Cookie Policies for NZ Businesses: What to Include

By Alex Solo (12 min read)

If your business has a website, online store, booking portal or app, there is a good chance it uses cookies or similar tracking tools. Many New Zealand businesses make the same mistakes here: copying a generic overseas cookie policy, listing only "essential cookies" when analytics and advertising tools are also running, or treating a cookie policy as a one-off document that never needs updating. Those shortcuts can create privacy issues, misleading disclosures, and awkward questions from customers or commercial partners.

A clear cookie policy helps people understand what information your site collects, why that happens, and what choices they have. It also helps your business line up its website practices with its wider privacy documents and internal processes. This guide explains what a cookie policy means for New Zealand businesses, when you should put one in place, the clauses and details it usually needs, and the practical mistakes founders often make before they launch online or update their site.

Overview

A cookie policy is a plain language document that explains how your website or app uses cookies and similar technologies to collect information from visitors' devices. For New Zealand businesses, the key issue is transparency: your policy should match what your site actually does, fit with your privacy practices, and give users accurate information about their options.

  • Identify all cookies and tracking tools actually used on your website, store, app and plug-ins.
  • Explain what each category does, such as essential, analytics, functionality and advertising cookies.
  • Describe what information is collected and whether it can be linked to identifiable individuals.
  • State whether third parties place cookies through your site, such as analytics, payment, chat or advertising providers.
  • Tell users how they can manage cookie preferences through your banner, settings or browser controls.
  • Keep the cookie policy consistent with your privacy policy, website terms and actual data handling.
  • Review the document whenever you add new marketing tools, integrations or ecommerce features.

A cookie policy is not just a technical website notice; it is part of how your business explains its privacy practices to customers, users and prospects.

Cookies are small files or identifiers stored on a user's device when they visit a website. Some are essential for core functions, such as keeping a shopping cart active or remembering login details. Others help you measure traffic, personalise content, save preferences or track behaviour for advertising.

In practice, a cookie policy matters because those tools can involve the collection of personal information or online identifiers. Under New Zealand privacy law, businesses that collect personal information should be open about what they collect, why they collect it, how they use it, and who they share it with. A cookie policy can help meet that transparency expectation, especially when paired with a well-drafted privacy policy.

Why transparency matters

The main risk is not simply using cookies. The main risk is using them without telling people clearly what is happening.

If your website says very little about cookies, but analytics, advertising pixels, heatmaps, embedded videos, chat widgets and social media integrations are all active, your disclosures may be incomplete. If your banner says you only use cookies "to improve the site" but your tools also support remarketing or audience profiling, that wording may be too vague. For an ecommerce business, SaaS startup or online service provider, that gap can create trust issues and legal exposure.

Transparency also matters when you work with larger customers, enterprise procurement teams or offshore partners. They often ask for privacy and website documentation before you sign a contract. A missing or poorly drafted cookie policy can slow that process down.

Your cookie policy should not sit on its own. It usually works alongside several other business documents and decisions.

  • A privacy policy, which explains your broader approach to collecting, storing, using and disclosing personal information.
  • Website terms or terms of use, which set out the rules for using your site.
  • Customer terms and conditions, especially if you are selling online, taking bookings or offering subscriptions.
  • Internal privacy processes, such as who can access analytics tools, how long data is kept, and what happens if a customer asks questions about tracking.
  • Supplier agreements or platform contracts, where third party tools process data or set their own requirements for disclosures and consent language.

This is where founders often get caught. They install tools through Shopify apps, ad platforms, CRM systems or cookie consent software without checking whether their legal documents still match the website setup.

A useful cookie policy should tell users what is happening in a way that is specific to your business. Generic wording copied from another jurisdiction often misses important details.

Most cookie policies should include:

  • What cookies and similar tracking technologies are.
  • Why your business uses them.
  • The categories of cookies used on your site.
  • The type of information collected through each category.
  • Whether cookies are first party or third party.
  • How long cookies stay active, if relevant and practical to explain.
  • How users can accept, reject or manage cookies.
  • How cookies relate to your privacy policy.
  • How users can contact your business with privacy or website questions.

If your website targets customers outside New Zealand, you may also need to consider overseas privacy and consent rules. That often comes up for software businesses, online retailers and digital services selling into Australia, the UK, Europe or North America. The answer may not be one-size-fits-all, so the wording should reflect where you operate and who you target.

