, if your website collects meaningful customer data, preparing now is the sensible move regardless of your turnover.

The direction is clear: more transparency, stronger enforcement and less tolerance for vague data practices.

Why This Matters for SEO, Analytics and Websites

SEO and website work routinely involves tools that collect or disclose personal information. Most businesses do not think of their marketing stack as a privacy issue, but it is.

Common tools that handle personal information:

  • GA4 and Google Analytics (page views, device data, event tracking)

  • Google Tag Manager (fires tags that send data to third parties)

  • Google Ads conversion tracking (links website actions to ad campaigns)

  • Meta Pixel (sends behavioural data to Meta for ad targeting)

  • TikTok Pixel, LinkedIn Insight Tag, Microsoft Ads tags

  • Hotjar, Microsoft Clarity or similar heatmap and session replay tools

  • Call tracking services (dynamic number insertion, call recording)

  • CRM integrations (form data sent to HubSpot, Salesforce, etc.)

  • Email capture and newsletter platforms (Mailchimp, ActiveCampaign, etc.)

  • Remarketing audiences built from website visitor data

  • Booking and payment tools (Calendly, Square, Stripe, etc.)

The OAIC released tracking pixel guidance in 2024 specifically to help businesses meet their Privacy Act obligations when using third party tracking pixels. This is not theoretical. The regulator is paying attention to how websites share data with advertising platforms.

Understanding what your site tracks is also relevant to how you measure SEO performance. Our article on zero click search strategy covers the shift from 'track everything' to 'track what matters'. Privacy reform is pushing in the same direction: track less, but track better.

Tracking is useful. Invisible tracking with no review, no explanation and no opt out is where businesses get into trouble.

The Website Privacy Audit: What to Check First

Before you change anything, you need to know what your website is actually doing with data. Here are the five checks every business should start with.

Check 1: What Data Does the Website Collect?

List everything your website asks for or captures automatically.

  • Name, phone number, email address

  • Physical address or suburb

  • IP address, device type, browser data (captured automatically by analytics)

  • Form message content (enquiry details, sometimes including sensitive information)

  • Health, legal or financial details (common in medical, legal and finance intake forms)

  • Booking details (dates, times, service types)

  • Payment details (card numbers, billing info via payment gateways)

  • Behavioural data (pages visited, time on site, scroll depth, clicks)

  • Advertising identifiers (used by pixels and remarketing tags)

Check 2: Where Does the Data Go?

Map where each type of data ends up. For many businesses, this list is longer than they expect.

  • Email inbox or shared inbox

  • CRM (HubSpot, Salesforce, Zoho, etc.)

  • Google Analytics

  • Meta (via Pixel)

  • Google Ads (via conversion tracking)

  • Call tracking provider

  • Booking system

  • Newsletter platform

  • Payment processor

  • Web hosting provider

  • Spreadsheet or shared drive

  • Automation tools (Zapier, Make, etc.)

Check 3: Is the Privacy Policy Accurate?

Your privacy policy should explain what is actually happening, not what a generic template says. Under APP 5, an entity collecting personal information must take reasonable steps to notify the individual of certain matters at or before collection.

Check whether your policy explains:

  • What personal information is collected

  • Why it is collected

  • Who it is shared with (including third party platforms)

  • Whether information is disclosed overseas

  • How analytics, tracking and remarketing are used

  • How individuals can access, correct or complain about their data

  • Automated decision making, where relevant

Check 4: Are Forms Asking for Too Much?

Collecting more data than you need is a risk, not a benefit. Common examples of over collection on business websites:

  • Asking for date of birth when it is not needed

  • Asking for medical or legal details in a general enquiry form

  • Asking for full address when suburb is enough

  • Asking for budget when it is not necessary for the enquiry

  • Collecting sensitive information without a clear and specific reason

Check 5: Are Tracking Pixels Still Needed?

Audit every pixel and tracking tag on your website. It is common to find old pixels, unused tags and tools that were added for a campaign three years ago and never removed.

  • Meta Pixel

  • TikTok Pixel

  • Google Ads conversion tags

  • LinkedIn Insight Tag

  • Hotjar or Microsoft Clarity

  • Abandoned cart retargeting tools

  • Chat widgets that collect user data

The OAIC says organisations should conduct regular, ongoing reviews of tracking technologies deployed on their websites. If a tag is not actively used for something you can explain, remove it.

