Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Note: This article is general information for small businesses and isn’t legal advice. Privacy compliance depends on your specific circumstances.
Building a customer database can be one of the smartest moves you make as a small business owner.
It helps you follow up leads, send marketing offers, manage returns, personalise service, and understand what customers actually want. But once you start collecting names, emails, phone numbers, purchase history, addresses, or even notes about preferences, you’re dealing with personal information.
In New Zealand, the Privacy Act 2020 sets the ground rules for how you collect, use, store, and share personal information. Getting it right from day one isn’t just about avoiding complaints or fines. It’s about building trust (and protecting the value of your business as it grows).
Below, we’ll walk through what customer database compliance looks like in practice, what consent really means, and the steps you can take to keep your business on the right side of privacy law.
What Counts As A Customer Database (And Why It Matters Legally)?
A customer database is basically any system or record where you store customer information for business purposes. It doesn’t have to be fancy.
Your customer database could be:
- a spreadsheet with customer names and email addresses
- an online shop order history (including delivery addresses)
- a CRM tool tracking sales conversations and notes
- a booking system for appointments
- a mailing list for newsletters and promotions
- a loyalty or membership program list
- a set of paper forms kept behind the counter
The legal risk usually isn’t the database itself. It’s the personal information inside it.
Under the Privacy Act 2020, “personal information” is information about an identifiable individual. That includes obvious details like:
- name, email, phone number
- address and delivery instructions
- order history and service history
- IP address and device identifiers (common in online businesses)
And it can also include information that’s more sensitive or more likely to cause harm if misused, like:
- health-related details (even casual notes can count)
- financial details
- identity document information
- complaint records or dispute notes
Once you collect this information, you become responsible for managing it properly. That responsibility applies whether you’re a sole trader, partnership, or company. (If you’re still deciding on your set-up, your business structure can affect risk and liability, but privacy compliance applies either way.)
What Privacy Law Applies To Your Customer Database In NZ?
The main law you need to understand is the Privacy Act 2020. It applies to most businesses that collect or hold personal information in New Zealand.
The Privacy Act is built around “information privacy principles” (IPPs). You don’t need to memorise them like a textbook, but you do need to run your customer database in a way that lines up with those principles.
In Practice, The Privacy Act 2020 Usually Means You Must:
- Collect only what you need (and not “just in case”)
- Tell customers what you’re doing with their information (before or at the time you collect it)
- Use it for the reason you collected it (unless an exception applies)
- Keep it secure against unauthorised access, loss, or misuse
- Let customers access and correct their personal information (with limited exceptions)
- Only share it when you’re allowed to (and ideally when you’ve told customers you will)
- Report notifiable privacy breaches to the Privacy Commissioner and affected individuals when required
If your business collects data online, you’ll also want to think about the “front end” customer-facing compliance pieces, like your website terms and privacy disclosures. A properly drafted Privacy Policy is one of the most practical ways to explain (in plain English) what you collect, why you collect it, and how customers can contact you about their data.
And if you email customers marketing content, you also need to keep an eye on the rules around electronic messages. Businesses often address privacy compliance and email marketing law together so your customer database doesn’t become a compliance headache later. In New Zealand, the Unsolicited Electronic Messages Act 2007 can also apply to commercial email and SMS marketing (including requirements around consent, accurate sender information, and a functional unsubscribe facility).
Do You Need Consent To Build A Customer Database?
Many business owners assume you always need consent to collect customer information. In reality, whether you need consent depends on what you’re collecting, how you’re collecting it, and what you plan to do with it.
In lots of situations, you can collect customer information because it’s necessary for your business activity and the customer reasonably expects it.
For example, you generally don’t need special consent to collect:
- an email address to send an invoice
- a delivery address to ship a product
- a phone number to confirm an appointment booking
However, what you do need is transparency. Customers should know:
- what information you’re collecting
- why you’re collecting it
- who you might share it with
- how they can access or correct it
That’s where a privacy collection notice (often built into your Privacy Policy and forms) becomes important.
