by The Computing Australia Group | Online Tracking (2025)
A practical 2025 guide for Australian businesses and everyday web users
You search for hiking boots once and they “follow” you around the internet for a week. That’s online tracking at work. This guide explains—clearly and calmly—what’s happening under the hood, how businesses use it, and what both site owners and users can do to keep things transparent, lawful, and respectful.
What is online tracking?
Online tracking (or website tracking) is the process of observing and recording how people interact with websites and apps—pages visited, features used, content viewed, and outcomes such as sign-ups or purchases. Done well, it helps organisations:
- Understand what’s working (and what’s broken)
- Keep accounts secure and fraud out
- Personalise experiences (e.g., saved baskets, location-aware content)
- Fund free content via relevant advertising
Done poorly—without transparency, consent, or restraint—it becomes intrusive and may breach privacy laws.
Why organisations track: legitimate use cases
1. Analytics & UX: Spot friction, crashes, and confusing flows to improve usability.
2. Security & fraud prevention: Detect suspicious logins, bot traffic, or credential-stuffing.
3. Personalisation: Remember preferences, accessibility settings, or past interactions.
4. Marketing & attribution: Measure which campaigns drove visits, leads, or sales.
5. Compliance & auditing: Maintain consent logs and produce privacy records.
Key principle: You don’t need everything. Collect only what’s necessary for a clear purpose—then protect and delete it responsibly.
What data do websites typically collect?
The specifics depend on the service and consent you provide. Common categories include:
- Identifiers: IP address, user IDs, session IDs, mobile ad IDs
- Contact details (if you provide them): name, email, phone, address
- Device & browser: OS version, browser type, screen size, language
- Interaction data: pages viewed, clicks, scroll depth, time on page
- Commerce data: cart contents, wishlist, orders, refunds
- Network & location: rough geo from IP; precise GPS only if you grant permission
- Referrer & campaign: source site or ad (e.g., via UTM parameters)
How tracking works: the main technologies
1. Cookies (first-party & third-party)
Small text files a site stores in your browser.
- Session cookies: temporary; essential for logins and carts.
- Persistent cookies: stick around to remember preferences or sign-ins.
- First-party cookies: set by the site you’re on (e.g., example.com).
- Third-party cookies: set by another domain (e.g., an ad or analytics vendor) embedded on the page. These power cross-site profiling and are being phased out in modern browsers.
User controls: Clear cookies; block third-party cookies; use privacy modes.
2. Local Storage & Session Storage
Browser storage areas websites can write to; larger than cookies and not sent with every request. Good for preferences and performance, but still subject to consent and minimisation.
3. Tracking Pixels & Web Beacons
Tiny (often invisible) images or network requests that load from a server when a page or email is opened. They log events like page views, conversions, device info, IP, and timestamps.
Email marketing routinely uses pixels to measure open rates. Some mail clients now block or pre-fetch images to blunt this tracking.
4. JavaScript Tags & SDKs
Snippets provided by analytics/ads vendors execute in the browser or in an app’s SDK to record events (e.g., “Add to Cart”, “Form Submit”). Powerful—but must be audited to avoid over-collection and performance drag.
5. Browser Fingerprinting
Combines a soup of seemingly generic attributes— fonts, plugins, screen resolution, timezone, canvas/webGL rendering quirks—to create a probabilistic identifier. It’s harder for users to control and is frowned on by regulators unless it’s strictly necessary (e.g., fraud prevention) and disclosed.
6. HTTP Referrer
When you click a link, the referrer header may tell the destination which page you came from. Useful for analytics and attribution. Browsers and sites can limit this via Referrer-Policy (e.g., strict-origin-when-cross-origin).
7. User-Agent Strings & Client Hints
Used to identify browser/OS for compatibility and analytics. Modern Client Hints reduce passive fingerprinting by sharing only what’s needed and only when the site asks for it.
8. Campaign Parameters (UTM & friends)
utm_source, utm_medium, utm_campaign and similar query parameters tag marketing links, letting analytics tools attribute traffic and conversions to a channel or ad.
9. Mobile Advertising IDs
Apple’s IDFA and Android’s Advertising ID enable app-to-app ad attribution—subject to user permission (e.g., ATT prompts on iOS). Users can reset or limit these in system settings.
10. Wi-Fi, Bluetooth & Location Analytics
In physical spaces (stores, venues), anonymised device probes can indicate foot-traffic patterns. Lawful use requires strong de-identification, signage, and (where required) consent.
11. Server-Side Tagging & CDPs
Data collection increasingly shifts from the browser to the server, giving site owners better security, rate limits, and data minimisation control. Customer Data Platforms (CDPs) unify first-party data (with consent) across systems
First-party vs third-party tracking (and why it matters)
- First-party tracking: The site you’re using collects data for its own purposes (e.g., analytics, essential personalisation). Users are generally informed via Privacy Policies and consent banners.
- Third-party tracking: A different company collects data through embedded scripts, widgets, or pixels—often for cross-site advertising profiles.
The big shift: Browsers and regulators now limit third-party tracking. Expect first-party data (with consent) + contextual advertising + on-device privacy APIs to dominate.