Most websites do not need less data because privacy is scary. They need less data because half of what they collect is never used.

Analytics and Conversion Tracking: What Needs to Change

Good tracking does not mean tracking everything. Good tracking means tracking the actions that matter without collecting more personal information than you need.

GA4 and Analytics

  • Use sensible data retention settings (not the maximum by default)

  • Avoid sending personal information in URLs or event parameters

  • Review form tracking events to ensure you are not capturing sensitive enquiry text

  • Document what is tracked and why

  • Use clear privacy policy language that explains analytics use

Google Tag Manager

  • Audit all active tags and remove anything unused

  • Name tags clearly so anyone can understand what each one does

  • Document triggers and where data is sent

  • Restrict who can publish changes to the container

  • Review tags on sensitive pages (medical, legal, financial intake)

Call Tracking

  • Disclose call recording to callers if you record calls

  • Disclose the use of call tracking where appropriate

  • Avoid recording sensitive calls unless it is necessary and compliant

  • Review how long call recordings and metadata are retained

Heatmaps and Session Replay

  • Mask form fields so text inputs are not recorded

  • Suppress recording on sensitive pages (medical, legal, finance)

  • Avoid using session replay on enquiry flows that capture detailed personal information

  • Explain heatmap and session replay use in your privacy policy

Remarketing, Pixels and Ad Platforms

Tracking pixels are one of the highest risk areas for business websites because they can disclose personal information to third party advertising platforms, often without the website visitor fully understanding what is happening.

The OAIC's tracking pixel guidance says organisations using pixels for targeted online ads must comply with direct marketing obligations under APP 7 and provide a simple opt out mechanism.

What Businesses Should Do

  • List every pixel and ad tag on your website

  • Remove unused pixels (check Google Tag Manager for old or inactive tags)

  • Check what events are firing and what data is included

  • Avoid firing pixels on sensitive pages where possible

  • Use Google Consent Mode or a consent management tool where appropriate

  • Update your privacy and cookie notices to explain pixel use

  • Provide a clear opt out pathway for remarketing

  • Document which platforms receive data and what that data includes

Higher Risk Industries

Some industries need extra care with remarketing pixels because the data context is inherently sensitive.

Industry

Why remarketing pixels carry extra risk

Medical and allied health

Visiting a page about a specific condition or treatment can reveal health information. Remarketing from those pages can disclose that information to ad platforms.

Legal services

A visit to a page about family law, criminal defence or employment disputes can reveal sensitive personal circumstances.

Finance and insurance

Pages about debt, insurance claims or loan applications involve financial data that requires extra care.

Counselling and psychology

Mental health enquiries are highly sensitive. Remarketing from these pages raises significant privacy concerns.

Children's services

Data from children or young people carries specific obligations, including the upcoming Children's Online Privacy Code.

Remarketing can be powerful, but following someone around the internet after they visited a sensitive service page is not always a good idea.

Cookie Banners: Do Australian Websites Need Them?

This is one of the most common questions and the answer is more nuanced than a simple yes or no.

Australia does not have the exact same cookie consent model as the EU under GDPR. There is no specific Australian law that says 'you must show a cookie banner before any tracking occurs'. However, transparency and consent obligations still matter depending on what you collect and how you use it.

When a basic notice is not enough:

  • If you use third party pixels that share data with advertising platforms

  • If you run behavioural remarketing based on website visits

  • If you build audience profiles for targeted advertising

  • If you use session replay or heatmap tools on sensitive pages

The OAIC's guidance on targeted online marketing explains how cookies and similar technologies can build profiles and target advertising. The tracking pixel guidance sets specific expectations around transparency, opt outs and ongoing reviews.

The better question is not 'Do I need a cookie banner?' It is 'Can I explain my tracking clearly and can people make a meaningful choice?'

Forms, Lead Magnets and Email Marketing

Contact Forms

Every contact form on your website is a data collection point. Under APP 5, you need to take reasonable steps to notify individuals about what you collect and why, at or before the time of collection.

Check:

  • Are required fields limited to what you actually need?

