Minna is the Head of People and Culture at Sprintlaw. After receiving a law degree from Macquarie University and working at a top tier law firm, Minna now manages the people operations across Sprintlaw.
If you’re running a business in New Zealand, it’s easy to treat a Privacy Policy as something you’ll “sort out later” (usually right after your website goes live, your first customer signs up, or you start running ads).
But privacy is one of those legal foundations that’s much easier to get right from day one than to fix after something goes wrong.
This 2026 update reflects what we’re seeing across modern NZ businesses: more online sign-ups, more digital marketing tools, more payment platforms, and more customer expectations about how their information is handled.
So, when do you actually need a Privacy Policy, and what should it cover? Let’s break it down in plain English.
What Is A Privacy Policy (And Why Does It Matter)?
A Privacy Policy is a document that explains:
- what personal information you collect (and why you collect it)
- how you store and protect that information
- who you share it with (if anyone)
- how people can access or correct their information
- how people can make a privacy complaint
In New Zealand, privacy obligations are mainly governed by the Privacy Act 2020. That law applies widely, including to small businesses, startups, online stores, service providers, and community organisations.
Even if you’re not “required” to have a Privacy Policy in every scenario, having one is often the most practical way to:
- show customers you take data seriously
- set clear expectations (especially online)
- reduce the risk of disputes if something goes wrong
- meet platform or partner requirements (e.g. payment providers, ad platforms, app stores)
It’s also part of building trust. If you want people to buy, subscribe, enquire, or book online, they need to feel comfortable giving you their information.
When Do You Need A Privacy Policy In New Zealand?
As a practical rule, you should have a Privacy Policy if you collect any personal information from customers, website visitors, clients, subscribers, staff, or contractors.
And “personal information” is broader than many people realise. It includes any information about an identifiable individual, such as:
- name, email address, phone number
- delivery address or billing address
- IP address or device identifiers (often collected via cookies and analytics tools)
- purchase history
- booking details
- photos or video recordings of customers (where they are identifiable)
- health-related information (this is generally considered sensitive)
Here are some common “yes, you need one” situations.
If You Have A Website With A Contact Form
If your website collects enquiries through a form (even just name + email), you’re collecting personal information. You should have a Privacy Policy linked in your website footer, and ideally near the form (or at least referenced on the form page).
This is especially important if you’re capturing information for follow-up marketing or sales pipelines.
If You Run An Online Store Or Take Online Payments
If you’re selling products or services online, you’re likely collecting:
- customer contact details
- shipping details
- order history
- payment-related information (even if processed via third parties)
Customers expect transparency about what happens to their information, and payment providers often expect you to have a Privacy Policy in place as part of a professional checkout experience.
If you’re setting up your online legals, it’s common to bundle privacy with your website terms, like Website Terms And Conditions, so your key customer-facing documents work together.
If You Use Email Marketing Or Customer Lists
If you’re collecting email addresses for newsletters, promotions, or product updates, you should be upfront about:
- how you collect addresses (sign-up form, checkout tick-box, referral, etc.)
- what you’ll send
- how people can opt out
- what marketing tools you use (and whether data is stored offshore)
Even when the law doesn’t prescribe a “one size fits all” format, a Privacy Policy is the clearest place to spell this out.
If You Use Cookies, Analytics Or Ad Tracking
If you use tools like Google Analytics, Meta Pixel, TikTok Pixel, or similar tracking tools, you are likely collecting information about website visitors (even if you don’t know their name).
This doesn’t always feel like “personal information” to a business owner, but it can still be personal information under privacy law when it relates to an identifiable person (including in combination with other data).
For many businesses, this is where privacy compliance becomes real-world and ongoing, not just a “document you upload once”.
If You Collect Sensitive Information
Sensitive information can include health information, biometric information, or information that could cause real harm if misused.
If you’re in health, wellness, coaching, allied services, or anything involving client notes, you’ll want privacy documents that are properly tailored, such as a Privacy Policy designed for health service providers.
This is also where good privacy practices overlap with good business practice: collecting only what you need, keeping it secure, and limiting internal access.
Privacy Policy Vs Terms And Conditions: Do You Need Both?
This is a common question, especially for online businesses.
Your Privacy Policy is about information handling (how you collect, use, store, and disclose personal information).
Your Terms and Conditions (or Terms of Use) are about the rules of using your site or buying from you, such as:
- payment terms
- delivery and shipping
- refunds and returns
- limitation of liability
- intellectual property ownership
- acceptable use rules
They’re different documents, but in many businesses they work as a set. For example, your website footer might include both your Privacy Policy and your website terms.
