Cookie Pop-Ups, Do I Need One? (2026 Updated)

By Esha Kumar | 10 min read

When you’re building (or refreshing) your website, cookie pop-ups can feel like one more annoying “internet requirement” you have to deal with before you can get on with running your business.

But here’s the thing: cookie banners aren’t just a design trend. They’re usually part of a broader privacy compliance story - especially if you collect personal information online, use analytics tools, run remarketing ads, or have visitors from overseas.

This guide is updated to reflect current expectations around online privacy and consent. We’ll walk you through when you actually need a cookie pop-up in New Zealand, when it’s strongly recommended, and how to set it up in a way that supports your legal obligations (without scaring off customers).

What Are Cookies (And Why Do They Matter Legally)?

Cookies are small text files stored on a user’s device when they visit a website. Some are essential for your site to function properly, and others help you track behaviour, measure marketing performance, or personalise ads.

From a legal perspective, cookies matter because they can:

  • Collect personal information (or information that becomes personal information when combined with other data).
  • Track browsing behaviour across time and sometimes across websites (particularly with advertising/remarketing tools).
  • Share data with third parties like Google, Meta, TikTok, or marketing automation platforms.

In New Zealand, the big legal framework to keep in mind is the Privacy Act 2020. The Privacy Act doesn’t have a standalone “cookie law” like some overseas jurisdictions, but it does require you to be transparent about collecting personal information and to handle it safely and fairly.

That’s why cookie pop-ups often sit alongside your Privacy Policy and overall website compliance approach.

Common Types Of Cookies You Might Use

  • Essential cookies: required for core website functions (e.g. shopping cart, logins, security, page navigation).
  • Preference cookies: remember settings (e.g. language, location, display preferences).
  • Analytics cookies: measure traffic and user behaviour (e.g. Google Analytics).
  • Marketing/advertising cookies: support remarketing, conversion tracking, personalised ads (e.g. Meta Pixel, Google Ads tags).

A key practical point: the more your cookies move from “website functionality” into “tracking and marketing”, the more important it is to think about notice and consent.

For many NZ businesses, the answer is: it depends.

There isn’t a single NZ rule that says “every website must have a cookie banner”. However, you may need (or strongly benefit from) a cookie pop-up if cookies are being used in a way that involves personal information, behavioural tracking, or sharing data with third parties.

You should seriously consider using a cookie pop-up (and not just a “by using this site you agree” footer line) if you:

  • Use analytics tools like Google Analytics or other tracking tools to understand visitor behaviour.
  • Use advertising pixels (e.g. Meta Pixel) or run remarketing/retargeting campaigns.
  • Embed third-party tools that set cookies (chat widgets, booking tools, maps, video embeds).
  • Run an online store and use marketing integrations, loyalty tools, or customer tracking.
  • Have a subscription, membership area, or logged-in user accounts.

Even if you’re only operating in New Zealand, a cookie pop-up can help you meet transparency expectations and reduce the risk of privacy complaints (especially where customers feel they weren’t told they were being tracked).

If you have overseas visitors - or you actively market to customers outside New Zealand - you may be caught by other privacy regimes.

For example, if you target people in the EU/EEA (even just through online sales or marketing), the GDPR and EU cookie rules often require opt-in consent for non-essential cookies.

This is one of the most common reasons NZ businesses adopt cookie banners: not because NZ law explicitly demands it in every case, but because it’s the simplest way to manage global compliance expectations without building separate websites for different regions.

If you’re unsure whether your website is “targeting” overseas users (as opposed to passively being accessible), it’s worth getting tailored advice - this is one of those areas where the detail matters.

The Privacy Act 2020 focuses on how you collect, use, store, and disclose personal information. Cookies can fall into that picture when they collect data that identifies someone (directly or indirectly).

In plain terms, the Privacy Act expects you to:

  • Be clear and upfront about what information you’re collecting and why.
  • Collect information fairly (not in a way that’s misleading or unreasonably intrusive).
  • Keep information secure and only keep it as long as needed.
  • Give people access to their personal information if they request it (with some exceptions).

If your cookies are used for tracking and marketing, you should think about whether your customer would reasonably expect that collection and use - and whether you’ve explained it clearly enough.

Transparency Is The Core Issue

Many cookie issues come down to a simple question:

Would a reasonable customer understand what’s happening if they visited your website?

A short, clear cookie notice (linked to a more detailed policy) can go a long way in showing that you’re being transparent.

As part of that transparency, your website terms also matter - for example, your Website Terms Of Use can help set expectations about how visitors use the site, what you’re responsible for, and what you’re not.

Don’t Forget “Data Breach” Risk

Cookies and tracking tools can increase privacy risk because they often involve third-party platforms and integrations. If you suffer a security incident, you may have obligations to assess and respond appropriately (including, in some situations, notifying affected individuals and the Privacy Commissioner).

It’s worth having an internal plan for this, even if you’re a small business. A Data Breach Response Plan is a practical way to document what you’ll do if something goes wrong.

A cookie pop-up isn’t just a graphic element - it’s part of how you communicate with users and (in some situations) capture consent.

What your cookie banner should say and do depends on what cookies you use and what jurisdictions you need to satisfy. But in most cases, you’ll want your banner to be:

  • Clear: avoid vague language like “we use cookies to improve your experience” with no further detail.
  • Specific: explain the key categories (essential, analytics, marketing).
  • Actionable: let users accept, reject, or manage preferences (particularly for non-essential cookies).
  • Linked to detail: include a link to your cookie policy or privacy policy for the full picture.

Here’s an example of plain-English wording that often works as a starting point (you’ll still need to tailor it to your tools and your risk profile):

  • “We use essential cookies to make our website work. We’d also like to use analytics and marketing cookies to understand how you use our site and to improve our advertising. You can accept all cookies, reject non-essential cookies, or manage your preferences.”

If you’re using advertising/remarketing cookies, it’s a good idea to clearly mention that marketing cookies may be used to show ads on other platforms.

Do You Need “Accept” And “Reject” Buttons?

If you only use essential cookies, you might not need a full preference centre.

But if you use analytics and marketing cookies (especially where overseas compliance is relevant), you’ll generally want the ability for users to:

  • Accept all
  • Reject non-essential
  • Customise settings (optional but often helpful)

Also, make sure rejecting cookies doesn’t punish the user unnecessarily. It’s fine if some optional features don’t work, but the core site should remain usable.

This is where many businesses get caught out technically.

If you’re aiming for an opt-in consent approach (common where GDPR applies), you’ll generally need to ensure that non-essential cookies (like advertising pixels) don’t load until the user has opted in.

In practice, this might involve a consent management platform (CMP) and tag controls (for example, managing how marketing tags fire).

If you’re not sure what’s loading on your site, it’s worth doing a cookie scan - you might be surprised how many third-party cookies appear just from common plugins and embeds.
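One way to check this on your own site, as an added example that is not part of the original article: the script below classifies cookie names captured before any banner choice was made and reports the non-essential ones that loaded without consent. The category patterns and the `session_id`, `csrf_token`, `cart` and `theme` cookie names are assumptions for illustration, and the sample cookie string is constructed.

```javascript
// Added example: audit cookies that exist before the visitor has answered the banner.
// Category rules are assumptions; build your own list from your cookie scan results.
const CATEGORY_RULES = [
  { category: "analytics", pattern: /^_ga($|_)|^_gid$/ },      // Google Analytics
  { category: "marketing", pattern: /^_fbp$|^_gcl_au$/ },       // Meta Pixel, Google Ads
  { category: "essential", pattern: /^(session_id|csrf_token|cart)$/ }, // hypothetical site cookies
];

// Parse a document.cookie-style string ("a=1; b=2") into a list of cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Map a cookie name to a category; anything unmatched needs manual review.
function categorise(name) {
  const rule = CATEGORY_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unknown";
}

// consent: { analytics: boolean, marketing: boolean }. Essential cookies are always allowed.
function auditCookies(cookieString, consent) {
  const violations = [];
  const unknown = [];
  for (const name of parseCookieNames(cookieString)) {
    const category = categorise(name);
    if (category === "essential") continue;
    if (category === "unknown") unknown.push(name);
    else if (!consent[category]) violations.push({ name, category });
  }
  return { violations, unknown };
}

// Constructed sample: cookies present on first page load, before any banner choice.
const PRE_CONSENT_SAMPLE =
  "session_id=abc123; _ga=GA1.1.111.222; _fbp=fb.1.1700000000000.123; theme=dark";
const NO_CONSENT = { analytics: false, marketing: false };

const report = auditCookies(PRE_CONSENT_SAMPLE, NO_CONSENT);
console.log(JSON.stringify(report, null, 2));
```

In a browser, `document.cookie` does not expose HttpOnly cookies, so feed the audit the names from the `Set-Cookie` response headers or from your scanner's export as well.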

In most cases, you’ll want both - because they do different jobs.

  • Your Privacy Policy explains what personal information you collect, how you use it, who you share it with, and how people can contact you about privacy issues.
  • Your Cookie Policy focuses specifically on cookies and similar tracking technologies (what they are, what categories you use, and how users can manage them).

If you’re collecting customer details through your site (contact forms, enquiries, online checkout, newsletters), having a clear Privacy Policy is often a baseline expectation.

If you’re also using tracking and advertising tools, a dedicated Cookie Policy makes it much easier to explain what’s happening in a way users can actually understand.

A good cookie policy usually covers:

  • What cookies are (and similar technologies like pixels or local storage).
  • What cookies you use (broken into categories).
  • Why you use them (e.g. site functionality, analytics, marketing).
  • Third parties that may set cookies through your site (e.g. Google, Meta, Shopify apps).
  • How users can manage cookies (banner settings + browser/device controls).
  • How updates will be handled (for example, if your tools change over time).

One practical tip: keep it accurate. If your policy says you don’t use marketing cookies but your Meta Pixel is live, that mismatch can create legal and reputational risk.

Cookie compliance doesn’t have to be complicated - but it does need to be deliberate.

Here’s a practical checklist you can work through:

1) Identify What Cookies And Tracking Tools You Use

  • Run a cookie scan using a reputable tool.
  • Review your website plugins, analytics tools, and ad accounts.
  • Check embedded services (maps, videos, booking systems, chat widgets).

2) Categorise Cookies (Essential vs Non-Essential)

  • Essential cookies: required to deliver the service the user expects.
  • Non-essential cookies: analytics, marketing, personalisation (in most cases).

This categorisation matters because it informs what you need your banner to do.

This depends on:

  • Where your customers are located and whether you target overseas users.
  • Whether you use advertising/remarketing tracking.
  • Your overall privacy risk profile and brand expectations.

If your website is central to your business (especially for ecommerce), it’s worth getting advice on the “right” approach for your situation rather than guessing.

It’s really common for businesses to start with a template, then add new apps and tracking tools over time - and suddenly the policy no longer reflects reality. Keeping these documents current is part of staying protected as you grow.

5) Implement A Banner That Matches Your Tools

  • If you need opt-in consent, configure tags so non-essential cookies don’t load until consent is given.
  • Make “reject” or “manage preferences” easy to find if you’re offering those choices.
  • Keep records of consent where appropriate (particularly if you operate internationally).

6) Think About Your Marketing Workflow

If you run email marketing, lead capture funnels, or targeted ads, cookie compliance sits alongside your broader marketing compliance. For example, your sign-up flows and disclaimers should match what you actually do with user data.

Even small changes - like adding a new ad platform pixel - can change your compliance needs, so it’s worth building a habit of checking your privacy settings whenever you change your marketing stack.

Key Takeaways

  • In New Zealand, cookie pop-ups aren’t automatically required for every website, but they’re often recommended where cookies are used for analytics, advertising, or third-party tracking.
  • The Privacy Act 2020 makes transparency a key issue - if cookies collect personal information (or enable tracking that becomes personal information), you should be clear with users about what’s happening and why.
  • If your website targets or sells to people overseas (particularly in the EU/EEA), you may need opt-in consent for non-essential cookies, which usually requires a more robust cookie banner setup.
  • A good cookie banner should be clear and actionable, and it should match how your website actually loads cookies (especially for marketing tags and pixels).
  • Cookie compliance works best when it’s supported by the right website documents, including a Privacy Policy, a Cookie Policy, and suitable Website Terms Of Use.
  • Because cookie and tracking setups can be technical (and the legal answer often depends on your customer base and tools), getting tailored advice can save you headaches later.

If you’d like help getting your cookie pop-up, cookie policy, and privacy compliance sorted, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Esha Kumar, law graduate

Esha is a law graduate at Sprintlaw from the University of Sydney. She has gained experience in public relations, boutique law firms and different roles at Sprintlaw to channel her passion for helping businesses get their legals sorted.
