Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in New Zealand, chances are you’re collecting personal information in some form - customer names, delivery addresses, email lists, staff records, or even IP addresses through your website analytics.
That’s where having a privacy policy becomes more than just a box-ticking exercise. It’s one of the simplest ways to show customers you take their data seriously, and it helps you meet your obligations under the Privacy Act 2020.
In this guide, we’ll walk you through what a privacy policy should include, when you need one, and the practical steps you can take to stay compliant as your business grows.
Do I Need A Privacy Policy For My Business?
In plain terms: if your business collects, uses, stores, or shares personal information, you should have a privacy policy.
“Personal information” is information about an identifiable individual. For businesses, this commonly includes:
- Customer names, phone numbers and email addresses
- Billing details and delivery addresses
- Order history and account information
- Support enquiries (including message content)
- Employee or contractor records
- IP addresses and online identifiers (depending on context)
Even if you’re a very small operation - like a sole trader taking bookings, a service business collecting enquiries through a website form, or an ecommerce store sending order confirmations - you’re likely handling personal information.
A privacy policy helps you:
- Explain what information you collect and why (so people aren’t left guessing)
- Reduce complaints and misunderstandings about marketing, mailing lists, and third-party tools
- Show you’re taking “reasonable steps” to handle information responsibly
- Build trust (which can be a real competitive advantage)
If you have a website, online store, or app, you’ll almost always want a Privacy Policy available via a clear link (usually in your footer), and referenced anywhere you collect personal information (like checkout, contact forms, or account sign-up pages).
What Should A New Zealand Privacy Policy Include?
There isn’t a single “mandatory template” under New Zealand law, but your privacy policy should reflect what you actually do with personal information and support your compliance with the Information Privacy Principles in the Privacy Act 2020.
For most NZ businesses, a practical privacy policy will usually cover the points below.
1. What Personal Information You Collect
Be specific and business-focused. For example, instead of saying “we collect information”, break it down into categories such as:
- Identity and contact details (name, email, phone number)
- Transaction and payment-related details (order records, invoices)
- Technical information (IP address, device type, browser data)
- Communications (messages to customer support, feedback submissions)
If you collect “sensitive” personal information (for example, health details), your approach needs extra care - and you should get tailored advice because the compliance risk increases.
2. How You Collect Personal Information
Explain where the information comes from. Common examples include:
- Directly from the customer (checkout, enquiry forms, email)
- Automatically through your website (cookies and analytics)
- From third parties (couriers, payment platforms, booking platforms)
If you use cookies or tracking technologies, your privacy policy should align with your Cookie Policy so customers get a consistent explanation of what’s happening behind the scenes.
3. Why You Collect It (And How You Use It)
This is where you connect the “what” to the “why”. For example:
- To process and deliver orders
- To respond to enquiries and provide customer support
- To manage bookings or appointments
- To send service updates (like order or delivery notifications)
- To improve your website and services
- To send marketing (where permitted)
A good rule: don’t list purposes that don’t apply to you. If you say you use information for marketing, you need to make sure your real-world practices match that statement (including opt-outs, where required).
4. Who You Share Personal Information With
Many businesses share personal information as part of normal operations, for example with:
- Payment processors
- Couriers and fulfilment providers
- IT service providers (hosting, email tools, CRM systems)
- Accountants, insurers, and professional advisers
- Government agencies (where required by law)
It’s usually not necessary (or practical) to name every provider, but you should describe the types of third parties you share data with and why.
If you disclose personal information to service providers (especially overseas providers), it can also be worth putting the relationship on a clearer legal footing with a Data Processing Agreement, particularly if you’re handling larger volumes of customer data or sensitive information.
5. Overseas Disclosure
If you use overseas platforms (for example, cloud hosting, marketing tools, or customer management systems), personal information may be stored or accessed offshore.
