If your business collects customer data, runs marketing campaigns, or uses third-party platforms, you’ve probably wondered where the legal line is when it comes to “selling” personal information.
And you’re not alone. Data-driven business models are more common than ever, and regulators (and customers) are paying closer attention to how businesses collect, use and share information. This updated guide reflects current expectations under New Zealand’s privacy framework, so you can make practical decisions with confidence.
Below, we’ll break down what “selling personal information” can mean in practice, what the Privacy Act 2020 generally requires, the situations where selling/sharing is most risky, and the steps you can take to stay compliant from day one.
In everyday business talk, “selling personal information” can cover a few different activities - and the legal risk depends on what you’re actually doing.
Broadly, personal information is information about an identifiable individual. It doesn’t have to include a name. If someone can reasonably be identified from the information (alone or combined with other data), it’s likely personal information.
Common Examples That Can Amount To “Selling”
- Selling a customer list (names, emails, phone numbers, purchase history) to another business for marketing.
- Sharing customer data with a partner in exchange for commission, discounts, or “data swaps”.
- Providing access to your audience (for example, letting a third party target your customer database) as part of a commercial deal.
- Bundling data as an asset when selling your business, or transferring it during a restructure or acquisition.
What About “Sharing” Instead Of “Selling”?
From a privacy perspective, you can’t assume that “we didn’t sell it” means “we’re fine”. If you’re disclosing personal information to another party for their benefit - especially for marketing - it can trigger many of the same compliance obligations.
That’s why it’s worth treating any of these arrangements as a privacy project, not just a commercial one. Even if money doesn’t change hands, there may still be legal requirements around purpose, notice, consent, and security.
Businesses often ask: “What if we anonymise it?”
If data is truly de-identified so individuals are no longer reasonably identifiable, it may fall outside personal information. But this is a practical risk question, not just a label. If the data can be re-identified (for example, by combining it with other datasets), you may still be handling personal information.
Be especially careful with “pseudonymous” data (like customer IDs, device identifiers, or hashed emails). Depending on your systems and who holds the matching key, it may still be personal information.
There isn’t a simple “yes” or “no” answer. New Zealand doesn’t have a single rule that says “selling personal information is banned”. Instead, the Privacy Act 2020 regulates how you collect, use, and disclose personal information, and whether you’re doing so fairly, transparently and securely.
In practice, “selling” personal information is often high-risk because it usually involves:
- using information for a purpose the customer didn’t expect
- disclosing information to a third party who may use it for their own marketing
- transferring information offshore (common with ad tech and SaaS tools)
- creating security and breach risk
The Core Question: Is The Disclosure Allowed For That Purpose?
The Privacy Act is built around information privacy principles. In plain terms, before disclosing personal information to another business, you generally need to be comfortable that:
- you collected the information for a clear purpose that a reasonable person would expect
- your disclosure matches that purpose (or is directly related to it)
- you told people what would happen with their information
- you have a lawful basis for the disclosure (often consent, or a necessary service-provider arrangement)
- you’re keeping the information safe and only sharing what is necessary
This is why having a properly drafted Privacy Policy and clear collection wording matters. If your privacy disclosures are vague (or silent) about selling/sharing, you can quickly end up in complaint territory.
“But We Put It In Our Terms” Isn’t Always Enough
It’s common for businesses to add a line like “we may share your information with selected partners”. The problem is that privacy compliance isn’t just about having a clause - it’s about clarity and fairness.
If the average customer wouldn’t reasonably expect their details to be sold to third parties for marketing, you’ll usually need stronger transparency and (in many cases) a clear opt-in.
If you’re collecting anything that could be classified as sensitive personal information (for example, health-related information), the stakes are even higher, and you should get tailored advice before you share it with anyone.
There are certain scenarios where selling/sharing personal information is particularly risky. These are the situations where we usually recommend slowing down and getting legal advice before you proceed.
1) Selling Customer Lists For Direct Marketing
Selling a list of customer emails or phone numbers to a third party so they can market their products is one of the clearest “red flag” activities.
Why? Because the customer typically gave their details to you to receive your services - not to be contacted by unrelated businesses.
If you want to monetise your database, consider lower-risk alternatives, like:
- running a co-branded promotion where you send the marketing (without handing over the list)
- asking customers to opt in to partner offers with clear explanations
- sharing aggregated insights rather than identifiable data
2) Using Data Brokers Or “Data Enrichment” Services
If you buy data from a third party to “enrich” your customer profiles (for example, adding demographic info, income bands, or household data), you should be careful about where that data came from and whether customers were properly informed.
This is also where businesses can run into reputational issues fast - even if the arrangement is technically lawful, it may not feel fair to customers.
If you’re considering any form of Trading In Personal Information, it’s worth pressure-testing the plan against customer expectations and your privacy notices before you sign anything.
3) Disclosing Personal Information Offshore
Modern businesses often rely on offshore providers for email marketing, analytics, CRM, advertising, and customer support.
