Mason is a legal consultant at Sprintlaw. Having founded his own media production company, Mason has experience in both the film and music industries. He is also currently working towards his law degree at Macquarie University.
If you run a business that uses technology (so, pretty much every business), you’ve probably relied on emails, shared drives, messaging tools, and cloud platforms to keep things moving.
But there’s a catch: without clear rules, it’s easy for staff, contractors, or even customers to use your systems in ways that create real risk - from privacy breaches to malware infections to brand damage.
That’s where an Acceptable Use Policy (AUP) comes in. This 2026 update reflects the reality that modern workplaces are more digital, more remote, and more reliant on third-party platforms than ever, which makes having clear “dos and don’ts” essential.
Below, we’ll break down what an acceptable use policy is, who needs one, what it should include, and how to make it enforceable in a practical, people-friendly way.
What Is An Acceptable Use Policy?
An Acceptable Use Policy (often called an “AUP”) is a written policy that sets out how people are allowed (and not allowed) to use your business’:
- IT systems (computers, servers, networks, Wi-Fi)
- software and apps (including cloud services)
- communication tools (email, Slack/Teams, SMS tools)
- devices (company devices and sometimes BYOD - “bring your own device”)
- online services (your website, customer portal, community platform)
In plain terms, it answers questions like:
- Can staff use work email for personal messages?
- Can someone install their own apps on a company laptop?
- Is it okay to store customer info in a personal Google Drive?
- What happens if someone downloads pirated software on a work device?
- Can a customer post abusive content in your online community?
For internal teams, an AUP is usually part of your wider workplace policies. For digital products (like an online platform or SaaS), an AUP may be included in your website or platform terms, setting clear rules for user behaviour.
Is An AUP The Same As A Privacy Policy Or Terms Of Use?
Not quite - although they often work together.
- A Privacy Policy explains how you collect, use, store, and disclose personal information (and how people can access or correct it) under the Privacy Act 2020.
- Website or platform Terms Of Use set the legal rules for using your site or service (including liability limits, payment terms, dispute processes, and so on).
- An acceptable use policy focuses specifically on what conduct is allowed when using systems or services - and what you can do if someone misuses them.
In practice, many businesses embed acceptable use rules inside their terms, or include them as a separate policy that the terms incorporate by reference.
Why Do Businesses Need An Acceptable Use Policy?
If you don’t set boundaries, you’ll often only discover the “rules” when something goes wrong - like a data breach, customer complaint, or employee dispute.
Having an AUP helps you get on the front foot, because it:
- reduces cyber and data risk by guiding safe behaviour (passwords, phishing, authorised apps, etc.)
- protects confidential information and trade secrets (especially when staff work remotely)
- supports Privacy Act compliance by encouraging secure handling of personal information
- protects your brand by setting standards for communications and online conduct
- sets expectations early, which makes enforcement much easier and fairer
Most importantly, an AUP can help you show you took reasonable steps to manage risk. That matters if you ever need to investigate an incident, respond to a complaint, or justify disciplinary action.
Common Risks An AUP Can Prevent
It’s easy to underestimate how quickly everyday tech use can create legal headaches. Here are some common examples:
- Privacy breaches: a team member exports a customer list to a personal device or sends it to the wrong person.
- Malware/ransomware: someone downloads an “invoice” attachment from a phishing email on a shared computer.
- IP infringement: staff use unlicensed images, fonts, or software through work systems, exposing you to claims.
- Harassment or bullying: inappropriate messaging happens through company tools, triggering employment issues.
- Reputational damage: someone posts offensive content through an account associated with your business.
Even if a person didn’t intend harm, the consequences can still land on the business.
Who Should Have An Acceptable Use Policy?
Most businesses benefit from an AUP, but it’s especially important if you:
- have employees or contractors using your systems
- let staff work remotely or use personal devices for work
- store customer data (even basic contact details)
- operate an online platform, forum, marketplace, or membership site
- provide Wi-Fi access to customers or visitors
- handle sensitive information (health, financial data, ID documents, background checks)
You don’t need to be a tech company to need an AUP. A tradie business with a shared iPad, a café with customer Wi-Fi, or a consultancy storing client files in the cloud can all run into the same problems.
Internal AUP vs Customer/User AUP
There are two common “types” of acceptable use policy, and they’re often confused:
- Internal AUP: for your team (employees and contractors) who access business systems and data.
- External AUP: for customers/users who access your online service, app, website, or network.