Australian legal backdrop: APPs in plain English
If your organisation handles personal information in Australia, you’re likely bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). In practice that means:
- APP 1 – Open and Transparent Management: Have a clear, current Privacy Policy that explains what you collect, why, how you store/disclose, and how users can access or correct it.
- APP 3 – Collection: Collect information only where reasonably necessary, and generally directly from the individual.
- APP 5 – Notification: Tell people at or before collection (e.g., via cookie banners/just-in-time notices).
- APP 6 – Use & Disclosure: Use data only for the purposes you stated—or where a permitted exception applies (e.g., consent, law enforcement).
- APP 8 – Cross-border Disclosure: Extra care when sending data overseas; ensure comparable protection.
- APP 11 – Security: Take reasonable steps to protect personal information from misuse, interference, and loss.
- APP 12/13 – Access & Correction: Provide ways to access and correct personal information.
Not legal advice. If you target residents in other jurisdictions (EU, UK, US states), you may also need to comply with GDPR, UK GDPR, or CCPA/CPRA, which have stricter consent and data subject rights.
Myths vs facts
- Myth: “Incognito mode makes me invisible.”
- Fact: It mostly stops local history/cookies. Your ISP, employer, websites, and sign-in services can still see plenty.
- Myth: “Deleting cookies stops all tracking.”
- Fact: It helps, but fingerprinting, server logs, ad IDs, and single-sign-on may still tie sessions together.
- Myth: “Analytics data isn’t personal.”
- Fact: If it relates to an identifiable person or could be combined to identify them, treat it as personal information
- Myth: “Consent banners = compliance.”
- Fact: Consent must be informed, specific, freely given, and recorded—and you still need security and minimisation.
Practical guidance for website owners
1. Map your data flows
- List every tag, pixel, SDK, and endpoint receiving data.
- Document what you collect, purpose, lawful basis/consent, retention, and where it’s stored.
2. Minimise by default
- Don’t collect fields you don’t use.
- Truncate IPs, hash sensitive IDs, and avoid storing raw personal data in analytics where possible.
3. Implement a Consent Management Platform (CMP)
- Provide granular toggles (Essential / Analytics / Marketing).
- Block non-essential tags until consent is granted.
- Keep timestamped consent logs for audits.
4. Prefer first-party and server-side
- Use first-party analytics or server-side tag management to gate outbound data.
- Eliminate unnecessary third-party scripts; review quarterly.
5. Tighten security
- Enforce HTTPS everywhere.
- Use Content-Security-Policy (CSP) to limit where scripts can load from.
- Rotate API keys; apply least-privilege access; enable MFA for admins.
6. Be transparent
- Plain-English Privacy Policy and Cookie Notice.
- In-context notices (e.g., “We’ll use your email to send order updates.”)
7. Set sensible retention
- Purge logs and analytics after a defined period (e.g., 14–26 months) unless needed longer for compliance.
8. Enable user rights
- Offer easy access, correction, deletion paths and honour opt-out/unsubscribe quickly.
9. Test & monitor
- Validate your consent gating with a fresh browser/device.
- Monitor for tag drift—vendors sometimes add new capabilities that change data flows.
10. Prepare for incidents
- Maintain an incident response plan: detection, containment, notification, lessons learned.
Practical guidance for everyday users
- Review consent banners: Deselect “Marketing” if you don’t want cross-site ads.
- Block third-party cookies: Many browsers do this by default; you can also install reputable content blockers.
- Use privacy-respecting browsers/search: Consider options with stronger defaults.
- Reset ad IDs on iOS/Android and choose “Ask App Not to Track” where available.
- Limit permissions: Only grant location, microphone, camera when necessary—turn off background access.
- Use a VPN on public Wi-Fi to encrypt traffic between you and the VPN server.
- Keep software updated: Patches close vulnerabilities trackers (and attackers) might exploit.
- Beware of over-sharing: Form fields marked “optional” are often truly optional.
Glossary (Jargon Buster)
- VPN: Encrypted “tunnel” between your device and a VPN server; useful on public Wi-Fi.
- HTTP/HTTPS: Protocols for web traffic; the S adds encryption.
- Cookie: Small browser file storing session or preference data.
- Local/Session Storage: Browser storage areas controlled by scripts on a site.
- Pixel/Web Beacon: Tiny image/request used to record an event like a view or conversion.
- User Agent / Client Hints: Browser-reported info about your software and device.
- UTM Parameters: Tags (e.g., utm_source) in URLs for marketing attribution.
- Fingerprinting: Combining device/browser attributes to create a unique ID.
- CMP: Consent Management Platform controlling which tags run based on user choices.
- CDP: Customer Data Platform—centralises first-party data with consent.
- APPs: Australian Privacy Principles guiding lawful handling of personal information.
FAQ
Can I stop pixels from tracking email opens?
Some email clients block remote images by default; you can also switch to plain-text view or disable image loading. Marketers now rely more on click and conversion signals instead.
Are essential cookies allowed without consent?
Typically yes—cookies strictly necessary for a service you requested (logins, baskets, load balancing). You still need to disclose them.
Is fingerprinting legal?
It’s risky. Many regulators expect explicit justification (e.g., fraud prevention) and clear disclosure. For marketing, it’s usually discouraged.
What happens to tracking if third-party cookies go away?
Expect a pivot to first-party data, contextual ads, aggregated measurement, and on-device privacy APIs.
