Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If email marketing is one of your main ways to win customers (or keep existing customers coming back), you’re not alone. It’s cost-effective, easy to automate, and can deliver strong ROI.
But before you hit “send”, it’s worth making sure you understand the email marketing laws in New Zealand your business needs to follow. The rules are practical once you understand them, and getting them right from day one can save you from complaints, penalties, and reputational damage.
This cheat-sheet breaks down the key legal requirements in plain English, with a step-by-step approach you can use to check whether your next campaign is compliant.
And if you want a deeper dive into the basics, you can also read about email marketing laws and how they apply in real-world business scenarios.
What Laws Apply To Email Marketing In New Zealand?
When people talk about “email marketing compliance”, they’re usually referring to three main legal areas:
1) Unsolicited Electronic Messages Act 2007 (New Zealand’s anti-spam law)
This is New Zealand’s core anti-spam legislation. It sets the rules for commercial electronic messages (including marketing emails, and often marketing texts) and focuses on three essentials:
- Consent (you generally need permission to send marketing emails)
- Identification (your emails must clearly identify who is sending them)
- Unsubscribe (you must include a functional unsubscribe option)
If you only remember one thing, remember this: compliance is not just about having an unsubscribe link. Consent matters.
2) Privacy Act 2020
Email marketing almost always involves collecting, storing, and using personal information (like an email address, name, purchase history, or engagement data). That means the Privacy Act 2020 will usually apply.
From a small business perspective, this usually translates to practical obligations like:
- Only collecting customer information in fair and lawful ways
- Being clear about what you’ll use it for
- Keeping it secure and limiting access
- Only sharing it with third parties appropriately (for example, email software providers)
If you collect emails through your website or online store, it’s generally a good idea to have a clear Privacy Policy that explains what you collect, why you collect it, and who you disclose it to (if anyone).
3) Fair Trading Act 1986 (Truthful Marketing Rules)
Email campaigns are still “advertising”. So even if your list is fully compliant from an unsolicited messages perspective, you also need to make sure your email content doesn’t mislead or deceive customers.
For example, common risk areas include:
- “Limited time offer” claims that aren’t genuine
- Discount comparisons that don’t reflect real previous pricing
- Misleading testimonials, results claims, or “before and after” statements
- Hidden conditions in promotions (like exclusions or minimum spend requirements)
In other words: the unsolicited messages rules are about how you contact people, and the Fair Trading Act is about what you say when you do.
Consent: The Biggest Rule In Email Marketing (And The One Businesses Get Wrong)
If you’re trying to meet New Zealand’s email marketing compliance requirements, consent is your starting point.
Under the Unsolicited Electronic Messages Act 2007, you must not send unsolicited commercial electronic messages unless the recipient has consented (or an exception applies).
What Counts As “Commercial”?
A message is usually “commercial” if it promotes or advertises goods, services, land, business opportunities, or an investment. That includes:
- Sales emails and promo codes
- Newsletter content that includes promotions
- “New product” announcements
- Emails encouraging someone to book a call, request a quote, or buy
Even if your email is partly informational, it may still be commercial if it includes a promotional element.
The Three Main Types Of Consent
Consent can be:
- Express consent: the person actively agrees (e.g. they tick a box saying they want marketing emails)
- Inferred consent: their conduct and relationship with you suggests consent (e.g. there’s an existing relationship where marketing is reasonably expected in the circumstances)
- Deemed consent: this is more limited and often relates to publishing an address in a way that suggests they want to receive certain messages (typically in a business context), and your message is relevant to their role
In practice, most small businesses should aim for express consent wherever possible. It’s the cleanest, easiest to evidence, and easiest to defend if someone complains.
Practical Tips For Getting Consent The Right Way
- Use unticked checkboxes (pre-ticked boxes can be risky, and at minimum they’re a bad look for trust)
- Be specific (e.g. “weekly product updates and offers” is clearer than “marketing”)
- Keep records of when and how the person opted in (date/time, source, wording shown)
- Don’t bundle consent into something unrelated (like forcing people to agree to marketing to get a receipt)
If you’re collecting emails online, it’s also smart to make sure your sign-up wording aligns with your website disclosures and customer terms (including your Website Terms And Conditions) so customers understand what they’re agreeing to when they engage with your business.