The Privacy Act 2020 includes rules around disclosing personal information overseas (including additional requirements in some cases). In simple terms, you should understand:
- Whether personal information is going offshore
- Why that disclosure is happening
- What safeguards exist (for example, contractual protections)
Your privacy policy should be upfront about overseas storage/disclosure where relevant.
6. How You Store Information And Keep It Secure
You don’t need to publish your full security playbook (and you probably shouldn’t), but you should give customers comfort that you take security seriously.
This might include statements like:
- Access controls (only authorised staff can access certain systems)
- Use of reputable cloud providers
- Encryption where appropriate
- Secure payment handling (without storing raw card data, if applicable)
Security is also where your internal documents matter - for example, having an Acceptable Use Policy can help set clear rules for your team around system access, passwords, and handling customer information.
7. How Long You Keep Information (And When You Delete It)
Under NZ privacy law, you generally shouldn’t keep personal information for longer than you need it.
Your privacy policy should explain (at least at a high level):
- That you retain information only for as long as required for business or legal purposes
- That you take steps to securely delete or de-identify information when it’s no longer needed
8. Access And Correction Requests
Individuals generally have rights to request access to, and correction of, their personal information.
Your privacy policy should tell people:
- How they can contact you to request access or correction
- What information you may need to verify their identity
- That there may be legal limits/exceptions in some cases
From a business owner’s perspective, the key is having a simple internal process to respond promptly and consistently - not scrambling each time a request comes in.
9. Marketing, Mailing Lists, And Opt-Outs
If you send promotional emails or newsletters, your privacy policy should explain:
- How people get added to your marketing list
- Whether they can opt in (and how)
- How they can unsubscribe or opt out
Keep in mind that marketing emails and texts are also regulated under New Zealand’s Unsolicited Electronic Messages Act 2007 (the “anti-spam” law). In practice, that usually means you need consent (or another permitted basis), accurate sender information, and a functional unsubscribe option.
This is also an area where your Website Terms and Conditions and customer communications should be consistent, particularly if you run promotions, accounts, subscriptions, or member-only areas.
10. How People Can Make A Privacy Complaint
Your privacy policy should tell people how to raise a complaint with you first (including your contact details), and that they can contact the Office of the Privacy Commissioner if they’re not satisfied.
This doesn’t invite trouble - it shows transparency, and it can actually reduce escalations because customers can see you have a process.
How Do I Write A Privacy Policy That Fits My Business (Not A Generic Template)?
It’s tempting to copy and paste a privacy policy from somewhere else, but that’s where many businesses accidentally create legal risk.
The main issue is simple: your privacy policy needs to match your real practices. If your policy says one thing and your business does another, you can end up with:
- Customer complaints (and loss of trust)
- Regulatory scrutiny if something goes wrong
- Contract issues with partners who rely on your statements
- Operational confusion internally (especially when you hire staff)
A practical way to approach a privacy policy is to map your data flow first. Ask yourself:
- What personal information do we collect (and where does it come from)?
- What do we use it for day-to-day?
- Which tools store or process it (email platforms, booking systems, accounting tools)?
- Do any suppliers or contractors access it?
- Do we send it overseas?
- How do customers request access/correction?
Once you’ve answered those questions, your privacy policy becomes much easier to draft - because you’re describing what you do, in plain English.
If you run an ecommerce store, your privacy policy should also line up with your customer-facing purchase documents (especially around accounts, fulfilment, and communications). For example, your Online Shop Terms and Conditions might refer to delivery notifications or account creation, which relies on personal information being collected and used in a predictable way.
How Do I Stay Compliant With The Privacy Act 2020?
A privacy policy is a great start, but it’s not the whole job. Staying compliant is really about building privacy into your business operations - especially as you scale, hire staff, or start using more software tools.
Here are practical steps that make a big difference.
1. Collect Only What You Need
If you don’t need a piece of personal information to provide your service, think carefully before collecting it. Less data can mean less risk (and less hassle if you ever deal with a breach).
