Abinaja is the legal operations lead at Sprintlaw. After completing a law degree and gaining experience in the technology industry, she has developed an interest in working at the intersection of law and tech.
If you’ve already got a Privacy Policy on your website, it’s easy to assume you’ve “ticked the privacy box” and can move on.
But in New Zealand, a Privacy Policy and a privacy collection notice aren’t the same thing. In practice, many businesses need both to properly meet their obligations under the Privacy Act 2020 and to give customers (and staff) clear, timely information about what’s happening with their personal information.
This guide is updated to reflect what we’re seeing right now: businesses collecting more data across more channels (webforms, cookies, CRM tools, online bookings, e-commerce and apps), and regulators and customers expecting clearer, more “at the point of collection” transparency.
Let’s walk through what a privacy collection notice is, when you need one, and how it should work alongside your Privacy Policy.
What’s The Difference Between A Privacy Policy And A Privacy Collection Notice?
They work together, but they do different jobs.
What A Privacy Policy Does
Your Privacy Policy is your “big picture” document. It explains, generally, how your business handles personal information across your operations.
It usually covers things like:
- what types of personal information you collect (e.g. names, emails, delivery addresses, payment info);
- how and why you collect it;
- how you store it and keep it secure;
- who you may disclose it to (e.g. couriers, payment providers, IT platforms);
- how people can access or correct their information; and
- how people can complain if something goes wrong.
Most businesses will publish this on their website (usually in the footer). If you don’t have one yet, a properly drafted Privacy Policy is a strong starting point.
What A Privacy Collection Notice Does
A privacy collection notice is the short, clear message you give at (or around) the time you collect personal information.
Think of it like this:
- Your Privacy Policy is the “full manual”.
- Your collection notice is the “quick warning label” right when someone hands you their information.
A collection notice usually appears:
- next to a contact form;
- under an online checkout;
- in an email sign-up box;
- in an onboarding form (e.g. for clients); or
- in a job application portal.
It’s also common to include a link to your Privacy Policy inside the notice so people can click for the longer explanation.
Is A Privacy Collection Notice Legally Required In New Zealand?
Often, yes. Under the Privacy Act 2020, one of the key obligations is that when you collect personal information, you need to take reasonable steps to make sure the person is aware of certain things (such as what you’re collecting, why you’re collecting it, and who will receive it).
In plain terms: you can’t quietly collect personal information and rely on a Privacy Policy hidden in your website footer as your only disclosure.
That’s where a privacy collection notice becomes practical (and, in many situations, the easiest way to show you’re meeting your privacy obligations).
Why Your Privacy Policy Alone Might Not Be Enough
Even with a good Privacy Policy, you can still run into issues if:
- people aren’t actually seeing it at the time they provide their information;
- the Privacy Policy is long and general, and doesn’t clearly cover the specific form or purpose; or
- you’re collecting information in contexts where a website footer link won’t be obvious (e.g. in-person forms, QR sign-ups, events).
A collection notice is your chance to be upfront in the moment, in a way that’s easy to understand.
When Do You Need A Privacy Collection Notice (Common Scenarios)?
As a rule of thumb, if you collect personal information directly from an individual, you should consider whether you’re giving them a clear notice right there and then.
Here are common situations where a privacy collection notice is usually appropriate.
1) Website Contact Forms And Booking Forms
If you collect enquiries, bookings, or consultation requests through your website, you’re collecting personal information (even if it’s “just” a name and email address).
A simple notice under the form can explain:
- what you’re collecting (e.g. contact details and message content);
- why (e.g. to respond to the enquiry and provide services); and
- where to find more details (link to your Privacy Policy).
2) Email Marketing Sign-Ups
If you’re collecting emails for newsletters or promotions, you should be clear about what people are signing up for, and whether you’re using any marketing platforms or analytics tools.
This links closely to your broader marketing compliance too, like the rules around consent and unsubscribe processes.
3) E-Commerce Checkout And Customer Accounts
Online stores usually collect a lot of personal information: delivery details, purchase history, sometimes saved payment preferences, and account details.
A collection notice can be brief, but it should still be meaningful. For example, if you share delivery details with a courier, or use a third-party fulfilment provider, it’s better to flag that at the point of checkout rather than relying on someone finding it later.
4) Job Applications And Recruitment
When you’re hiring, you might collect sensitive information without meaning to (e.g. health information disclosed by a candidate, background checks, references).
A recruitment collection notice is a smart way to clarify:
- how you’ll use application information;
- whether you’ll contact referees;
- how long you’ll keep the information; and
- who can access it internally.
This is also a good time to check your broader employment documentation is aligned (for example, your Employment Contract and workplace policies).
5) In-Store, Events, QR Codes And Paper Forms
If you collect personal information offline (think: sign-in sheets, membership forms, loyalty programs, event registrations), you still need to be transparent.
In these settings, a collection notice might be printed on the form, shown on a tablet, or displayed near a QR code.
6) CCTV, Monitoring And Workplace Personal Information
If you collect information through monitoring in a workplace (like CCTV), you’ll generally need to make sure people know it’s happening and why.
This isn’t just about having a policy in a folder somewhere. Clear signage and staff communications can function as “notice at the time of collection” for surveillance-based collection. If this is relevant to your business, it’s worth reviewing whether the legal issues around cameras in the workplace apply to your setup.
What Should A Privacy Collection Notice Include?
There’s no single mandatory template, because what you need depends on what you collect and why. But your notice should be clear, accurate, and tailored to the collection point.