  • Is there a collection notice near the form (even a short sentence with a privacy policy link)?

  • Does the form warn users before they enter sensitive information?

  • Is marketing consent separated from the enquiry itself?

  • Where does the submitted data go (inbox, CRM, spreadsheet)?

  • How long is the data retained?

Lead Magnets

If your website offers a downloadable guide, checklist or template in exchange for an email address, check whether marketing consent is clear and separate.

  • Is the download genuinely useful or is it just a data collection mechanism?

  • Is consent for marketing emails clearly explained before the user submits?

  • Is marketing consent bundled with the download or is it a separate opt in?

  • Can people easily unsubscribe from marketing emails after downloading?

Email and SMS Marketing

The Australian Communications and Media Authority (ACMA) requires businesses to have consent before sending commercial electronic messages. Messages must identify the sender, include contact details and make unsubscribing easy. ACMA recommends express consent based on clear terms that explain what the marketing is for, who will use the consent, how long it applies and how to withdraw it.

A form submission is not automatically permission to market forever.

Automated Decision Making: What Websites Should Prepare For

From 10 December 2026, APP entities that use personal information in automated decisions that may significantly affect an individual's rights or interests will need their privacy policies to include information about the kinds of personal information used and the kinds of decisions made.

Automated decision making on websites may include:

  • Loan or finance pre qualification tools

  • Insurance quote flows

  • Recruitment screening or eligibility checks

  • Dynamic pricing or personalised offers

  • Customer segmentation or lead scoring in CRM

  • Booking triage that prioritises certain enquiries

  • AI chatbots that route, qualify or classify users

Practical steps now:

  • Identify any automated decisions your website or CRM makes

  • Document what personal information is used in those decisions

  • Document how the decision affects users (approval, prioritisation, rejection, quoting)

  • Update your privacy policy before the December 2026 deadline

  • Review AI, chatbot and CRM tools for automated decision making

  • Avoid opaque lead qualification in high risk contexts

If your website or CRM uses automation to decide who gets approved, prioritised, rejected, quoted or contacted, start documenting it now.

Industry Specific Privacy Risks

Privacy risk is not only for banks and hospitals. A small business can still collect surprisingly personal information through a normal website form.

Medical and Allied Health

Medical websites are higher risk because appointment forms, patient enquiry fields and service pages can capture or imply sensitive health information. Remarketing from a page about a specific condition can effectively disclose that information to advertising platforms. For the broader SEO picture for medical businesses, see our guide on SEO for medical practices in Australia.

Legal Services

Legal intake forms often capture confidential details. Service pages for family law, criminal defence or employment disputes can reveal sensitive personal circumstances. Call recording and remarketing from legal issue pages both carry risk. See our guide on SEO for lawyers in Melbourne for more context.

Ecommerce

Abandoned cart tracking, behavioural profiling, loyalty programs, product recommendations, customer segmentation and payment and shipping data all create privacy touchpoints. Each one should be disclosed and managed.

Professional Services

Quote forms that ask for financial or business details, lead scoring in CRM, email nurture sequences and automated follow ups can all involve personal information that needs proper handling.

Tradies and Local Services

Quote forms, call recording, SMS and email marketing, remarketing from service pages and job photos that include identifiable people or properties are all areas to review.

What to Update on Your Website

You cannot explain your data practices if you do not know your own data stack. Here is the practical change list. If your website was built by a web design team, involve them in this process. They will know where the tags, forms and integrations live.

Update 1: Privacy Policy

Review and update your privacy policy to accurately reflect what happens on your website. Add or review sections covering analytics, pixels, remarketing, CRM and form destinations, call tracking, overseas disclosures, automated decision making (where relevant), access and correction rights, complaint process, data retention and third party processors.

Update 2: Collection Notices Near Forms

Add a short notice near each form explaining what is collected, why and where to find the full privacy policy. If the form might capture sensitive information, add a specific warning. Separate marketing consent from the enquiry itself.

Update 3: Cookie and Tracking Notice

If you do not have one, add a clear notice explaining what cookies and tracking technologies your site uses, broken down by category (essential, analytics, advertising). Include opt out choices and consent settings where appropriate.

