Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Email marketing can be one of the most cost-effective ways to grow a small business. It helps you stay top of mind, bring customers back, and launch new products without needing a massive ad budget.
But because email marketing involves sending messages directly to people (and handling their personal information), New Zealand has some clear legal rules about what you can and can’t do. If you get it wrong, you could face complaints, reputational damage, and in some cases enforcement action.
Don’t stress - once you understand the basics, staying compliant is very manageable. Below, we break down the key laws and practical steps you can take to run email marketing campaigns confidently, while protecting your business from day one.
What Laws Apply To Email Marketing In New Zealand?
When we talk about “email marketing” from a legal perspective, we’re usually talking about three main legal areas:
- Spam rules (when you’re allowed to send marketing emails, and what you must include)
- Privacy rules (how you collect, store, use and share email addresses and other customer data)
- Advertising/consumer rules (making sure what you say in emails is accurate and not misleading)
The Anti-Spam Rules (Unsolicited Electronic Messages Act 2007)
New Zealand’s key spam law is the Unsolicited Electronic Messages Act 2007. It regulates “commercial electronic messages” (which includes marketing emails) and sets out the rules around:
- When you need consent
- What information you must include in marketing emails
- How unsubscribe requests must be handled
If you’re building campaigns or workflows and want to sanity-check your approach, it’s worth reading up on our guide to email marketing laws in New Zealand before you hit send.
Privacy Rules (Privacy Act 2020)
Email marketing almost always involves personal information (even a work email can count as personal information if it identifies someone). The Privacy Act 2020 and its Information Privacy Principles are relevant to how you:
- Collect email addresses (and what you tell people at the time)
- Store and secure your mailing list
- Use the list (including any “new purpose” you didn’t originally tell people about)
- Share data with third parties (like email sending platforms, CRMs, analytics tools)
- Respond to access or correction requests
Most businesses that collect customer data online should have a clear Privacy Policy that reflects what they actually do (not what a generic template says).
Marketing Claims And Consumer Law (Fair Trading Act 1986)
Your email campaign content also needs to comply with the Fair Trading Act 1986. That’s the law that broadly prohibits misleading or deceptive conduct in trade.
In email marketing, this can show up in places like:
- “Limited time only” claims that aren’t genuinely limited
- Before-and-after results or testimonials that aren’t representative or can’t be substantiated
- Pricing claims that aren’t clear (for example, excluding mandatory fees without saying so)
- Subject lines that create a false impression of what the email contains
Even if your intention is innocent, unclear or overly “hyped” marketing can create risk. A good rule of thumb is: if a customer relied on your email and later complained, could you justify what you said?
Do I Need Consent To Send Marketing Emails?
In most cases, yes - you need consent before you send marketing emails. Under the Unsolicited Electronic Messages Act, you generally must not send unsolicited commercial electronic messages.
Consent can be:
- Express consent (the person clearly opts in, for example by ticking a sign-up box)
- Inferred consent (consent is implied from the conduct and relationship - but you need to be careful here)
- Deemed consent (for example, where a person has conspicuously published their work email address and there’s a strong connection between the address and your message)
Express Consent: The Safest Option
Express consent is the gold standard for email marketing because it’s the easiest to prove if you ever receive a complaint.
Practical examples of express consent include:
- A sign-up form where the person actively opts in to “marketing emails”
- A checkout page where the customer ticks “Send me offers and updates”
- A lead magnet form where the person submits their email to receive ongoing updates (but make sure you clearly say this)
Tip: Avoid pre-ticked opt-in boxes. Even if they can sometimes be legally arguable, they’re a common source of customer frustration (and complaints).
Inferred Consent: Be Careful With “They’re Already A Customer”
A common small business assumption is: “They bought from us once, so we can email them forever.” That’s not always a safe approach.
Inferred consent depends on context and expectations. A customer may reasonably expect order confirmations and receipts, but not necessarily ongoing promotional campaigns - especially if you didn’t flag it at the time you collected their email.
If you want to rely on inferred consent, it’s smart to ask:
- What relationship do we actually have with this person?
- Did they give their email in a context where marketing would be expected?
- Is the content relevant to the product or service they engaged with?
- How long ago was that interaction?
Purchased Lists And “Scraped” Emails: High Risk
Buying a mailing list (or using scraped email addresses from the internet) can create serious legal and reputational risk.
Even if a seller promises their list is “compliant,” you’re the one sending the emails - and you’re the one who may have to deal with complaints or investigations.
From a practical business perspective, purchased lists also tend to perform poorly. High bounce rates and spam complaints can damage your ability to deliver emails in the future (even to genuine subscribers).
What Must Every Marketing Email Include?
Under New Zealand’s spam rules, your marketing emails generally need to include a few must-haves. These aren’t just “best practice” - they’re core compliance basics.
1) Clear Identification
Your recipients should be able to clearly identify who sent the email. That means your email should not be deceptive about the sender and should make your business identity clear.
In practice, include:
- Your trading name or legal entity name
- Branding consistent with your business
- A sender and reply-to email address that is accurate and works (not a dead inbox)
2) Accurate Contact Details
You should include contact information so the recipient can reach you. A physical address is a common approach, but depending on your business setup, this could also include other contact details that make it easy to identify and contact you (like a phone number and business email).
If you run an online store or service business, it’s also worth making sure your site has clear legal pages like Website Terms and Conditions that align with what your emails promise (for example, delivery timeframes, refund processes, subscriptions, and promotions).