What Must Be In Your Marketing Emails? (Identification + Unsubscribe)
Even with consent, you still need to meet the content requirements under the Unsolicited Electronic Messages Act 2007.
1) Clearly Identify Your Business
Your email must contain accurate information about who authorised the sending of the message. This is about transparency and accountability.
In most cases, include:
- Your business or trading name
- A way to contact you (like an email address, phone number, or physical address)
- If relevant, your NZBN or registered company name (not strictly required in every email, but it can help clarity)
Tip: if you regularly email customers (especially with staff members sending messages), you may also want an Email Disclaimer to help manage confidentiality and liability risks in your business communications (particularly in professional services).
2) Include A Functional Unsubscribe Facility
Your marketing email must contain a way for recipients to unsubscribe that is:
- Clear and easy to use
- Functional (it actually works)
- Available for at least 30 days after the message is sent
Also, unsubscribe requests must be honoured within a reasonable timeframe. As a practical rule, your systems should action unsubscribes promptly (and in many cases immediately).
3) Don’t Hide The Unsubscribe Link
A classic mistake is burying the unsubscribe in tiny grey text or making it hard to find. Even if it’s technically present, it can trigger complaints and reputational damage.
From a business perspective, unsubscribes are normal. A clean unsubscribe process helps keep your list healthy and reduces spam reports (which can affect deliverability).
Privacy Compliance: How To Collect, Store, And Use Email Lists Safely
Marketing compliance isn’t only about spam. You also need to handle personal information responsibly.
For many businesses, your email list is one of your most valuable assets. That’s exactly why it needs to be protected.
Collecting Email Addresses Properly
Under the Privacy Act 2020, you should generally make sure your collection methods are fair and transparent. That includes being upfront if you’ll use an email address for marketing.
Common collection points include:
- Checkout pages (e.g. “receive updates and offers” tick box)
- Lead magnets (eBooks, discount codes, free consult bookings)
- Competitions and giveaways
- In-person sign-up sheets
Where businesses get into trouble is when they collect an email for one purpose (like sending a receipt), then quietly use it for another purpose (like ongoing marketing) without proper consent or notice.
Storing And Securing Your List
If your email list is stored in an email platform, CRM, spreadsheet, or shared drive, you should think about:
- Who has access internally (and whether access is still appropriate)
- Strong passwords and multi-factor authentication
- Whether you’re exporting and emailing spreadsheets internally (often a risk)
- How you deal with departing staff and contractors
It can feel like “admin”, but a data leak can quickly become a business crisis. Many businesses set up a simple Data Breach Response Plan so there’s a clear process if an email list is accidentally disclosed or hacked.
Sharing Your List With Third Parties (Agencies, Platforms, Contractors)
If you use third parties to help run campaigns (like marketing agencies, virtual assistants, or email platforms), you’re potentially disclosing personal information.
A good first step is to ensure you have the right contract terms in place with service providers, particularly if they process personal information on your behalf. Depending on your setup, a Data Processing Agreement may be appropriate to clearly allocate responsibilities around data security, permitted use, and breach notification.
Common High-Risk Scenarios (And How To Handle Them)
Most compliance issues show up in a few predictable situations. If you handle these well, you’ll cover a big portion of your legal risk.
Buying Or Renting An Email List
This is one of the fastest ways to trigger spam complaints.
Even if the seller claims the list is “opted in”, the consent may not be valid for your business specifically. Consent is not always transferable, and people may not recognise you when your email lands.
If you want to grow your list, it’s usually safer to do it through:
- Website sign-ups
- Content offers (lead magnets)
- Events and networking (with clear opt-in)
- Referral campaigns (with careful structuring)
Emailing People Who Gave You A Business Card
Someone handing you a business card isn’t automatically permission to add them to an ongoing marketing list.