Internal AUPs are typically supported by your employment documents and workplace policies. External AUPs are often structured as part of your online terms and are essential if you need the ability to suspend accounts or remove content.
If you’re hiring staff, it also helps to align your AUP with the expectations in your Employment Contract (for example, confidentiality, compliance with policies, and return of company property).
What Should An Acceptable Use Policy Include?
A good AUP is clear, practical, and specific to your actual tools and risks. If it’s too vague, it won’t change behaviour - and if it’s too strict or unrealistic, people will ignore it.
While every AUP should be tailored, here are the core clauses and topics we usually recommend considering.
1. Scope: Who And What The Policy Covers
Start by defining:
- who the policy applies to (employees, contractors, interns, volunteers, users)
- what systems it covers (devices, network, cloud apps, email accounts, social media accounts)
- when it applies (work hours only, or any time a company device/account is used)
If your team uses personal devices for work, it’s worth addressing BYOD specifically (including what happens if a device is lost or someone leaves).
2. Security Standards (Passwords, MFA, Updates)
This is often the most valuable part of the policy, because it turns “cybersecurity” into everyday habits.
Your AUP might include rules like:
- use strong passwords and never share them
- enable multi-factor authentication (MFA) where available
- lock devices when unattended
- don’t use public Wi-Fi without approved protections
- install updates promptly (or don’t disable automatic updates)
You don’t need to sound overly technical - what matters is that expectations are written down and easy to follow.
3. Data Handling Rules (Especially Personal Information)
If you collect or store personal information, you’ll want rules that support your privacy obligations under the Privacy Act 2020.
For example, your AUP may cover:
- where files can be stored (approved cloud drives only)
- whether personal email accounts can be used for work purposes (usually: don’t)
- how to share data securely with clients and suppliers
- rules for downloading, exporting, or printing customer data
- how to report suspected privacy incidents quickly
If your business handles particularly sensitive info, you might also add a more detailed incident process as part of a broader privacy framework, such as a Data Breach Response Plan.
4. Prohibited Use (The “Don’ts”)
This is the part people think of first: what is not allowed.
Common prohibited activities include:
- accessing illegal, offensive, or discriminatory material using company systems
- harassing, bullying, or threatening behaviour through work communication tools
- downloading unauthorised or pirated software
- attempting to bypass security controls
- sharing confidential information without authorisation
- using company systems to run another business or side hustle (where not permitted)
The key is to keep it specific. If you ban “inappropriate use” without examples, you’ll end up arguing later about what “inappropriate” means.
5. Email, Messaging, And Social Media Conduct
Even if your AUP focuses on security, it should also address communication tools, because they’re often where issues arise.
You may want to cover:
- professional tone and respectful communication
- when staff can use company accounts for personal matters (if at all)
- restrictions on sending confidential information externally
- rules about representing the business on social media
This works best when your AUP fits neatly alongside broader workplace policies about conduct and confidentiality.
6. Monitoring And Privacy Expectations
This is a sensitive area, and it’s worth getting right.
In many workplaces, employers can monitor systems for legitimate purposes (like security, performance, or investigating misconduct). But you still need to handle monitoring carefully and transparently, especially given privacy expectations.
Your AUP can set expectations by explaining:
- what monitoring may occur (logs, device management tools, email scanning for malware, etc.)
- why you monitor (security, compliance, protecting business assets)
- how information may be accessed during an investigation
If you’re thinking about more direct surveillance (like CCTV), it’s important to also consider workplace privacy and justification, as covered in “Are Cameras Legal In The Workplace?”.
7. Consequences Of Breach (And What “Enforcement” Looks Like)
An AUP should clearly explain what may happen if someone breaches it.
For staff, that could include:
- investigation
- removal of system access
- disciplinary action (which could include termination in serious cases)
For customers/users, that could include:
- content removal
- account suspension or termination
- reporting illegal conduct to relevant authorities
It’s also wise to say that you may take action where required to protect others or comply with law - while still following fair process.
What Laws Does An Acceptable Use Policy Relate To In New Zealand?
An AUP isn’t a standalone “legal requirement” in most cases, but it supports compliance with several New Zealand legal obligations that affect everyday business operations.
Privacy Act 2020
If your team handles personal information (customer details, employee records, mailing lists, ID documents), your business has obligations around:
- collecting personal information fairly and for a legitimate purpose
- keeping personal information secure (reasonable safeguards)
- ensuring people can access and correct their information
- responding appropriately to privacy breaches
An AUP helps by setting practical rules that reduce the likelihood of accidental misuse or unauthorised disclosure.
