Why Australian Businesses Need to Manage Web Privacy Risk

There's a comfortable misconception floating around Australian boardrooms: that privacy risk management is an American and European problem.
In the United States, class-action lawyers are chasing eye-watering settlements, twisting the patchwork of decades-old statutes to fit the modern web. Meanwhile, the European Union has the comprehensive obligations of the General Data Protection Regulation (GDPR), enforced by regulators empowered to levy fines of up to 4% of global revenues.
Australian businesses, the traditional thinking goes, can afford to relax.
But that myth is starting to crack, and the pressure is arriving on two fronts.
The first front is domestic. Australian regulators have begun actively pursuing businesses over the everyday web-tracking technologies that millions of sites run without a second thought.
The second is international. Australian businesses with US customers face a fast-growing threat from private actions targeting businesses that operate across state lines and, increasingly, international borders. Fuelled by litigation funding, the prolific plaintiffs' bar is much more active in the US than regulators are in Europe.
For any business with a website (which is to say, nearly all of them), both fronts now deserve attention.
Front One: Australian Regulators Are Circling
In June 2026, the Australian Privacy Commissioner handed down two determinations finding that health service providers Medmate and Monash IVF "interfered with the privacy of individuals whose sensitive information was collected through third-party tracking pixels."
The year-long investigation examined how the two providers, telehealth and fertility services respectively, collected data on their websites and used it to retarget visitors with advertising on social media.
Using tracking pixels to follow visitors on a health-related website, then retargeting them with ads, amounts to collecting sensitive information. Businesses that choose to do so must collect consent under the Privacy Act 1988.
As the Commissioner put it, the advanced technology used for online tracking "still has to be used in compliance with the Privacy Act." The regulator also pointed to research showing 9 in 10 Australians consider it neither fair nor reasonable to be targeted based on their sensitive health data.
Published alongside the determinations was a broader report, Your life, pixelated, based on an analysis of 50 health provider websites. Interestingly, a similar report into pixels on US healthcare websites prompted a wave of litigation against US healthcare entities.
Clearly, healthcare entities in Australia should be actively mitigating the risk of being next in line, but this theory that web activity constitutes sensitive information could be used elsewhere. For example, an online retailer might sell mostly innocuous products, like pasta and avocado, but also sell sensitive products like pregnancy tests.
Front Two: The Litigation Wave from the US
The second front is the US, where web privacy litigation has become an industrialised model. Coalition's State of Web Privacy report found that 77% of wrongful collection claims originated from website tracking.
The report found the technologies at the centre aren't exotic: the Meta Pixel (named in 43% of analytics-related allegations), Google Analytics, and the chatbots and analytics scripts that are running on millions of sites.
Just four law firms drove 72% of all web privacy claims, largely through mass-produced demand letters engineered to extract quick settlements.
Geography is no shield. Just 20% of claims alleging breaches of California law were brought against California-based companies, because privacy rights attach to the resident, not the business. An Australian business serving US customers, or simply running the same standard marketing stack, could find itself squarely in scope.
Australian businesses are not too small to be targeted. Plaintiffs’ law firms rely on templated demand letters that are cheap to file. Consequently, nearly 60% of claims hit businesses with under USD $100 million in revenue.
Coalition has already received claims from non-US policyholders based on allegations that web trackers violated US laws. Market insights inform us that these claims have impacted Australian businesses too.
Practical Steps for Reducing Privacy Risk
The good news: web privacy risk can be manageable if treated with the same continuous focus as cyber risk rather than as a one-off compliance task.
Get visibility into your exposure. You can't fix what you can't see. Coalition's Active Privacy Protection, inside Coalition Control®, and our Cyber Risk Assessment surface the tracking technologies running on your sites, audit your consent mechanisms, and parse your disclosures. This helps give risk managers a clear, real-time picture of where the organisation may be vulnerable before a regulator or a demand letter can identify an issue first.
Use practical resources. Coalition has published a suite of advisory materials, including a checklist of privacy best practices for small and midsize businesses and an international privacy policy template. These assets are particularly useful if you're building disclosures that need to satisfy US and European requirements at once.
Make sure you're covered. Even strong compliance programs have gaps due to cat-and-mouse marketing teams, sprawling domains, and diverse global regulations. A comprehensive cyber policy offering broad privacy coverage, plus access to an experienced claims team, is a necessary backstop to help protect your organisation.
The era of Australian complacency on web privacy is ending. To prepare for this growing threat, businesses should identify their risks, tighten privacy controls, and use insurance to help manage any remaining liability.