Update 4: Tracking Setup

Audit Google Tag Manager, all pixels, event tracking, heatmaps, session replay and any thank you page tags. Remove old or unused tools. Check whether tags are firing on sensitive pages.

Update 5: Forms and CRM

Review required fields, sensitive data handling, storage locations, access permissions, data retention and any integrations that send data to third parties.

Update 6: Email and SMS Consent

Review opt in checkbox wording, consent logs, unsubscribe processes and the distinction between transactional and marketing emails. Make sure lead magnet opt ins are clear about what the person is consenting to.

Update 7: Vendor and Tool Register

Document every third party tool that touches personal information from your website: Google, Meta, CRM, email platform, hosting provider, booking tool, payment gateway, call tracking provider, analytics tools. This register is useful for your legal team, your web team and for compliance reviews. It is also part of good ongoing website maintenance.

30 Day Website Privacy Action Plan

The first privacy win is visibility: know what the site collects before you try to fix everything.

Week

Focus

Actions

Week 1

Map the data

List all forms, pixels, analytics tools, CRM integrations, email and SMS tools, call tracking and booking or payment tools. Document what each one collects and where the data goes.

Week 2

Remove obvious risk

Delete old or unused pixels. Remove unnecessary form fields. Rename sensitive event labels in analytics. Disable session replay on sensitive pages. Remove tools nobody is using.

Week 3

Update notices

Review and update your privacy policy. Add form collection notices. Add or improve your cookie and tracking notice. Separate marketing consent from enquiry forms. Check unsubscribe processes.

Week 4

Document and monitor

Create a vendor register. Start a GTM change log. Set up consent records. Define data retention periods. Schedule a quarterly tracking audit.

This audit pairs well with a broader technical check of your website. Our SEO audit checklist covers indexing, speed, mobile, content and local SEO alongside the tracking and technical foundations.

What Not to Do

The riskiest privacy setup is the one nobody owns. Here are the most common mistakes.

Copying a generic privacy policy. A template policy that does not describe your actual data practices is not compliant. It needs to reflect what your website actually collects and where that data goes.

Assuming the web developer handled it. Your developer built the site. They are not responsible for your privacy obligations unless they were specifically engaged for that purpose. Data governance is the business owner's responsibility.

Assuming GA4 and Meta Pixel are 'just anonymous'. These tools collect device data, behavioural data and identifiers that can be linked to individuals. They are not invisible to privacy law.

Tracking everything because you can. More data is not better if you are not using it. Every unnecessary tracking tag is a risk with no upside.

Putting pixels on sensitive pages without review. A Meta Pixel firing on a mental health enquiry page, a legal intake form or a medical appointment confirmation sends data to an advertising platform. Review what fires where.

Bundling marketing consent into every form. 'By submitting this form you agree to receive marketing emails' buried in fine print is not clear consent. Separate the marketing opt in.

Using AI chatbots to collect sensitive info without a policy update. If your chatbot asks users questions that could reveal health, legal, financial or personal information, your privacy policy should reflect that.

Treating the small business exemption as a reason to ignore privacy. The exemption may change. And even now, good privacy practice builds trust with customers and reduces risk.

FAQs

Do Australian websites need a privacy policy?

If your business is covered by the Privacy Act (and most businesses with over $3 million turnover are, plus health service providers and some others regardless of turnover), you need a privacy policy that explains how you handle personal information. Even if the small business exemption currently applies to you, having a clear privacy policy is good practice and builds trust with customers.

Do Australian websites need cookie consent banners?

Australia does not have a GDPR style cookie consent requirement. However, if your website uses tracking pixels, remarketing, behavioural profiling or shares data with advertising platforms, you should provide clear notice about what tracking is used and offer meaningful opt out choices. The exact requirements depend on what you collect and how you use it.

Do the new privacy laws apply to small businesses?

The small business exemption (for businesses under $3 million annual turnover) has not been removed yet, but removal has been proposed and is under consultation. Some small businesses are already covered regardless of turnover, including health service providers and businesses that trade in personal information. Even if you are currently exempt, preparing now reduces future risk.

What changed in the Privacy Act in 2024 and 2025?

