Healthcare website privacy compliance
A website privacy checklist for Australian clinics
Updated 1 July 2026 · 6 min read
Who this is for
You run a clinic or a practice. You are responsible for the website, even though an agency probably built it, and you are not a privacy lawyer or a developer. This checklist is for you. Work through it in order. Each item is something you can check, or ask someone to check for you.
1. See what your website actually does
You cannot protect against what you cannot see, so start here.
- Load your homepage and a treatment or booking page as a first-time visitor.
- List every tag, cookie and third-party service that loads, including Meta, TikTok, Google, live chat, and booking tools.
- Note which ones load before any consent is given.
If this step feels technical, a scan will do it for you and produce a plain report.
2. Make tags wait for consent
This is the single most important fix.
- Confirm that advertising and social tags do not fire until a visitor has agreed.
- Check that your consent banner blocks tags, rather than just recording a click after they have already fired.
- Remember that a banner which appears after the pixel has loaded is not protecting anyone. See how to make a banner actually block.
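The difference between a banner that blocks and one that only records a click is in how the tags are loaded. The following consent gate is an added example, not code from the original page or from any vendor's tag manager; it assumes a constructed tag registry (the ids, categories and script URLs are placeholders) and a hypothetical first-party host. Tags requested before consent are held in memory and never injected, so no request to the advertising or social vendor ever leaves the browser; the banner's "agree" handler releases them by category.

```javascript
// Added example (not the page's own code): a consent gate that keeps
// advertising and social tags from firing until the visitor has opted in.
// Tags requested before consent are queued, never injected, so no request
// reaches the vendor; the banner's "agree" handler releases the queue.

// Constructed tag registry. The src values are placeholders; a real site
// would put each vendor's own script URL here.
const TAG_CATALOGUE = [
  { id: "meta-pixel",   category: "advertising", src: "https://example.invalid/meta-pixel.js" },
  { id: "tiktok-pixel", category: "advertising", src: "https://example.invalid/tiktok-pixel.js" },
  { id: "analytics",    category: "analytics",   src: "https://example.invalid/analytics.js" },
  { id: "booking",      category: "essential",   src: "https://example.invalid/booking-widget.js" },
];

// Default injector for the browser: appends a <script> element to <head>.
// Only called once consent for the tag's category exists.
function domInject(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  s.dataset.tagId = tag.id;
  document.head.appendChild(s);
}

function createConsentGate(catalogue, inject = domInject) {
  const consented = new Set(["essential"]); // essential tags need no opt-in
  const loaded = new Set();                  // tag ids already injected
  const queued = new Map();                  // tag id -> tag, waiting on consent

  // Inject the tag if its category is consented; report whether it is loaded.
  function loadIfAllowed(tag) {
    if (loaded.has(tag.id)) return true;
    if (!consented.has(tag.category)) return false;
    inject(tag);
    loaded.add(tag.id);
    return true;
  }

  return {
    // Page code calls this wherever a tag would normally fire.
    request(tagId) {
      const tag = catalogue.find((t) => t.id === tagId);
      if (!tag) throw new Error(`unknown tag: ${tagId}`);
      if (loadIfAllowed(tag)) return "loaded";
      queued.set(tag.id, tag); // a repeat request does not queue twice
      return "queued";
    },
    // The banner's "agree" handler calls this with the accepted categories.
    grant(categories) {
      for (const c of categories) consented.add(c);
      for (const [id, tag] of queued) {
        if (loadIfAllowed(tag)) queued.delete(id);
      }
    },
    // Plain status a non-developer can read: what fired, what is still held.
    state() {
      return {
        loaded: [...loaded].sort(),
        queued: [...queued.keys()].sort(),
        consented: [...consented].sort(),
      };
    },
  };
}

// Browser usage: request the tags the page wants at load time, then let the
// banner call gate.grant([...]) when the visitor agrees.
if (typeof document !== "undefined") {
  const gate = createConsentGate(TAG_CATALOGUE);
  gate.request("booking");     // essential, loads immediately
  gate.request("meta-pixel");  // held until grant(["advertising"])
  window.consentGate = gate;   // banner handler: window.consentGate.grant(categories)
}
```

The anti-pattern the checklist warns about is the reverse order: the pixel script is injected at page load and the banner merely writes a "consented" flag afterwards. In the gate above, the only path to `inject` runs through a consent check, so a banner that fails to appear, or that the visitor ignores, leaves the advertising tags unloaded rather than already fired.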
3. Tell people the truth in your privacy policy
- Make sure your privacy policy names the third parties that receive visitor data, including Meta and any analytics or advertising tools.
- Use plain language, not a generic "we use cookies" line.
- Check that the policy matches what the site actually does. In the OAIC's review, most health sites running a pixel had not disclosed it. A policy that does not match reality is a problem on its own.
4. Be careful with retargeting
- If you retarget visitors with ads, confirm you have consent to use their data that way.
- On a health site, avoid building ad audiences from pages that reveal a condition or a treatment.
5. Keep watching
- Privacy is not a once-a-year job. A new campaign, a new agency, or a single new tag can reopen a gap within a week.
- Put monitoring in place so you are told when something new starts firing.
- Keep a record of your checks. Being able to show that you were watching is part of doing this well.
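Steps 1 and 5 are the same check run once and then repeatedly: list the third parties that receive a request before consent, and compare that list with what was approved last time. The audit below is an added example, not the page's own code or the scanner the page mentions. It assumes a recorded first-time visit in a constructed shape (each request with the time it fired and the moment the visitor agreed), a hypothetical first-party host `clinic.example`, and placeholder vendor hostnames; a real run would take the request list from browser developer tools or a headless browser and the baseline from the clinic's own last record.

```javascript
// Added example (not the page's own code): audit which third parties receive
// a request before consent, and diff the result against the approved baseline
// so a new tag is noticed the week it starts firing.

const SITE_HOST = "clinic.example"; // assumed first-party host; replace with your own

// Constructed sample visit. atMs is when each request fired (ms after page
// load); consentAtMs is when the visitor clicked "agree". Hostnames are
// placeholders, not real vendor endpoints.
const SAMPLE_VISIT = {
  consentAtMs: 4200,
  requests: [
    { url: "https://clinic.example/treatments/skin", atMs: 0 },
    { url: "https://cdn.clinic.example/app.js", atMs: 120 },
    { url: "https://pixel.meta-vendor.example/events.js", atMs: 350 },
    { url: "https://pixel.tiktok-vendor.example/events.js", atMs: 400 },
    { url: "https://widget.booking-vendor.example/embed.js", atMs: 600 },
    { url: "https://collect.analytics-vendor.example/g/collect", atMs: 5100 },
  ],
};

// What the clinic approved at its last check (constructed baseline): only the
// booking widget may load before consent.
const APPROVED_PRE_CONSENT_HOSTS = ["widget.booking-vendor.example"];

// A subdomain of the clinic's own host counts as first party.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Unique third-party hosts that received a request before consent was given.
function preConsentThirdParties(visit, siteHost) {
  const hosts = new Set();
  for (const r of visit.requests) {
    if (r.atMs >= visit.consentAtMs) continue; // fired after consent: not in scope
    const host = new URL(r.url).hostname;
    if (!isFirstParty(host, siteHost)) hosts.add(host);
  }
  return [...hosts].sort();
}

// Compare this visit's pre-consent hosts with the approved baseline.
function auditVisit(visit, siteHost, approvedHosts) {
  const observed = preConsentThirdParties(visit, siteHost);
  const approved = new Set(approvedHosts);
  const seen = new Set(observed);
  return {
    observed,
    unexpected: observed.filter((h) => !approved.has(h)), // new since last check
    missing: approvedHosts.filter((h) => !seen.has(h)).sort(), // approved but gone
    ok: observed.every((h) => approved.has(h)),
  };
}

// Plain-text report a practice manager can file as the record of the check.
function formatReport(report) {
  const lines = [`Third parties loaded before consent: ${report.observed.length}`];
  for (const h of report.observed) {
    lines.push(`  ${report.unexpected.includes(h) ? "NEW     " : "approved"} ${h}`);
  }
  for (const h of report.missing) lines.push(`  gone     ${h}`);
  lines.push(report.ok ? "Result: matches baseline" : "Result: review the NEW entries");
  return lines.join("\n");
}

console.log(formatReport(auditVisit(SAMPLE_VISIT, SITE_HOST, APPROVED_PRE_CONSENT_HOSTS)));
```

Running the audit on a schedule and keeping each report gives the record step 5 asks for: the output states what fired before consent on that date and whether it matched the approved list. Anything marked NEW is the point at which the consent gate from step 2 should be checked, because a request before consent means the tag is not behind it.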
6. Know who owns this
- Decide who is responsible for website privacy. It often falls between marketing, IT, and whoever manages the practice.
- Give that person a way to see the site's status without needing to read code.
A quick reality check
If you can confidently tick steps 1 to 3, you have already addressed the core of what the OAIC's determinations were about. If you cannot, that is normal, and it is exactly where to start.