And if you’re collecting personal information as part of providing services (like bookings, subscriptions, or account creation), your Privacy Policy should match what your customer-facing terms say you’ll do.
What Should A Good Privacy Policy Include?
A Privacy Policy shouldn’t be a copy-and-paste template that doesn’t match your actual practices.
At a minimum, a solid Privacy Policy for an NZ business should cover the following.
1. What Information You Collect
Be specific. For example, instead of saying “we collect personal information”, list typical categories:
- identity and contact details
- transaction and payment details
- website usage data (cookies and analytics)
- communications (emails, chats, call recordings if applicable)
If you collect information through third parties (e.g. social media lead forms), that should be reflected too.
2. How You Collect It
Common collection methods include:
- when customers place an order or book a service
- when someone fills in a form or signs up to a mailing list
- when someone contacts you via email or phone
- through cookies and tracking tools on your website
3. Why You Collect It (Your Purposes)
This is where you connect the dots for your customers. Examples include:
- to provide the service or deliver goods
- to respond to enquiries and support requests
- to manage accounts and subscriptions
- to improve your website, products, or services
- to send marketing communications (where permitted)
The point isn’t to list every theoretical use. It’s to be transparent about the real reasons you need the data.
4. Who You Share It With
Most businesses share data with service providers. That can include:
- payment processors
- delivery and logistics providers
- customer relationship management (CRM) tools
- booking systems
- email marketing platforms
- cloud storage providers
- professional advisers (like accountants or lawyers, where relevant)
If you disclose information overseas (for example, because your software provider stores information on overseas servers), you should say so.
5. How You Store And Protect Information
The Privacy Act expects you to take reasonable steps to keep personal information safe.
A Privacy Policy usually won’t list your entire security system (and shouldn’t), but it should communicate the types of safeguards you use, like:
- access controls (only staff who need it can access data)
- secure storage systems and reputable providers
- processes for handling suspected privacy incidents
For some businesses, it also makes sense to have internal documents that support your privacy compliance, such as an Information Security Policy and a clear plan for responding to incidents.
6. Access, Correction, And Complaints
In NZ, individuals generally have rights to:
- request access to their personal information
- request correction of personal information
Your Privacy Policy should explain how someone can contact you to make a request, and what they should include so you can verify their identity and respond efficiently.
It should also include a complaints process and point people to the Office of the Privacy Commissioner if they’re not satisfied with your response.
Common Privacy Policy Mistakes (And How To Avoid Them)
Privacy compliance doesn’t need to be scary, but there are a few common pitfalls we see when businesses DIY it.
Using A Generic Template That Doesn’t Match Your Business
If your Privacy Policy says you “don’t share information with third parties” but you use third-party payment providers, email marketing software, or booking tools, you’ve created a mismatch.
That mismatch can cause issues if you ever face a complaint, a platform review, or a customer dispute.
Forgetting Staff And HR Data
Privacy isn’t only about customers.
If you employ staff (or even recruit staff), you’ll likely collect information like CVs, references, contact details, banking information, and emergency contacts.
This often sits alongside your employment documentation, like your Employment Contract and internal policies, but your privacy obligations still apply.
Not Having A Plan For Data Breaches
Even with good systems, incidents happen. Devices get lost, emails are sent to the wrong person, or an account gets compromised.
Under the Privacy Act 2020, some privacy breaches may require notification (including to affected individuals and the Privacy Commissioner) if they create a risk of serious harm.
Having a documented process, like a Data Breach Response Plan, can make a stressful situation far more manageable.
Not Aligning Your Privacy Policy With Your Actual Customer Journey
Imagine this: your customer signs up for a “free quote”, then immediately starts receiving marketing emails they didn’t expect. Even if you think it’s harmless, the customer experience feels off.
A strong Privacy Policy (and good sign-up wording) helps you stay consistent and transparent at every step.
Key Takeaways
- If you collect personal information in New Zealand (even just names and emails through a website form), having a Privacy Policy is usually essential.
- The Privacy Act 2020 applies broadly, including to small businesses and startups, so privacy compliance isn’t just for large organisations.
- You’ll almost always need a Privacy Policy if you run an online store, use email marketing, use analytics and tracking tools, or collect sensitive information.
- A good Privacy Policy should clearly explain what you collect, how you collect it, why you collect it, who you share it with, and how people can access or correct their information.
- Common mistakes include using a generic template that doesn’t match your real practices, overlooking employee data, and failing to plan for data breaches.
- Getting your privacy settings and documents right from day one helps build customer trust and reduces the risk of complaints or disputes later.
If you’d like help putting the right Privacy Policy (and supporting website terms) in place for your business, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.