Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business has a website (or an app), there’s a good chance you’re using cookies - even if you didn’t deliberately “turn them on”. Many common tools for analytics, embedded videos, live chat, online booking, or advertising rely on cookies or similar tracking technologies.
That’s where a cookie policy comes in. It’s a simple but important way to be transparent with customers about what’s happening behind the scenes when they browse your site.
In this guide, we’ll break down what a cookie policy is, when your New Zealand business should have one, what to include, and the common mistakes we see small businesses make when setting one up.
Do NZ Businesses Need A Cookie Policy?
There isn’t one single New Zealand law that says “you must have a cookie policy” in those exact words. But in practice, many businesses do need one because of broader privacy and consumer law obligations.
In New Zealand, your obligations will often come back to the Privacy Act 2020. If cookies on your site collect, use, or share personal information (or data that becomes personal information when combined with other data), you need to think carefully about transparency and lawful handling of that information.
A cookie policy is one of the clearest ways to explain:
- what tracking technologies your website uses
- why you’re using them
- who else might receive that data (for example, third-party providers)
- how a customer can control or opt out
Even if your business is small, a cookie policy becomes more important if you:
- use analytics tools to track website traffic and behaviour
- run online advertising or retargeting campaigns
- use third-party plugins (maps, booking tools, embedded social media, etc.)
- collect leads through online forms
- sell online (where you’re gathering customer details and payment-related data)
In other words: if your website is doing more than just sitting there like a digital business card, you should strongly consider a cookie policy.
It also matches what customers now expect. People are increasingly aware of tracking, and being upfront builds trust.
What Counts As A Cookie (And Why It Matters For Your Business)?
Cookies are small text files stored on a user’s device when they visit your website. They help your site recognise that user, remember preferences, and (depending on the cookie) track behaviour across pages or even across websites.
From a small business perspective, cookies often fall into a few practical categories:
Essential Cookies
These are cookies that help the site function properly - for example, remembering items in a cart, logging in, or maintaining security settings. Without them, your website may not work as intended.
Performance / Analytics Cookies
These help you understand how people use your site (for example, which pages are popular, how long visitors stay, and where traffic comes from). This data can be incredibly useful for improving your marketing and customer experience.
Functionality Cookies
These remember user choices, like preferred language, region, or pre-filled form fields.
Advertising / Targeting Cookies
These are often used to show ads to people based on browsing behaviour, measure ad performance, and “retarget” people who visited your site previously.
Third-Party Cookies
These come from services embedded into your site - think video players, maps, social media embeds, booking widgets, payment services, and more. Even if you didn’t directly set these cookies yourself, your website might still be enabling them.
Why does this matter? Because when cookies connect to an identifiable person (directly or indirectly), this can become a privacy compliance issue - and customers will expect you to be transparent about it.
For many NZ businesses, a cookie policy sits alongside (and supports) a broader Privacy Policy, because both documents form part of your customer-facing privacy compliance.
What To Include In A Cookie Policy (A Practical Checklist)
A strong cookie policy doesn’t need to be overly legalistic - but it does need to be clear, accurate, and tailored to how your site actually works.
Here’s what we typically recommend including in a cookie policy for a New Zealand business.
1. A Plain-English Explanation Of Cookies
Start with a short explanation of what cookies are and why websites use them. The goal is to help everyday customers understand what’s going on without needing a technical background.
2. The Types Of Cookies You Use
List the categories relevant to your site (for example, essential, analytics, advertising). If you can, explain the purpose of each category.
- Essential: to make the website work securely and reliably
- Analytics: to understand and improve how customers use your site
- Advertising: to measure campaigns and show relevant ads
3. What Information Cookies Collect
This is where you connect cookies to data. For example, cookies may collect:
- IP address or approximate location
- device type and browser type
- pages visited and time spent on pages
- referring website or marketing campaign source
- actions taken (like clicking buttons, submitting forms, or adding items to cart)
If you’re collecting personal information via cookies or similar tools, your cookie policy should align with your overall privacy approach.
4. Who Receives The Data (Including Third Parties)
If your site uses third-party services that place cookies or receive tracking data, your cookie policy should explain this. Customers want to know whether data stays with you or is shared externally.
This is especially important for advertising and analytics setups, where data may be processed by external providers.
5. How Users Can Manage Or Disable Cookies
Your cookie policy should explain how users can control cookies, such as:
- adjusting browser settings to refuse cookies
- clearing cookies stored on their device
- using your website’s cookie preferences tool (if you have one)
If your website offers a cookie banner with settings, your cookie policy should match what the banner actually allows people to do.
6. How Long Cookies Stay On A Device
Some cookies are “session cookies” (deleted when the browser closes) and others are “persistent cookies” (stay for a set period). If you can, include this kind of information - especially for non-essential cookies.
7. Updates And Version Control
Your tools will change over time (new plugins, new analytics setup, new marketing pixels). Your cookie policy should include a short statement that it may be updated and how users can check the latest version.
For many online businesses, the cookie policy is part of a wider set of website legal documents - for example your Website Terms and Conditions and your privacy documentation.
If you want this properly tailored, Sprintlaw can help with a Cookie Policy that matches your website’s actual tracking and customer journey.