Even if you’re not “selling” personal information, you may still be disclosing it overseas, which can trigger additional obligations. The key is making sure you’re using providers with appropriate safeguards and that your customers are told what’s happening.
In these setups, it’s common to use a Data Processing Agreement (or similar contract terms) to ensure your provider has security obligations, limits how they use the data, and assists with breach response.
4) Sharing Data Without A Clear Collection Notice
A lot of privacy problems start at the moment of collection, not disclosure.
If your sign-up form, checkout page, or app onboarding doesn’t clearly explain what you’re collecting and why, it’s hard to argue later that customers knew their information might be shared or monetised.
For many businesses, a clear Privacy Collection Notice at the point of collection is one of the simplest ways to reduce risk (especially where you collect information through multiple channels).
5) “Selling” As Part Of A Business Sale Or Restructure
If you sell your business (or even just a customer database), personal information can be part of the assets being transferred.
This isn’t automatically unlawful, but you should treat it carefully. A buyer may want to use the data in new ways, and customers may not expect that. As part of due diligence, the buyer will also want to know whether the data was collected properly and whether it can be lawfully used post-sale.
If a business sale is on the horizon, it’s smart to review how your customer data is handled early - it can become a deal issue later if the data isn’t “clean”.
Practical Steps To Monetise Data (Without Breaking Privacy Rules)
If you’re building a data-driven revenue stream, the good news is there are often compliant ways to do it. The key is to design your data practices so they’re transparent, limited, and secure.
1) Be Clear About The Purpose From The Start
Ask yourself: Why are we collecting this information? Then write that purpose in plain English, not legal jargon.
For example:
- “We collect your email so we can send order updates and receipts.”
- “If you opt in, we’ll also send promotions from us and selected partners.”
If the real plan is to disclose the information to third parties, that should be disclosed clearly - and usually requires a stronger consent mechanism.
2) Use Consent Properly (And Don’t Bundle It)
Consent works best when it’s:
- informed (people understand what they’re agreeing to)
- specific (not vague “we may share” wording)
- freely given (not forced as a condition of buying something, unless genuinely necessary)
- easy to withdraw
If you’re relying on consent to sell or share personal information, your records and systems should be able to prove who consented, when, and to what.
3) Minimise What You Share
A simple rule that helps: only share what is needed for the purpose.
If you’re partnering with another business, consider whether you can:
- share a limited dataset (for example, suburb and broad age band rather than full contact details)
- share aggregated stats rather than individual-level data
- run the campaign yourself so the third party never receives the list
4) Put The Right Contracts In Place With Third Parties
If a third party will handle personal information on your behalf (for example, your CRM, marketing platform, fulfilment provider, or call centre), you’ll usually want written terms that cover:
- what personal information they can access
- what they can (and can’t) do with it
- security requirements
- subcontracting rules (including offshore processing)
- breach notification and cooperation
- return or deletion of data at the end of the engagement
This is also where you’ll want to ensure your internal documents and customer-facing wording line up. If your contracts allow broad sharing but your customer notices don’t, you can end up exposed.
5) Build A Process For Access, Correction, And Deletion Requests
People have rights to access and correct their personal information under the Privacy Act. Depending on your business and how your systems work, you may also need a practical way to delete information you no longer need.
Customers sometimes refer to this as the right to be forgotten. Even where deletion isn’t absolute (for example, you may need to keep records for legal or tax reasons), you should have a clear internal process for responding to requests and explaining what you can and can’t do.
If you sell or share personal information, you’re increasing the number of places that data exists - which increases breach risk.
That means you should have reasonable security steps in place, including:
- access controls (limit who can export lists or access customer data)
- multi-factor authentication for key systems
- secure transfer methods (avoid emailing spreadsheets where possible)
- retention rules (don’t keep personal information forever “just in case”)
- breach response planning
If you’re unsure what “reasonable” means for your size and industry, that’s a good time to get tailored advice from a privacy professional.
Key Takeaways
- Selling personal information isn’t automatically banned in New Zealand, but it is heavily regulated through the Privacy Act 2020 rules on collection, use, and disclosure.
- “Selling” can include many common business arrangements, like providing a partner with access to your customer database, swapping lists, or transferring data as part of a business sale.
- High-risk scenarios include selling customer lists for third-party marketing, using data brokers, disclosing information offshore without safeguards, and sharing data without clear collection notices.
- Strong privacy compliance usually starts at the point of collection - make sure people understand what you’re collecting, why, and who it may be disclosed to.
- If you use third-party providers to handle data, you should have the right contracts and security measures in place, and ensure your customer-facing wording matches your actual practices.
- If you’re monetising data as part of your business model, it’s worth getting legal advice early so you’re protected from day one (and don’t have to rebuild your systems later).
If you’d like help reviewing your data practices, drafting privacy documents, or assessing whether a data-sharing or customer list arrangement is allowed, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.