2. Make Sure You Have A Clear “Authority” To Use The Information
You should be able to explain (to a customer, or regulator) why you’re collecting and using personal information.
For example, using an email address to send an order confirmation is expected. Using it for unrelated marketing without proper consent (and a working opt-out) is where complaints often start.
3. Keep Your Team On The Same Page
Privacy compliance isn’t just a legal document issue - it’s a people and process issue.
Even for small teams, it helps to have:
- Clear rules about who can access customer information
- Guidelines on what staff can download, store, or forward
- A process for responding to access/correction requests
Internal policies don’t need to be complicated, but they should be clear and followed consistently.
4. Have A Plan For Data Breaches
Data breaches can happen to any business - including small businesses - through phishing emails, lost devices, weak passwords, or supplier incidents.
Under the Privacy Act 2020, some privacy breaches may need to be reported if they create (or are likely to create) serious harm. Depending on the circumstances, this can include notifying affected people and the Office of the Privacy Commissioner.
That’s why it’s worth having a Data Breach Response Plan in place before anything happens. It can save you a lot of stress and help you act quickly when time matters.
5. Review Your Privacy Policy When Your Business Changes
Your privacy policy isn’t a “set and forget” document. Common triggers for an update include:
- Launching a new website, app, or customer portal
- Adding a new booking/CRM/email marketing tool
- Starting targeted advertising or new analytics tracking
- Expanding overseas or engaging overseas contractors
- Hiring staff and collecting more HR information
If you’re making changes, it’s usually better to update the policy first (or at least at the same time), rather than trying to patch it later.
Common Privacy Policy Mistakes Small Businesses Should Avoid
Most privacy issues we see aren’t caused by “bad actors” - they happen because business owners are busy and privacy ends up being treated as admin, instead of part of your legal foundations.
Here are some of the most common mistakes to watch out for.
Using A Template That Doesn’t Match Your Business
If your privacy policy says you “don’t share information with third parties” but you use couriers, online booking systems, cloud hosting, or payment processors, that’s a mismatch.
Even worse, some templates include clauses about collecting information you don’t collect (or complying with overseas laws that don’t apply to you), which can confuse customers and create unnecessary obligations.
Not Addressing Cookies Or Analytics
If your website uses analytics tools, tracking pixels, or advertising features, you should be transparent about it. This is where a well-drafted privacy policy (and a matching cookie approach) can reduce complaints and build trust early.
Forgetting About Overseas Storage
Many common business tools store data offshore. If that applies to you, your privacy policy should say so, and you should be comfortable that you’ve got appropriate safeguards in place.
Not Having A Clear Contact Point
Your privacy policy should clearly explain how customers can get in touch about privacy questions, complaints, or access requests. If that contact point isn’t monitored, you can miss important deadlines, and small issues can escalate unnecessarily.
Failing To Follow Your Own Policy
This one is simple but important: your privacy policy should reflect what you actually do, and your team should follow it.
If you’re not sure whether your privacy policy matches your operations, it’s a good time to get it reviewed - especially before you scale up marketing, move to new software, or start collecting more customer information.
Key Takeaways
- A privacy policy is essential for most New Zealand businesses because most businesses collect personal information through enquiries, bookings, sales, or staff records.
- Your privacy policy should clearly explain what information you collect, how you collect it, why you use it, who you share it with, and whether information is disclosed overseas.
- You should include practical compliance points like security measures, retention/deletion, access and correction requests, marketing consents and opt-outs (including under the Unsolicited Electronic Messages Act 2007), and how customers can raise privacy complaints.
- Privacy compliance isn’t just about having a document - it’s about building good systems, training your team, and being ready to respond if something goes wrong.
- Generic templates can create risk if they don’t match your real practices, especially around cookies, marketing, and third-party software providers.
- As your business grows, review and update your privacy policy so it stays accurate and compliant with the Privacy Act 2020.
If you’d like help drafting or reviewing a privacy policy for your business (or setting up privacy compliance documents that actually fit how you operate), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.