The Privacy and Other Legislation Amendment Act 2024 commenced on 10 December 2024. Key changes include a statutory tort for serious privacy invasions (from 10 June 2025), expanded OAIC enforcement powers, new civil penalty tiers and future obligations around automated decision making transparency (from 10 December 2026) and a Children's Online Privacy Code.

What is the statutory tort for serious invasions of privacy?

It is a new legal pathway that allows individuals to sue for serious invasions of privacy, covering both intrusion upon seclusion and misuse of private information. It commenced on 10 June 2025 and operates through the courts, not the OAIC complaint process. This applies more broadly than just APP entities in some circumstances.

Can I use Meta Pixel on my website in Australia?

Yes, but you need to comply with your Privacy Act obligations. The OAIC's tracking pixel guidance says you should disclose pixel use clearly, comply with APP 7 direct marketing obligations, provide a simple opt out and conduct regular reviews. Avoid firing pixels on sensitive pages without careful consideration.

Can I run remarketing ads under Australian privacy law?

You can, but you need to be transparent about it. Disclose remarketing in your privacy policy and cookie notice, provide an opt out, avoid remarketing from sensitive pages and make sure the data you share with ad platforms is disclosed to users. Sensitive industries need extra caution.

What should my contact form say about privacy?

At minimum, include a short notice near the form explaining what information is collected and why, with a link to your full privacy policy. If the form might capture sensitive information, add a specific note. If you want to use the submission for marketing, add a separate opt in checkbox.

Do I need consent for email marketing?

Yes. Under Australian spam laws administered by ACMA, you need consent before sending commercial electronic messages. The consent should be clear and the person should understand what they are signing up for. Every marketing email must identify the sender, include contact details and make unsubscribing easy.

What is automated decision making under the Privacy Act?

It refers to decisions made using personal information where automation plays a significant role. From 10 December 2026, if your business uses personal information in automated decisions that may significantly affect rights or interests, your privacy policy will need to explain the kinds of information used and the kinds of decisions made. This includes CRM lead scoring, chatbot routing, eligibility tools and dynamic pricing.

Should I remove tracking from my website?

No. The goal is not to stop tracking. The goal is to track what you need, explain it clearly, remove what you do not use and provide meaningful choices. Good analytics and conversion tracking are essential for understanding what works. The issue is undisclosed, unnecessary or excessive tracking.

What We Recommend at Elev8d

When we build or audit a website, we look at the tracking stack as part of the project. That means reviewing Google Tag Manager, analytics configuration, pixel setup, form integrations and CRM connections, not just to make tracking work, but to make sure the business can explain what is happening. That approach connects to how we think about trust and E E A T for small businesses. Transparent data practices are part of building a trustworthy online presence.

Privacy compliance is legal advice. But your website tracking stack is something we can help you see clearly. We can show you which tags, forms, events and tools are running, then help your team decide what to keep, change or remove.

For most small businesses, the practical first step is a tracking audit: map what is on the site, remove what is not needed and document the rest so your legal adviser can review the policy with accurate information.

Next Steps: Pick Your Path

Path 1: Run the 30 day audit yourself

Follow the four week plan in this article. Map your data, remove obvious risk, update your notices and document your vendor stack. This is something a business owner or marketing manager can start without external help.

Path 2: Get your tracking stack reviewed

If you are not sure what tags, pixels and integrations are running on your site, we can map the tracking stack for you. We will show you what is there, what is firing where and what might need attention. Get in touch and we will take a look.

Path 3: Get proper legal advice

If your business handles sensitive data, operates in a regulated industry (medical, legal, financial) or needs specific compliance guidance, get professional legal advice alongside the technical review. We can help with the website and tracking side. A privacy lawyer can help with the policy and compliance side.

Your website does not need to become a legal document. But it does need to be more honest about what data it collects, why it collects it, who it shares it with and how people can control it.

Sources and Further Reading

General information only. This article is not legal advice. Privacy law is complex and rules vary by business size, industry, data type and circumstances. If you need compliance guidance, consult a qualified privacy or legal professional.

AK
Written by

Ajay K.

Ajay K is the founder of Elev8d. A psychology grad turned marketer, he writes plain English guides on SEO, ads and web design. Reader, adrenaline seeker & self confessed introverted extrovert.