As a practical checklist, your privacy collection notice should usually address:
- Who is collecting the information (your business name and contact details if needed).
- What information you’re collecting (e.g. name, email, phone, address, message content).
- Why you’re collecting it (the purpose, in plain English).
- What you’ll do with it (e.g. respond to enquiry, provide services, issue invoices, deliver goods).
- Who you may share it with (if relevant, e.g. delivery providers, payment processors, booking platforms, IT providers).
- Whether it’s required (and what happens if the person doesn’t provide it).
- How to access/correct information (often via your Privacy Policy process).
- A link to your Privacy Policy for full details.
Keep It Short (But Not Vague)
A collection notice works best when it’s short enough to be read quickly, but specific enough to actually inform the person.
For example, “We respect your privacy” doesn’t tell someone what you’re doing with their details. On the other hand, a 1,500-word block of text under a form defeats the purpose.
When in doubt, aim for:
- 2–5 short sentences; and
- a clear link to your full Privacy Policy.
Be Careful With “Consent” Language
Some businesses add tick boxes that say “I consent to the Privacy Policy”. Sometimes that’s helpful, but sometimes it creates confusion.
In many cases, you don’t need “consent” to collect information (for example, you need their delivery address to deliver a product). What you do need is transparency and a lawful, fair reason to collect and use the information.
Consent is more relevant when:
- you’re collecting optional information;
- you’re doing marketing communications; or
- you’re collecting sensitive information where express agreement is appropriate.
If you’re not sure whether a tick box is the right approach for your situation, it’s worth getting advice before you lock in the wording.
How Do A Collection Notice And Privacy Policy Work Together (Best Practice)?
You’ll usually get the best compliance outcome when your Privacy Policy and collection notices are consistent, and you treat them as part of one privacy system.
Think “Layered Privacy”
A common approach is “layered” privacy information:
- Layer 1: the collection notice at the point of collection (short, specific, immediate).
- Layer 2: the Privacy Policy with full detail (longer, comprehensive, ongoing).
This is especially useful when you have multiple collection points (for example, a website contact form, a newsletter sign-up, and a customer checkout). Each of those collection points can have its own mini-notice, while the Privacy Policy ties everything together.
Make Sure Your Notice Matches Reality
A surprisingly common issue we see is privacy wording that doesn’t match what the business actually does.
For example:
- Your form says you only use details to respond to enquiries, but you add everyone to a mailing list.
- Your checkout doesn’t mention sharing details with a courier, but that sharing is necessary to deliver orders.
- Your Privacy Policy says you don’t disclose personal information overseas, but your software tools store data on offshore servers.
These gaps aren’t just technicalities. They can create real trust issues with customers and increase the risk of privacy complaints.
Don’t Forget Cookies And Tracking
If your site uses tracking (analytics, ad pixels, remarketing), your Privacy Policy should cover this, and you may also need a cookie banner or cookie notice depending on how your site operates and what tools you use.
If you’re updating this part of your website compliance, a Cookie Policy can help make your tracking practices clearer and easier to manage.
Privacy Is Part Of Your Wider Online Terms Setup
Privacy documentation usually sits alongside other website legal documents, particularly if you sell online or operate a platform. Depending on what you do, you might also need website terms covering user conduct, orders, refunds, and disclaimers. Many businesses bundle this together as Website Terms And Conditions to protect themselves from day one.
What Happens If You Don’t Use A Proper Collection Notice?
For most small businesses, the biggest risk isn’t an immediate fine (privacy enforcement can be more nuanced than that). The bigger, day-to-day risks are practical:
- Customer trust issues: People are less willing to submit forms or make purchases if they’re not sure how their data will be used.
- Higher complaint risk: If someone feels surprised by how you used their information, they’re more likely to complain.
- Messy internal processes: Without a clear “why we collect this” statement, staff may handle personal info inconsistently.
- Marketing and CRM problems: You may end up with contact lists that are unusable (or risky) because you didn’t properly disclose your use.
- Harder incident response: If something goes wrong, it’s harder to show you took reasonable steps if you can’t point to clear notices and policies.
If you’re building a business you want to grow, privacy compliance is part of building credibility. It’s also often a requirement if you want to work with corporate clients who do vendor checks.
And if you ever have to manage a privacy incident, having clear documentation in place can make your response faster and more defensible. In more mature privacy programs, businesses also use tools like a Data Breach Response Plan so there’s no scrambling if an incident happens.
Key Takeaways
- A Privacy Policy and a privacy collection notice are different tools: the policy is the comprehensive overview, while the notice provides clear information at the point you collect personal information.
- Under the Privacy Act 2020, you generally need to take reasonable steps to make people aware of key details when you collect their personal information, which is why collection notices are so useful (and often necessary).
- Collection notices are especially important for contact forms, bookings, checkout pages, email sign-ups, job applications, and offline collection (like events and QR sign-ups).
- A good collection notice should clearly explain what you collect, why you collect it, who you might share it with, and where to find your full Privacy Policy.
- Your Privacy Policy and collection notices should be consistent with your actual data practices, including any tracking tools, couriers, software providers, or overseas storage arrangements.
- If you’re unsure what wording you need, it’s worth getting advice early; privacy compliance is much easier (and cheaper) to set up properly from day one than to fix after a complaint.
If you’d like help getting your Privacy Policy and privacy collection notices right (or reviewing what you already have), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