Employment Law And Workplace Process
If an employee misuses your systems, you generally still need to manage the situation fairly, follow your internal process, and comply with New Zealand employment law principles (including good faith obligations).
This is where having clear written policies matters. If you’ve clearly communicated expectations, you’re in a much stronger position to respond consistently and reasonably.
For example, if you want to rely on policy breaches in a disciplinary process, it helps if the policy is referenced in your employment documentation and forms part of your workplace rules.
Harmful Digital Communications And Harassment Issues
If your business tools are used to harass or bully others (internally or externally), that can become a serious workplace issue quickly - and sometimes it can also intersect with broader legal responsibilities around safety and conduct.
An AUP won’t solve everything, but it can set the baseline rules and reporting expectations so issues are dealt with early.
Copyright And IP Compliance
Misuse of software, images, music, or written content can expose your business to IP claims. An AUP can reduce risk by banning unlicensed downloads and requiring staff to use approved content sources.
If you also rely on contractors, it’s worth being clear about who owns what IP and what tools can be used - which often comes up in an Independent Contractor relationship too.
How Do You Implement An Acceptable Use Policy (So People Actually Follow It)?
A policy only works if it’s actually used. The best acceptable use policies are simple, realistic, and built into your onboarding and everyday operations.
Step 1: Map Your Systems And Your Risks
Before writing anything, take stock of what you’re trying to protect. For example:
- What devices does your business use (laptops, phones, shared tablets)?
- Where do files live (Google Workspace, Microsoft 365, Dropbox, CRM)?
- Who has access to customer data?
- Do contractors access internal tools?
- Do you have a customer-facing platform where users can post content?
Your AUP should reflect real workflows. If you ban something people rely on to do their job, you’ll end up with non-compliance by default.
Step 2: Make It Part Of Onboarding And Training
It’s not enough to email a PDF once and hope for the best.
Common practical steps include:
- including the AUP in onboarding packs
- getting written acknowledgement (especially for employees and long-term contractors)
- running a short walkthrough of key “high-risk” rules (passwords, data storage, phishing)
- refreshing training periodically (or after an incident)
If you have a wider set of workplace policies, your AUP can sit alongside them as part of a staff handbook or policy suite.
Step 3: Align It With Your Other Legal Documents
Your acceptable use policy shouldn’t contradict your other legal documents - it should support them.
For example:
- Your employment agreements should allow you to introduce and update workplace policies, and require staff to follow them.
- Your privacy documents should reflect how data is handled in practice.
- Your online terms should give you the right to suspend or terminate users who breach acceptable use rules.
Where your business deals with external users, you may also need to align acceptable use rules with your broader contract framework, like your website terms or platform agreement.
Step 4: Be Clear About Reporting (And Keep It “No Blame”)
A lot of incidents get worse because people are scared to report them.
Your AUP should encourage early reporting, like:
- “If you think you clicked a suspicious link, report it immediately.”
- “If you accidentally emailed data to the wrong person, tell your manager right away.”
That doesn’t mean there are no consequences for reckless behaviour - it just means you’re creating a culture where issues are raised early, when they’re easier to contain.
Step 5: Keep The Policy Updated (Without Constant Overhauls)
You don’t want to rewrite your AUP every month, but you should revisit it when you:
- adopt new systems (new CRM, new chat tool, new file storage platform)
- move to remote/hybrid work
- start collecting new categories of personal information
- launch a user-generated content feature or online community
Small updates can make a big difference - for example, adding a rule about approved storage locations or AI tools if your team starts using them in daily work.
Key Takeaways
- An acceptable use policy sets clear rules for how employees, contractors, or users can use your systems, devices, and online services, helping prevent misuse and reduce risk.
- AUPs are particularly important if you handle personal information, allow remote work or BYOD, provide customer Wi-Fi, or run an online platform with user accounts or content.
- A strong AUP typically covers scope, security expectations, data handling, prohibited activities, communications standards, monitoring expectations, and clear consequences for breaches.
- An AUP supports compliance with key legal obligations in New Zealand, including the Privacy Act 2020 and fair, well-documented workplace processes if misconduct occurs.
- Your policy should be practical and actually implemented - make it part of onboarding, align it with your contracts and privacy documents, and keep it updated as your tools and risks change.
If you’d like help drafting or reviewing an acceptable use policy (or aligning it with your privacy and employment documents), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.