The OAIC has named ad tech and tracking pixels a regulatory priority and launched a privacy compliance sweep with penalties up to $66,000 per contravention. Australian marketers relying on loose tracking and vague consent are exposed.
The regulator stopped asking whether you track people. It started asking whether they agreed to it.
The Australian privacy regulator has marketing in its sights, and it is being specific about it. The OAIC has named ad tech, tracking pixels and excessive data collection as regulatory priorities for 2025 to 2026.
This is not a vague warning. In January 2026 the OAIC ran its first privacy compliance sweep across about 60 entities in six sectors. Privacy Commissioner Carly Kind has been blunt about the risk tracking pixels pose to public trust. The expectation now is privacy-by-design, minimal data collection and clear consent. Not consent buried in a policy nobody reads.
Non-compliant privacy policies can draw compliance notices, infringement notices and penalties of up to $66,000 per contravention. Per contravention. If your tracking setup is sloppy across a whole site, the maths gets ugly fast.
Most businesses bolted their tracking on years ago and never looked again. A Meta pixel here, a few tags there, a consent banner that does nothing when you click no. That worked when nobody was checking. Someone is checking now.
Why it matters
This lands hardest on the businesses that finally got serious about measurement. The same pixels that feed your reporting are the ones the regulator is examining. You cannot fix this by tracking less and flying blind again. You fix it by tracking properly, with real consent and a setup you can actually explain. Clean data collection and compliance are the same project, not competing ones.
$66,000: the maximum penalty per contravention for a non-compliant privacy policy under the OAIC's compliance sweep. Source: OAIC via Maddocks
What to do about it
The regulator is doing the audit you have been putting off. Better to run it yourself first.