Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you probably rely on customer data every day: names, emails, delivery addresses, purchase history, booking notes, and maybe even CCTV footage or recorded calls.
Handled well, customer data helps you improve your service and grow your revenue. Handled poorly, it can damage trust, trigger complaints, and expose you to legal risk (including investigations by the Office of the Privacy Commissioner).
The good news is that you don't need a huge compliance team to get this right. You just need a practical system that follows New Zealand's privacy laws and matches how your business actually operates.
Below, we'll walk you through the key rules and best practices for collecting, storing and using customer data legally in New Zealand, in plain English.
What Counts As Customer Data (And Why It Matters)?
In most small businesses, "customer data" is any information that identifies (or could reasonably identify) a customer.
Common examples include:
- Contact details: name, email, phone number, address
- Transactional data: purchase history, invoices, refunds, subscription status
- Account or booking information: login details, appointment notes, service preferences
- Online identifiers: IP addresses, cookie IDs, device identifiers (especially for websites and apps)
- Communications: customer support messages, complaints, call recordings
- Images/video/audio: CCTV footage, photos for testimonials, recordings from security systems
Some customer data can also be more sensitive (for example, health-related information or information about a person's finances). If you handle anything that feels "high stakes" for the customer if it got out, you should treat it with extra care.
From a legal perspective, customer data matters because New Zealand businesses generally need to comply with the Privacy Act 2020 when they collect, use, store and share personal information.
What Laws Apply To Customer Data In New Zealand?
For most businesses, the main legal framework is the Privacy Act 2020 (and the privacy principles under it). These principles guide:
- when you're allowed to collect customer data
- how you should tell customers what you're doing
- how you must keep data secure
- when you can use or disclose it to others (including overseas)
- what you do if there's a data breach
Depending on your business model, other laws can also come into play. For example:
- Unsolicited Electronic Messages Act 2007 (spam rules) if you send marketing emails/texts
- Fair Trading Act 1986 if you make claims about privacy/security that aren't accurate (for example, saying "we never share your details" when you do)
- Contract law if your customer terms promise specific privacy protections
- Employment/privacy obligations if your staff handle customer data and you monitor staff systems
Even when the law gives you flexibility, the big practical risk is customer trust. If customers feel surprised by what you're doing with their personal info, you're already on the back foot.
How Can You Collect Customer Data Legally?
Most customer data collection is legal in New Zealand, as long as you do it fairly, transparently, and for a proper purpose. The key is to collect what you need, and be clear about why.
1. Be Clear About Your Purpose (And Don't Over-Collect)
Before you add a new form field, sign-up checkbox, or "optional" survey question, ask yourself:
- What do we need this customer data for?
- Is the purpose connected to our service (or reasonably expected by the customer)?
- Could we provide the service without collecting this information?
- Are we collecting it "just in case"?
As a rule of thumb, collect the minimum amount of data you need to run your business properly. This reduces compliance risk and limits the damage if something goes wrong.
2. Tell Customers What You're Doing (Privacy Notices And Policies)
When you collect customer data, you should usually tell customers things like:
- what information you're collecting
- why you're collecting it
- who will receive it (for example, couriers, payment providers, booking platforms, IT providers)
- whether it may be stored or disclosed overseas (for example, where your cloud providers are based)
- what will happen if they don't provide it
- how they can access/correct their information
For many businesses, the most practical way to do this is through a Privacy Policy, supported by short "just in time" notices at key collection points (checkout pages, enquiry forms, booking forms, sign-up forms).
If you run an online business, you'll also want to think carefully about cookies, analytics tools, and tracking pixels, and how you explain them in a Cookie Policy.
3. Be Careful With Consent (Especially For Marketing)
A common misconception is that you always need consent to collect customer data. In reality, you can often collect it because it's necessary for (or directly connected to) providing your service (for example, you need a delivery address to ship an order), as long as you're transparent and collecting it fairly.
However, consent (or another clear legal basis) matters a lot when you're using customer data for things customers might not expect, especially marketing.
If you plan to send promotional messages, you need to comply with the Unsolicited Electronic Messages Act 2007. In practice, that usually means ensuring you have consent (which may be express or inferred in some situations), including a functional unsubscribe option, and clearly identifying who the message is from. This is where businesses can easily trip up, so it's worth checking your approach to email marketing laws as part of your customer data compliance.
4. Recording Calls Or Collecting CCTV? Treat It As Customer Data
Many small businesses capture customer data without thinking of it as "data collection", such as:
- recording customer phone calls for "training and quality"
- CCTV footage in stores, studios, offices, warehouses, or reception areas
If you record calls with customers, make sure you understand the rules and set expectations early (for example, by notifying customers at the start of the call). In New Zealand, call recording can also raise issues beyond privacy (including whether at least one party to the call has consented), so it's a common compliance gap and worth reviewing business call recording laws in New Zealand.
If you use CCTV or workplace monitoring tools, you should also consider privacy and reasonableness (including signage and internal policies). A helpful starting point is understanding whether cameras are legal in the workplace, because even if your intent is security, you still need to manage privacy risks carefully.
How Do You Store Customer Data Securely (And What "Secure" Actually Means)?
The Privacy Act expects businesses to take reasonable steps to protect customer data from loss, unauthorised access, disclosure, or misuse.