When Consent Becomes Essential
You’re far more likely to need clear consent (or another clear legal basis) when you want to:
- use customer details for marketing (especially email/SMS marketing)
- collect sensitive information (for example, health information in wellness services)
- share data with third parties beyond what’s needed to deliver the service
- use customer data in a new way that customers wouldn’t reasonably expect
A common example: a customer buys once from your online store. You might be allowed to email them about their order (transactional messages). But adding them to a long-term promotional list is different. If you want to do that, it’s usually best practice (and often required depending on the channel and circumstances) to get a clear opt-in and to make it easy to unsubscribe.
What Does “Good Consent” Look Like?
Consent should be:
- informed (the customer understands what they’re agreeing to)
- specific (not vague or bundled into unrelated terms)
- freely given (not forced where it’s not necessary)
- easy to withdraw (for marketing, customers should be able to unsubscribe)
Pre-ticked boxes and confusing wording are where small businesses often get caught out. If you’re collecting consent, keep it simple and obvious.
How Can You Collect Customer Data Legally (Online And Offline)?
A good rule of thumb is: collect customer information fairly, lawfully, and in a way that wouldn’t surprise a reasonable customer.
Common Legal Ways To Build A Customer Database
Most small businesses build a customer database through day-to-day operations, such as:
- checkout pages and order forms
- booking and enquiry forms
- quote requests
- account sign-ups
- newsletter sign-up forms
- loyalty or membership programs
- in-store customer forms (including warranty registrations)
The key is that each collection point should clearly tell customers what’s happening with their data. If you’re collecting data online, also think about the broader website legal set-up. For many businesses, having clear Website Terms And Conditions alongside your privacy documents helps reduce misunderstandings around accounts, orders, cancellations, and customer disputes.
Be Careful With “Secondary Uses”
One of the most common privacy issues isn’t how data is collected. It’s how it’s used later.
Imagine this: you collect customer emails for receipts. Six months later, you start a new product line and decide to email your whole customer database with a promotion.
If customers weren’t told their email would be used for marketing (or didn’t opt in where required), you may be using the information for a purpose they didn’t expect. That’s when complaints, unsubscribes, and reputational damage tend to happen.
If you want to use your customer database for marketing, it’s usually safer to:
- get opt-in consent at the time of collection (or ask customers to opt in later)
- separate “transactional” contact permissions from “marketing” permissions
- make opting out simple, and act on opt-outs quickly
Don’t “Scrape” Or Buy Lists Without Checking The Privacy Risks
It can be tempting to speed things up by buying a list of contacts or scraping public data online. But this is a high-risk area.
Even if data is publicly available somewhere, you still need to think about:
- whether customers would reasonably expect your business to collect and use it
- whether the original collection was lawful
- whether your intended use (especially marketing) is permitted
- how you will prove consent or compliance if someone complains
If your growth plan involves large-scale marketing using a customer database, it’s worth getting advice early so you don’t build a system that later needs to be rebuilt from scratch.
What Are Your Obligations To Protect And Store Customer Database Information Securely?
If you hold personal information, you’re expected to take reasonable steps to protect it against:
- loss
- unauthorised access
- unauthorised use
- misuse or disclosure
“Reasonable steps” depend on your business size, what information you hold, and how sensitive it is. But small businesses are not exempt. In fact, smaller teams are often targeted because they may have weaker security processes.
Practical Security Steps For Small Businesses
Here are sensible steps many businesses take to protect a customer database:
- Limit access (only staff who need the database should access it)
- Use strong passwords and multi-factor authentication
- Encrypt devices (especially laptops and phones that store customer data)
- Back up securely and make sure backups are also protected
- Train your team on phishing and scams (most breaches start here)
- Have a process for offboarding staff so access is removed quickly
- Check your suppliers (for example, if you use a booking system or email marketing provider)
If you have employees or contractors who access customer information, it’s worth making privacy expectations crystal clear in your internal documents. Businesses often cover these expectations in onboarding documents and workplace policies, and sometimes reinforce confidentiality obligations through contracts (particularly for people handling sensitive customer data).