When This Issue Comes Up

You should think about your cookie policy before you launch online, before you spend money on paid traffic, and before you add tracking tools that change what your website collects.

Many business owners only notice cookies when a developer installs a consent banner or a platform prompts them to publish a policy. In reality, the issue usually appears at several specific moments in the life of a business.

When you launch a new website or online store

A new website build often includes analytics, ecommerce functions, payment integrations, live chat, video embeds and marketing plug-ins from day one. Each of those tools can create cookie and tracking issues that need to be described properly.

If you are setting up a company through the Companies Office, choosing a business structure, clearing a business name or planning a trade mark, website legal documents can feel like something to leave until later. But if your sales funnel depends on online traffic, your privacy policy and cookie disclosures should be sorted before the site goes live.

When you start selling online

Selling online usually increases the amount of data moving through your site. Product views, abandoned cart tracking, customer login tools, payment providers and email marketing integrations often mean more cookies, more third party data flows and more user profiling.

That is especially relevant for ecommerce brands, subscription businesses and app-based services. A bare-bones cookie paragraph is rarely enough once your site is handling user accounts, checkout functions and remarketing campaigns.

When you add advertising or analytics tools

The legal position often changes when you move from basic site functionality to measurement and targeted advertising.

Common triggers include:

  • Installing Google Analytics or similar traffic measurement tools.
  • Using Meta Pixel or other advertising pixels.
  • Running retargeting campaigns.
  • Adding A/B testing, session recording or heatmap software.
  • Embedding social media content or videos from third party platforms.
  • Using customer support chat software that tracks repeat visitors.

Each of these tools can affect what your policy needs to say. If your old wording only referred to basic functionality cookies, it may no longer be accurate.

When customers or partners ask questions

Sometimes the issue only surfaces when someone asks directly. A customer may want to know how to turn tracking off. A corporate client may ask for your privacy policy and website terms during procurement. An investor or buyer may review your compliance position during due diligence.

These moments tend to expose whether your cookie policy reflects reality or whether it was copied from a template years ago and never updated.

When you expand overseas

New Zealand businesses often sell internationally from an early stage. That can include SaaS products, digital subscriptions, online education, or physical products shipped abroad.

If your site attracts or targets users in markets with stricter consent and disclosure expectations, your cookie setup may need closer review. This becomes part of your wider online business legal requirements, along with contracts, privacy wording, marketing claims and platform terms.

Practical Steps And Common Mistakes

The best cookie policy starts with a technical reality check, not a drafting exercise.

Before you sign off on any wording, confirm what your website, ecommerce platform and third party services actually do. Many founders assume their site only uses a few essential cookies, then discover several marketing and analytics tools have been active for months.

Step 1: Audit your website tools

Make a list of every service connected to your website or app. Include tools installed directly by your developer, platform defaults, marketing integrations and browser-side scripts.

Your audit should cover:

  • Website platform tools, such as Shopify, WooCommerce or custom builds.
  • Payment and checkout systems.
  • Analytics and reporting tools.
  • Advertising and remarketing pixels.
  • Email marketing integrations.
  • Live chat and customer support software.
  • Video, maps and social media embeds.
  • Personalisation, A/B testing and session recording tools.
  • App SDKs and in-app tracking tools, if you run a mobile app.

Once you know what is active, you can describe it properly. Without that step, the policy is guesswork.

Step 2: Group cookies into useful categories

Most businesses organise cookies by function so users can understand the differences more easily.

Typical categories include:

  • Essential cookies, which support core website functions like security, login or checkout.
  • Preference or functionality cookies, which remember settings such as region, language or display choices.
  • Analytics cookies, which help measure traffic and user behaviour.
  • Advertising or targeting cookies, which support marketing, audience building or retargeting.

The exact categories may vary depending on your website, but the goal is clarity. If a cookie supports advertising, call it that. Do not bury marketing tracking under a broad label like "site improvement".

Step 3: Explain the data collected in plain English

Users do not need a technical manual, but they do need a truthful explanation. Your policy should describe the kinds of information the cookies collect and how your business uses it.

That may include:

  • IP address or device identifiers.
  • Browser type and settings.
  • Pages viewed and time spent on the site.
  • Shopping cart activity and purchase behaviour.
  • Referral source, such as an ad or search engine.
  • Approximate location data.
  • Interactions with content, forms or ads.