"Reasonable" depends on your business size, what information you hold, and the harm that could occur if it was exposed. But there are some practical basics that apply to almost everyone.
Security Measures Small Businesses Should Consider
Here are common security steps that are usually appropriate for small businesses handling customer data:
- Access controls: only staff who need the data to do their job should be able to access it
- Strong passwords + multi-factor authentication: especially for email accounts, CRMs, accounting tools and cloud storage
- Device security: screen locks, encryption, and remote wipe for laptops/phones used for work
- Secure storage: avoid saving customer data in personal inboxes or unprotected spreadsheets
- Staff training: phishing scams and "human error" are still major causes of breaches
- Retention limits: don't keep customer data longer than you need (it's a risk to keep it forever)
If you have staff accessing customer data (especially remotely), it's often helpful to set clear internal rules about devices, logins, acceptable use, and security expectations. Many businesses formalise this in an Acceptable Use Policy.
What If You Use Third-Party Tools (Cloud CRMs, Booking Systems, Email Platforms)?
Most small businesses use service providers to store or process customer data, such as:
- website hosts and eCommerce platforms
- mailing list providers
- booking and scheduling tools
- payment providers
- cloud storage and file sharing platforms
- IT support providers
This is normal (and often more secure than DIY systems), but it creates a legal and operational responsibility: your business will generally remain responsible for the customer data you hold and use, even if a supplier is processing it for you.
That means you should do some due diligence on providers (including where data is stored) and put the relationship on clear legal footing, including confidentiality, security expectations, limits on what the provider can do with the data, and breach notification responsibilities. Depending on the arrangement, a Data Processing Agreement can be a practical way to document who does what with the customer data and who is responsible if something goes wrong.
How Can You Use Customer Data Without Breaching Privacy Rules?
Once you've collected customer data, the next question is usually: "Can we use it for X?"
In general, you should use customer data in a way that:
- matches the purpose you originally collected it for, or
- is directly related to that purpose, and something the customer would reasonably expect
If you want to use customer data for a new purpose, it may be safer to update your privacy messaging and, in some situations, get consent (or otherwise ensure you meet a permitted exception under the Privacy Act).
Common "Safe" Uses Of Customer Data
These are examples of uses that are often fine (assuming you've clearly communicated them):
- fulfilling orders and providing services
- sending booking confirmations and service updates
- processing refunds and handling complaints
- fraud prevention and basic security monitoring
- internal reporting (ideally using aggregated data where possible)
Where Businesses Often Get It Wrong
Customer data compliance problems often come from everyday marketing and operations, such as:
- Marketing without proper permissions: adding people to a mailing list because they bought once, without a clear opt-in (or other compliant) pathway
- Sharing customer lists: giving customer contact details to a "partner" business for their marketing
- Over-sharing: revealing customer personal info in public replies to reviews or complaints
- Using CCTV/audio beyond the stated purpose: using recordings for reasons unrelated to security/training without appropriate justification
- Collecting data "for future use": capturing birth dates, ID documents, or extra details that aren't needed
A helpful rule: if a customer would be surprised or uncomfortable if they knew about it, pause and get advice before you roll it out.
What Happens If There's A Data Breach (And What You Should Have Ready)?
Even with good systems, data breaches can happen. It might be:
- a staff member clicking a phishing link
- a lost laptop or phone with customer data on it
- customer data being emailed to the wrong recipient
- a compromised password for your email or cloud storage
Under the Privacy Act 2020, some data breaches must be reported. Whether you need to notify anyone depends on whether the breach has caused (or is likely to cause) serious harm to affected individuals.
The practical issue for small businesses is speed: if you don't have a plan, you lose time, and the situation gets harder to control.
A Simple Data Breach Response Checklist
If something happens, your first steps are usually:
- Contain: stop the unauthorised access (disable accounts, change passwords, recall emails if possible)
- Assess: what customer data was involved, who got it, and what harm could occur
- Notify if required: affected individuals and the Privacy Commissioner, where the legal threshold is met
- Fix: patch the gap that caused the breach (technical and human processes)
- Document: keep records of what happened and what you did
Many businesses find it far easier to manage this when they already have a documented Data Breach Response Plan in place, so you're not building a process in the middle of a crisis.
It can feel daunting, but having a plan is one of the best "from day one" steps you can take to protect your business and your customers.
Key Takeaways
- Customer data includes more than just names and emails; it can also include online identifiers, recordings, and CCTV footage if it can identify a person.
- Most New Zealand businesses handling customer data need to comply with the Privacy Act 2020, including collecting data fairly, being transparent (including about overseas disclosures where relevant), and storing it securely.
- You should only collect customer data for a clear purpose, avoid over-collecting, and tell customers what you're doing (often through a well-drafted Privacy Policy and notices at collection points).
- If you use customer data for marketing, make sure your opt-in/opt-out processes comply with spam rules and customer expectations.
- Reasonable security steps (access controls, MFA, staff training, retention limits) are essential, and you should also manage risks when third parties process customer data for you.
- If a breach happens, you'll need a fast, practical response process and may need to notify affected individuals and the Privacy Commissioner depending on risk of serious harm.
If you'd like help setting up your customer data practices properly (including your Privacy Policy, internal policies, and customer-facing notices), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