A safer approach is to send a one-off follow-up that’s genuinely relevant (for example, responding to the conversation you had), and then invite them to opt in to your newsletter.
Marketing To Existing Customers
This is where a lot of small businesses rely on inferred consent (because there’s an existing relationship).
However, you still want to check:
- Was the customer told they would receive marketing?
- Is the marketing reasonably connected to what they purchased or enquired about?
- Has a lot of time passed since the transaction?
- Did they opt out previously?
When in doubt, an opt-in approach is usually the cleanest solution (and it builds trust).
Cold Outreach To Businesses (B2B Emailing)
Business-to-business outreach can still fall under the unsolicited messages rules if the message is “commercial”. It’s not automatically exempt just because it’s sent to a work email address.
Deemed consent may apply in limited situations (for example, where an address is conspicuously published and your message is relevant to their business role), but it’s not a blanket permission slip, and it’s often sensitive to context.
If your sales strategy includes outbound emails, it’s worth getting advice on how to structure them compliantly, especially if you’re emailing at scale.
Competitions, Giveaways, And Lead Magnets
These are great for list growth, but you need to be crystal clear about what people are signing up for.
In particular:
- Don’t hide marketing consent inside dense terms
- Make opt-in optional (unless marketing is genuinely the purpose of the offer)
- Make it clear if third parties will also market to entrants
This is also a good moment to check your privacy wording, because competitions and lead magnets often involve collecting extra data beyond an email address (like phone numbers, location, and preferences).
Email Marketing Compliance Checklist For Small Businesses
If you want a quick “scan test” before you launch your next campaign, here’s a practical checklist you can use.
1) List Health And Consent
- Do you know where each contact came from (and can you evidence consent if needed)?
- Is the consent express, inferred, or deemed, and does that match your actual relationship with them?
- Are you avoiding purchased, scraped, or “third-party” lists?
- Have you removed bounced emails and inactive addresses where appropriate?
2) Message Content
- Is the email clearly commercial (sales/promo), and if so, have you checked the unsolicited messages requirements?
- Are your pricing claims, discounts, and urgency claims truthful and not misleading?
- If you’re making “results” claims, can you substantiate them?
3) Sender Identification
- Does the email clearly state your business name (or trading name)?
- Does it include accurate contact information?
4) Unsubscribe Process
- Is there a clear unsubscribe link (or reply-to-unsubscribe option) that works?
- Is the unsubscribe functional for at least 30 days after sending?
- Are unsubscribe requests actioned promptly?
- Do you have an internal process to ensure unsubscribed people aren’t re-added later?
5) Privacy And Data Security
- Do you have a clear Privacy Policy that matches how you collect and use emails?
- Are your systems secure (access control, passwords, MFA, secure storage)?
- If you use service providers, have you documented how they can use the data?
- Do you have a response process if the list is leaked or hacked (for example, a Data Breach Response Plan)?
If you’re missing a few items, don’t panic. Most businesses can fix the main gaps quickly once you know what to look for.
Key Takeaways
- New Zealand email marketing compliance usually involves three key areas: the Unsolicited Electronic Messages Act 2007 (rules for unsolicited commercial messages), the Privacy Act 2020 (handling personal info), and the Fair Trading Act 1986 (truthful advertising).
- Consent is the foundation of compliant email marketing: aim for express consent wherever possible, and keep records of when and how people opted in.
- Every commercial marketing email should clearly identify your business and include a functional unsubscribe option that’s easy to use.
- Privacy compliance matters because email lists are personal information: make sure you collect emails transparently, store them securely, and control access.
- High-risk areas include bought lists, unclear competition sign-ups, and assuming that business cards or B2B addresses always equal consent.
- Getting your legal foundations right early helps protect your brand, improve deliverability, and reduce the risk of complaints or enforcement action.
If you’d like help tightening up your email marketing compliance, privacy documents, or customer terms, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