How To Handle Consent And Cookie Banners In NZ (Without Scaring Customers Off)
A cookie policy is the document that explains your approach. A cookie banner (or cookie consent tool) is the mechanism customers see when they land on your site.
In New Zealand, there isn’t a single “cookie consent law” that prescribes one mandatory banner or opt-in model for all cookies. However, transparency is important where cookies are used in a way that collects or relates to personal information, or where cookies are used for more intrusive tracking (such as advertising and retargeting).
The right consent model varies from site to site, because what you need depends on:
- what cookies you’re using
- whether cookies collect personal information
- whether data is shared with third parties
- what overseas laws might apply (for example, if you target overseas customers, laws like the GDPR can impose stricter opt-in and banner requirements)
What Your Cookie Banner Should Generally Do
From a practical small business perspective, a good cookie banner should:
- tell users that your site uses cookies
- briefly explain why (for example, “to improve your browsing experience and analyse traffic”)
- link clearly to your cookie policy
- give users meaningful options (especially where non-essential cookies are involved)
If you’re collecting customer data through your site in more than a basic way, it’s also worth ensuring your broader privacy framework is solid - including your Privacy Policy and, where relevant, agreements with suppliers who process data for you (for example, a Data Processing Agreement if you’re working with external platforms handling customer data).
What If I Only Use “Basic Analytics”?
This is one of the most common scenarios we see. You might feel like you’re “not really collecting personal information” because you’re just looking at website traffic.
But even analytics can involve identifiers and device data. The safer approach is to assume analytics cookies deserve transparency in your cookie policy, and to consider whether consent or an opt-out mechanism is appropriate depending on how the analytics is configured and what data is shared.
What If I Run Ads Or Retarget Visitors?
If you’re using advertising cookies to build audiences, track conversions, or retarget previous visitors, it becomes even more important that your cookie policy and cookie banner are clear and accurate.
This isn’t just a privacy issue - it can also become a trust issue. If customers feel like your business is “following them around the internet” with no explanation, it can hurt your brand.
If You Sell Online, Don’t Forget The Rest Of Your Website Legals
If your website takes payments, subscriptions, or customer orders, cookies may be only one piece of the compliance puzzle. You’ll also want to ensure your online sales framework is covered with E-Commerce Terms and Conditions, plus clear refund/returns and customer service terms.
Common Cookie Policy Mistakes (And How To Avoid Them)
A cookie policy is only helpful if it matches reality. The biggest risks usually come from businesses using a generic template that doesn’t reflect their actual website setup.
Here are the common mistakes we’d encourage you to avoid.
1. Using A Template That Doesn’t Match Your Website
If your cookie policy says you only use “essential cookies” but your site has analytics, embedded media, and advertising tools running in the background, you’ve created a mismatch.
That mismatch can lead to:
- customer complaints
- privacy compliance issues under the Privacy Act 2020
- a loss of trust (which is hard to rebuild)
2. Forgetting Third-Party Cookies
It’s easy to focus only on what you installed intentionally. But third-party features often place cookies too - booking tools, videos, maps, chat widgets, and social media embeds are common examples.
If you’re not sure what cookies your website is using, it’s worth doing a quick audit with your developer or legal advisor.
3. Making It Hard To Find
A cookie policy should be easy to access, typically in your website footer alongside your other legal links. If users have to hunt for it, the transparency benefit is lost.
4. Overpromising (“We Never Share Data”)
Be careful with absolute statements. If any third-party providers receive tracking data (even in aggregated form), you need to be honest about that. Overpromising can create risk under the Fair Trading Act 1986, because your business shouldn’t mislead customers about what you do with their data.
5. Not Keeping It Updated
Websites evolve quickly. If you change analytics tools, add a new marketing pixel, or embed a new booking platform, your cookie policy should be reviewed and updated so it remains accurate.
6. Treating A Cookie Policy As A Substitute For A Privacy Policy
Your cookie policy and privacy policy do different jobs:
- A cookie policy focuses on cookies and tracking technologies on your website/app.
- A privacy policy covers the wider way you collect, use, store, and disclose personal information (including through forms, email marketing, customer accounts, sales, and support).
Most businesses need both, especially if you collect enquiries, run email marketing, or sell online.
Key Takeaways
- A cookie policy helps your business be transparent about how your website uses cookies and similar tracking tools, which supports compliance and builds customer trust.
- Even though NZ doesn’t have a single “cookie law”, cookies can trigger obligations under the Privacy Act 2020 when they collect or relate to personal information.
- A good cookie policy should clearly explain what cookies you use, why you use them, what data they collect, whether third parties receive data, and how users can manage their preferences.
- If your website uses analytics, advertising/retargeting, or third-party embedded tools, a cookie policy becomes especially important (and generic templates often won’t match what your site is doing).
- Your cookie banner and your cookie policy should align - what you say and what your site actually does should match.
- Cookie compliance usually works best as part of a broader website legal setup, alongside your privacy policy and your website terms.
If you’d like help putting the right cookie policy in place (or checking that your website’s privacy and consent approach is actually consistent with how your site works), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


