Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, chances are you use some kind of customer identifier every day.
It might be as simple as an email address in your booking system, a customer number in Xero, or a membership ID for your loyalty programme. These identifiers are often what make a smooth customer experience possible - faster checkouts, easier refunds, better support, and smarter marketing.
But here's the catch: once an identifier can be linked to an individual, you're dealing with personal information, and New Zealand's privacy rules kick in. If you collect or use customer identifiers the wrong way, you can end up with customer complaints, reputational damage, and privacy compliance headaches you really don't need.
Below, we break down what a customer identifier is, when it might be treated as a "unique identifier" under the Privacy Act 2020, and the practical steps you can take to use customer identifiers legally (without slowing down your business).
What Is A Customer Identifier (And Why Does It Matter)?
A customer identifier is any piece of information you use to recognise a customer and link them to their account, transactions, or history with your business.
In practice, customer identifiers can include:
- Customer or account number (e.g. "Customer #10492" in your CRM)
- Email address
- Phone number
- Membership or loyalty ID
- Order number (when it can be linked back to a person)
- Device identifiers (for apps and online platforms)
- Username (especially where it's unique)
- Government-issued identifiers (like a driver licence number - more on this below)
Customer identifiers matter because they often become the "key" that connects multiple data points together. Even if a single identifier seems harmless on its own, it can be used to build a detailed picture of someone's behaviour, preferences, purchases, location, or financial information.
From a legal perspective, you should assume a customer identifier is regulated if it can be linked to an identifiable person (either directly or indirectly). That means the Privacy Act 2020 will usually apply.
Customer Identifiers vs "Personal Information"
Under the Privacy Act 2020, personal information is information about an identifiable individual.
So, an internal customer number might still be personal information if your systems can use it to identify someone (because it's connected to their name, email, delivery address, or payment history).
This is why it's a good habit to treat customer identifiers as personal information unless you're genuinely working with irreversibly anonymised data.
When Does A Customer Identifier Become A "Unique Identifier" Under The Privacy Act 2020?
Some customer identifiers raise higher privacy risks because of the way they function.
The Privacy Act has specific rules around unique identifiers. In simple terms, these are identifiers assigned to an individual to uniquely identify them.
Common examples include:
- Passport number
- Driver licence number
- IRD number
- National Health Index (NHI) number
- Any other number/code used to uniquely identify someone in an organisation's system
Even your business-issued customer number could be a "unique identifier" if it uniquely identifies a customer in your system.
Why The "Unique Identifier" Label Changes Your Compliance Risk
Unique identifiers can create bigger privacy risks because:
- they can enable identity fraud if leaked or misused
- they can be used to match data across different services
- customers usually can't easily change them (unlike a password)
The key legal issue is not that you can never collect or use unique identifiers - it's that you need to be careful about how you assign them, how you use them, and when you require them from customers. In particular, you should be extra careful about:
- when you collect them (do you truly need them, or could you use something less sensitive?)
- whether you make them mandatory (for example, requiring a driver licence number to provide a service when it isn't necessary)
- how you store them (encryption, access controls)
- who can see them (staff permissions and vendor access)
- whether you display them (e.g. printing full identifiers on invoices or labels)
If you're ever unsure whether something counts as a unique identifier (or whether you can require it), it's worth getting tailored legal advice - because the safest approach is to treat it carefully from day one.
How Do You Collect Customer Identifiers Lawfully In NZ?
Collecting customer identifiers is usually allowed - but you need to do it in a way that's fair, transparent, and limited to what you actually need.
As a small business, the easiest way to think about privacy compliance is: collect only what you need, explain what you're doing, and protect what you collect.
1) Only Collect What You Need (And Be Clear About The Purpose)
Before you collect any customer identifier, ask:
- What is this identifier for (billing, delivery, account login, customer support, compliance)?
- Could we achieve the same outcome with less information?
- What happens if we collect it "just in case" - does that increase risk with no benefit?
For example:
- If you sell products online, you likely need an email address for order updates and a delivery address for shipping.
- If you run a membership model, you may legitimately need to issue a membership number to manage entitlements.
- If you're asking for a driver licence number simply to "identify the customer", that's a higher-risk identifier and you should be confident it's actually necessary.
2) Tell Customers What You're Collecting And Why
In NZ, businesses are generally expected to notify people about key privacy details at or before collection (or as soon as practical). This is where having a clear Privacy Collection Notice can make your life much easier - especially if you collect identifiers through a website checkout, booking form, sign-up page, or in-store system.
In plain terms, you should be ready to explain:
- what identifiers you're collecting (e.g. email, phone number, account number)
- why you're collecting them
- who you might share them with (e.g. couriers, payment providers, IT vendors)
- how customers can access or correct their information
Most small businesses also publish this information in a Privacy Policy, which helps you set expectations and show customers you're taking privacy seriously.
3) Be Careful With "Required" Fields And Consent
A common mistake is making every identifier "required" by default.
If a field is optional (for example, date of birth for a birthday discount), label it clearly as optional and explain what it's used for. If you're relying on consent (especially for marketing), make sure it's specific and not bundled into unrelated terms.
Also remember: even if a customer provides the identifier voluntarily, you still need to handle it lawfully once you have it.
How Can You Use Customer Identifiers Legally (Marketing, Loyalty, Profiling And Sharing Data)?
Once you've collected a customer identifier, the next question is how you can use it without crossing the line.
As a general rule, you should use customer identifiers in ways that:
- match the purpose you originally collected them for
- would be reasonably expected by the customer
- are not misleading or overly intrusive
Using Customer Identifiers For Marketing
Many businesses use email addresses and phone numbers as customer identifiers for marketing - which can be fine, but you need to think about marketing compliance as well as privacy.
