Why Australian Businesses Need to Manage Web Privacy Risk

There's a comfortable misconception floating around Australian boardrooms: that privacy risk management is an American and European problem.

In the United States, class-action lawyers are chasing eye-watering settlements, twisting the patchwork of decades-old statutes to fit the modern web. Meanwhile, the European Union has the General Data Protection Regulation (GDPR)’s comprehensive set of obligations, enforced by regulators empowered to levy fines of up to 4% of global revenues.

Australian businesses, the traditional thinking goes, can afford to relax. 

But that myth is starting to crack, and the pressure is arriving on two fronts.

The first front is domestic. Australian regulators have begun actively pursuing businesses over the everyday web-tracking technologies that millions of sites run without a second thought.

The second is international. Australian businesses with US customers face a fast-growing threat from private actions targeting businesses that operate across state lines and, increasingly, international borders. Fuelled by litigation funding, the prolific plaintiffs' bar is much more active in the US than regulators are in Europe.

For any business with a website (which is to say, nearly all of them), both fronts now deserve attention.

Front One: Australian Regulators Are Circling

In June 2026, the Australian Privacy Commissioner handed down two determinations finding that health service providers Medmate and Monash IVF “interfered with the privacy of individuals whose sensitive information was collected through third-party tracking pixels.”

The year-long investigation examined how the two providers, telehealth and fertility services respectively, collected data on their websites and used it to retarget visitors with advertising on social media.

Using tracking pixels to follow visitors on a health-related website, then retargeting them with ads, amounts to collecting sensitive information. Businesses that choose to do so must collect consent under the Privacy Act 1988.

As the Commissioner put it, the advanced technology used for online tracking "still has to be used in compliance with the Privacy Act." The regulator also pointed to research showing 9 in 10 Australians consider it neither fair nor reasonable to be targeted based on their sensitive health data. 

Published alongside the determinations was a broader report, Your life, pixelated, based on an analysis of 50 health provider websites. Interestingly, a similar report into pixels on US healthcare websites prompted a wave of litigation against US healthcare entities.

Clearly, healthcare entities in Australia should be actively mitigating the risk of being next in line, but this theory that web activity constitutes sensitive information could be used elsewhere. For example, an online retailer might sell mostly innocuous products, like pasta and avocado, but also sell sensitive products like pregnancy tests.

Front Two: The Litigation Wave from the US

The second front is the US, where web privacy litigation has become an industrialised model. Coalition's State of Web Privacy report found that 77% of wrongful collection claims originated from website tracking. 

The report found the technologies at the centre aren't exotic: the Meta Pixel (named in 43% of analytics-related allegations), Google Analytics, and the chatbots and analytics scripts that are running on millions of sites.

Geography is no shield. Just 20% of claims alleging breaches of California law were brought against California-based companies, because privacy rights attach to the resident, not the business. An Australian business serving US customers, or simply running the same standard marketing stack, could find itself squarely in scope.

Australian businesses are not too small to be targeted. Plaintiffs’ law firms rely on templated demand letters that are cheap to file. Just four law firms drove 72% of all web privacy claims, largely through mass-produced demand letters engineered to extract quick settlements. Consequently, nearly 60% of claims hit businesses with under USD $100 million in revenue. 

Coalition has already received claims from non-US policyholders based on allegations that web trackers violated US laws. Market insights inform us that these claims have impacted Australian businesses too.

Practical Steps for Reducing Privacy Risk

The good news: web privacy risk can be manageable if treated with the same continuous focus as cyber risk rather than as a one-off compliance task.

Get visibility into your exposure. You can't fix what you can't see. Coalition's Active Privacy Protection, inside Coalition Control®, and our Cyber Risk Assessment surface the tracking technologies running on your sites, audit your consent mechanisms, and parse your disclosures. This helps give risk managers a clear, real-time picture of where the organisation may be vulnerable before a regulator or a demand letter can identify an issue first.

Use practical resources. Coalition has published a suite of advisory materials, including a checklist of privacy best practices for small and midsize businesses and an international privacy policy template. These assets are particularly useful if you're building disclosures that need to satisfy US and European requirements at once.

Make sure you're covered. Even strong compliance programs have gaps due to cat-and-mouse marketing teams, sprawling domains, and diverse global regulations. A comprehensive cyber policy offering broad privacy coverage, plus access to an experienced claims team, is a necessary backstop to help protect your organisation.

The era of Australian complacency on web privacy is ending. To prepare for this growing threat, businesses should identify their risks, tighten privacy controls, and use insurance to help manage any remaining liability.


This blog post is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with your use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, nor assumes responsibility or liability for the content, privacy policy, or practices of any such third-party websites.
Insurance cover is issued by Coalition Insurance Solutions Pty Ltd. (“CIS AU”) (ABN 33 657 140 791, AFSL 539846) under a binding authority given by certain insurers. CIS AU may receive compensation from insurers in connection with the sale of insurance cover. Please see licences and disclaimers for more details. This information is of a general nature only and does not take into account any person's particular circumstances. All descriptions of coverage are subject to the terms, conditions, and exclusions of the individual policy.
Copyright © 2026. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.