3) A Functional Unsubscribe Option
This is non-negotiable: marketing emails need a clear unsubscribe option that actually works.
Best practice is:
- Include an unsubscribe link in the footer of every marketing email
- Make it easy to unsubscribe (don’t hide it or require unnecessary steps)
- Honour unsubscribe requests within 5 working days, and make sure the unsubscribe option remains functional for at least 28 days after the message is sent
If someone unsubscribes and you keep emailing them, that’s when complaints escalate quickly - and it can be hard to defend.
What About Transactional Emails?
Not every email you send is “email marketing.” Many businesses send transactional emails like:
- Order confirmations
- Invoices and receipts
- Password resets
- Appointment reminders
These are usually acceptable because they’re directly related to a transaction the customer requested. However, be cautious about adding heavy promotional content to a transactional email. If the email becomes primarily promotional, it may be treated as a commercial electronic message (and should meet the consent/unsubscribe requirements).
How Does The Privacy Act Affect Email Marketing?
Email marketing isn’t just about what you send - it’s also about the data behind it.
Under the Privacy Act 2020, you should be thinking about email marketing through the full “data lifecycle”:
- How you collect email addresses
- What you tell people at the time of collection
- How you store and secure the data
- How you use it (and whether that use matches what you told people)
- Whether you share it with anyone else
- How long you keep it for
Collection Notices: Tell People What You’re Doing
When you collect email addresses (especially through your website), you should be upfront about:
- Who is collecting the information
- Why you’re collecting it (e.g. to send updates and promotions)
- Who it might be shared with (e.g. your email distribution platform)
- How people can access or correct their information
A solid privacy setup usually includes a properly drafted Privacy Policy plus clear wording right where the email is collected (for example, next to the sign-up form).
Using Third-Party Email Tools (And Overseas Providers)
Most small businesses use third-party tools to store mailing lists and send campaigns. That’s normal - but it means customer data may be handled by another provider, and sometimes stored offshore.
Practically, you should understand:
- What data the provider collects on your behalf
- Where it is hosted
- What security protections are in place
- Who has access within your own business (staff, contractors)
If your business has multiple team members accessing customer data, having internal guidelines like an Acceptable Use Policy can help reduce “human error” risks (which is one of the most common causes of privacy incidents).
Data Breaches: Have A Plan Before Something Goes Wrong
Mailing lists are valuable - and that makes them a target. Even if you’re not a huge company, you can still experience issues like:
- Compromised login credentials
- Accidental sharing of a list
- Misconfigured audience settings resulting in unintended sends
If there’s a privacy breach involving customer email addresses, you may have obligations to assess it and in some cases notify affected people and/or the Privacy Commissioner. Having a Data Breach Response Plan in place can make a stressful situation far more manageable.
What Are The Biggest Legal Mistakes Small Businesses Make With Email Marketing?
Most email marketing problems aren’t caused by bad intentions - they come from rushed processes, unclear consent, or DIY systems that don’t scale as your list grows.
Here are a few of the most common traps we see small businesses fall into.
Sending Marketing Emails Without Clear Opt-In
If someone didn’t clearly sign up (or you can’t prove they did), you’re exposed if they complain. Even if the email content is harmless, the issue is usually about permission, not the promotion itself.
Not Keeping Records Of Consent
It’s not enough to “be pretty sure” someone opted in. A strong email marketing system keeps basic records such as:
- When the person subscribed
- How they subscribed (website form, checkout, event sign-up, etc.)
- What they were told at the time (e.g. “news and promotions”)
This is especially helpful if you ever need to investigate an unsubscribe complaint or a “why am I receiving this?” query.
Making Over-The-Top Claims
Email marketing can be punchy without being risky. If you’re advertising discounts, results, availability, turnaround times, or “guarantees,” make sure you can support those claims.
This is where your marketing team and legal foundations should work together. For example, if you’re advertising a particular refund outcome or warranty promise, your consumer-facing terms should match what your emails say.
Forgetting That Contractors And Staff Can Create Compliance Risk
As you grow, you might outsource email marketing to a freelancer or agency, or delegate it internally. That’s great - but it’s still your business on the line if they upload a questionable list or send a campaign without proper unsubscribe functionality.
If someone external is managing your campaigns or accessing customer data, consider documenting responsibilities clearly in a proper service arrangement, and ensure your privacy settings and permissions are locked down appropriately.
Key Takeaways
- Email marketing in New Zealand is mainly regulated by the Unsolicited Electronic Messages Act 2007 (spam rules), the Privacy Act 2020 (data handling rules), and the Fair Trading Act 1986 (misleading advertising rules).
- In most situations, you should only send email marketing where you have valid consent (express consent is the safest and easiest to prove).
- Every marketing email should clearly identify your business, include accurate contact details, and provide a functional unsubscribe option that is easy to use.
- Your mailing list is personal information, so you should collect it transparently, store it securely, and only use it in ways you’ve told people about.
- Purchased or scraped email lists are high risk and often lead to complaints, deliverability issues, and compliance headaches.
- Having the right legal foundations in place (like a Privacy Policy, website terms, and internal processes) helps you grow your email marketing with confidence.
Note: This article is general information only and doesn’t take into account your specific situation. If you need advice about your email marketing compliance, it’s best to get legal advice tailored to your business.