For electronic marketing messages (like promotional emails or texts), you should also consider the rules under the Unsolicited Electronic Messages Act 2007. If you're building email campaigns, it's worth checking your approach against email marketing laws, because the risk isn't just privacy complaints - it can also be spam complaints.
Practical tips that usually keep you on the right track:
- Use clear opt-ins for marketing where possible (especially if you're targeting new leads).
- Include a functional unsubscribe option in marketing emails.
- Don't use a customer's identifier for a totally new purpose without telling them (or giving them a meaningful choice).
Using Customer Identifiers For Loyalty Programmes
Loyalty programmes are a classic use-case for a customer identifier: you issue a membership number (or use email/phone), track purchases, and offer rewards.
The legal risk tends to increase when you:
- collect more information than needed (e.g. excessive demographic info)
- use the programme to build detailed profiles without being transparent
- share loyalty data with third parties without clear disclosure
If you run a loyalty programme, keep the data model simple and document what each identifier is used for. If you want to expand into personalised offers later, plan for that upfront and make sure your customer-facing privacy wording covers it.
Sharing Customer Identifiers With Third Parties (Couriers, CRM Tools, IT Vendors)
Most small businesses need to share customer identifiers to deliver their services. For example:
- sharing a customer's name, phone number, and address with a courier
- storing customer emails in an email platform
- using a booking system that hosts your customer database
These are normal business activities - but you should still treat them as a privacy risk management exercise. In particular, make sure you understand:
- what you're sharing (only share what's necessary)
- where it's going (including whether data is stored overseas)
- who can access it (supplier staff, subcontractors, support teams)
- what happens if something goes wrong (breach response and notification)
If you're working with third-party suppliers who handle personal information on your behalf, it's often smart to have contract terms that clearly allocate responsibilities (like security, breach notification, and permitted uses).
How Do You Store And Protect Customer Identifiers (And What If There's A Data Breach)?
Collecting customer identifiers is one thing. Keeping them secure is where many businesses get caught out - often because they grow quickly and their systems don't keep up.
Under NZ privacy law, you're expected to take reasonable steps to protect personal information (including customer identifiers) from loss, unauthorised access, misuse, or disclosure.
Practical Security Steps For Small Businesses
"Reasonable steps" will look different depending on your size and what you collect, but for many SMEs, a good baseline includes:
- Access controls: limit who can see customer identifiers (especially admin accounts).
- Strong authentication: use multi-factor authentication (MFA) for key tools like email, CRM, and cloud storage.
- Secure storage: avoid storing identifiers in spreadsheets on personal devices.
- Minimisation: don't keep identifiers for longer than you need them.
- Staff training: make sure your team knows how to spot phishing and social engineering attempts.
- Safe disposal: securely delete or destroy old files, devices, and printed records.
If you have staff handling customer personal information, you should also set internal rules about access and appropriate use, so your operational reality matches your privacy promises.
What If Your Customer Identifiers Are Exposed?
Data breaches are more common than most business owners expect - and they're not limited to big companies. A breach can be as simple as:
- sending a customer list to the wrong email address
- a hacked password giving access to your CRM
- a staff laptop with customer identifiers being lost or stolen
Under the Privacy Act 2020, some breaches may be considered notifiable, meaning you may need to notify affected customers and the Office of the Privacy Commissioner.
This is exactly why having a documented Data Breach Response Plan is so useful - it helps you respond quickly and consistently when the pressure is on.
Even if a breach isn't notifiable, you should still treat it seriously and take steps to reduce harm (like resetting credentials, improving access controls, and updating internal processes).
Do Customers Have Rights Over Their Identifiers (Access, Correction, Complaints)?
Yes - and this is an area where small businesses can get tripped up, especially when you're busy and don't have a dedicated compliance person.
Customers generally have the right to:
- request access to personal information you hold about them (which can include identifiers)
- request correction if the information is wrong
If you receive a request, you'll want a consistent internal process so you don't scramble each time. Many businesses use an Access request form to capture what the person is asking for and to help verify identity before releasing anything.
A Quick Tip: Verify Identity Without Over-Collecting
It's reasonable to verify someone's identity before providing access to personal information - but be careful not to "solve" this by collecting high-risk identifiers unnecessarily.
For example, depending on context, you might be able to verify identity by:
- confirming control of the account email address
- asking questions about recent orders
- using secure account logins
What you choose should fit the risk level of the information involved.
Key Takeaways
- A customer identifier is any information you use to recognise a customer (like an email address, phone number, or customer ID), and it will often count as personal information under the Privacy Act 2020.
- Some identifiers are regulated as unique identifiers (like driver licence numbers or IRD numbers), and even your own customer numbers may fall into this category if they uniquely identify people in your system - so you should be careful about assigning them, using them, and requiring them.
- To collect customer identifiers lawfully, you should only collect what you need, be clear about your purpose, and give customers transparent privacy information (often through a Privacy Policy and collection notice).
- If you use customer identifiers for marketing, make sure your approach aligns with privacy expectations and spam compliance, including opt-outs and clear messaging practices.
- Sharing customer identifiers with couriers and software providers is common, but you should still manage the risk by limiting what you share and ensuring your providers have appropriate security.
- Protecting customer identifiers means taking reasonable security steps and being ready to respond quickly if something goes wrong, including having a clear breach response plan.
If you'd like help reviewing how your business collects, uses, shares, and stores customer identifiers - or you want your privacy documents set up properly from day one - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