If those data points can be linked to a person, whether directly or indirectly, your privacy disclosures need to line up as well.

Step 4: Give users real choices where appropriate

A cookie policy should tell users how they can manage cookies. That often includes a cookie banner or preference tool, plus browser settings information.

The right approach depends on your business model, where your users are based, and what tracking technologies you use. The key point is that your policy should match the actual controls available on the site. If your banner says users can reject non-essential cookies, the site should operate that way in practice.

Step 5: Keep it aligned with your privacy policy and terms

Your documents should tell the same story. If your privacy policy says you collect information for marketing and analytics purposes, but your cookie policy only refers to website functionality, there is a mismatch.

Review the policy against:

  • Your privacy policy.
  • Your website terms of use.
  • Your customer terms, subscription terms or online sale terms.
  • Your actual marketing, analytics and CRM setup.
  • Your developer and software provider arrangements.

This matters before you sign a supplier agreement, before you onboard an agency, and before you scale ad spend. Once multiple providers are involved, cookie practices can drift away from the wording on your site.

Common mistakes NZ businesses make

The most common mistake is using a generic template that does not match the website. That creates false comfort without solving the real problem.

Other frequent issues include:

  • Listing only cookies your business intentionally added, while ignoring cookies set by embedded or third party services.
  • Failing to update the policy after adding pixels, chat widgets, reviews tools or new ecommerce apps.
  • Using vague descriptions like "we may use cookies to improve your experience" without explaining the actual categories and purposes.
  • Publishing a cookie banner that conflicts with the policy wording.
  • Assuming a privacy policy makes a cookie policy unnecessary.
  • Copying EU or US language that does not reflect your real operations or legal position.
  • Forgetting that app tracking, not just website tracking, may need similar disclosures.

A separate but related mistake is overlooking the wider legal setup of an online business. Founders often focus on site design and ad campaigns, but leave privacy, contracts, trade mark protection and business structure decisions until later. That can be costly once the brand gains traction.

What good practice looks like

A good cookie policy is accurate, readable and reviewed regularly. It does not need to be full of jargon. It does need to reflect your actual systems.

For many SMEs, good practice means:

  • Documenting the tracking tools used across the website and app.
  • Assigning responsibility for updates when marketing or development changes are made.
  • Reviewing disclosures before launching new campaigns or features.
  • Checking third party provider documentation and settings.
  • Testing whether your banner and preference tools behave as described.
  • Keeping records of when the policy was updated and why.

That approach is especially helpful if your business is growing fast, using external agencies, or preparing for investment, acquisition or enterprise sales.

FAQs

Not every business will need a stand-alone cookie policy, but if your website or app uses cookies or similar tracking technologies, clear disclosure is usually a sensible step. For many online businesses, a dedicated cookie policy is the clearest way to explain this properly.

No. A privacy policy covers your broader handling of personal information. A cookie policy focuses on tracking technologies used on your website or app, what they do, and how users can manage them.

You can start from a template, but it needs careful tailoring. The main risk is that a generic template will not match your actual tools, your customer journey, or the New Zealand and overseas markets you operate in.

What if I use third party tools like analytics, chat or ad pixels?

Your policy should mention those third party tools or at least the categories they fall into, explain their purpose, and state that third parties may collect information through your site. You should also make sure your privacy documents and settings align with those tools.

Review it whenever you add or remove website tools, launch new marketing activities, redesign your site, expand overseas or change your data practices. For active online businesses, a regular scheduled review is also a good idea.

Key Takeaways

  • A cookie policy explains how your website or app uses cookies and similar tracking technologies.
  • For New Zealand businesses, the core issue is transparency about what data is collected, why it is collected, and who is involved.
  • Your cookie policy should match your actual website setup, including analytics, advertising, ecommerce and third party integrations.
  • A good policy usually works alongside your privacy policy, website terms and customer terms.
  • Common mistakes include copying generic templates, missing third party cookies, and failing to update disclosures when tools change.
  • You should review cookie practices before you launch online, before you spend money on setup, before you scale advertising, and before you sign major customer or supplier contracts.

If your business is working on its cookie policy and wants help with privacy policies, website terms, ecommerce terms and data disclosure reviews, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