What If There’s A Privacy Breach?
A privacy breach is any situation where personal information is accessed, disclosed, altered, lost, or destroyed without authorisation (or where that’s likely to cause harm).
Common examples include:
- sending a customer email to the wrong recipient
- losing a laptop with customer information saved on it
- a staff member accessing records they shouldn’t
- your online store being hacked and customer data leaked
Under the Privacy Act 2020, some breaches are “notifiable,” meaning you may need to notify the Office of the Privacy Commissioner and affected individuals. The threshold generally relates to whether the breach has caused (or is likely to cause) serious harm.
Even when notification isn’t required, you should still document what happened, what you did to contain it, and how you’ll prevent it happening again. Having a plan in place before anything goes wrong can save you a lot of stress.
When Can You Share Or Sell Customer Database Information?
For small businesses, “sharing” customer database information often happens without you thinking of it as sharing.
For example, you might share customer information with:
- couriers and delivery providers
- payment processors
- booking and CRM tools
- cloud storage providers
- marketing platforms
- accountants or customer support contractors
Some of this sharing is necessary to provide your service, and customers generally expect it. But you should still be transparent about it (for example, stating in your Privacy Policy that you use third-party providers to help run your business).
Selling A Customer Database (Or Buying One) Is A Big Deal
If you’re thinking about selling your business, your customer database can be a valuable asset. But legally, it isn’t just “property” you can freely transfer like stock.
Privacy issues often come up in:
- business sales and due diligence (what data is held, how it was collected, whether consents exist)
- transferring customer lists to a purchaser
- merging with another business
The general question to ask is: would your customers reasonably expect their data to be transferred? If not, you may need to take additional steps (like notifying customers or obtaining consent).
This is also where good contracting matters. If you’re selling a business, the sale agreement should clearly address customer data, who is responsible for compliance, and what happens if there’s a privacy complaint later. Many business owners use a properly drafted Business Sale Agreement to reduce disputes about what was included in the sale.
If you’re buying a business, customer data should be part of legal due diligence so you’re not inheriting a compliance problem.
Cross-Border Storage And Overseas Providers
Many tools store information on servers outside New Zealand. That doesn’t automatically mean you can’t use them, but it does mean you should think carefully about:
- where customer data is stored
- what security and privacy commitments the provider offers
- whether disclosures in your Privacy Policy are accurate
- what happens if there is a breach
It’s also important to be aware of IPP 12 (disclosing personal information overseas). If you disclose personal information to an overseas recipient (including some offshore service providers), you may need to take extra steps to make sure the disclosure is permitted under NZ law, for example by ensuring the recipient is subject to comparable safeguards or by putting appropriate contractual protections in place (unless an exception applies).
If you’re using overseas contractors (for example, a virtual assistant or offshore customer support) who will access your customer database, you should set clear expectations about confidentiality and data handling. Depending on your situation, you may also want formal agreements in place with the service provider and your internal team.
Key Takeaways
- A customer database can be as simple as a spreadsheet or as advanced as a CRM, but if it contains personal information, you need to comply with the Privacy Act 2020.
- You don’t always need express consent to collect customer information, but you do need to be transparent about what you collect and why, and avoid using data in ways customers wouldn’t reasonably expect.
- Marketing use of a customer database is higher risk, so clear opt-in consent, easy opt-outs, and good disclosure practices are essential (and email/SMS marketing may also need to comply with the Unsolicited Electronic Messages Act 2007).
- Businesses must take reasonable steps to secure customer data, including limiting access, using strong security controls, and having processes to prevent and respond to privacy breaches.
- Sharing customer database information with suppliers (like couriers or software providers) should be disclosed, and selling or transferring customer data during a business sale needs careful handling.
- If you disclose personal information to overseas recipients, you should also consider IPP 12 and whether additional safeguards (like contractual protections) are needed.
- Clear customer-facing documents like a Privacy Policy and Website Terms And Conditions help set expectations and reduce complaints and disputes.
If you’d like help setting up your customer database compliance, including a Privacy Policy and practical privacy processes, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.