If your business collects personal information (even something as simple as a name and email), you’ve probably wondered whether you need a privacy consent form - and what “consent” actually means in practice.
It’s a fair question. In New Zealand, privacy compliance isn’t just for big tech companies. Everyday businesses collecting customer details, recording calls, using CCTV, running email marketing, or handling health information can run into privacy issues quickly if the basics aren’t set up properly.
This updated guide reflects current expectations under New Zealand’s privacy framework, including the Privacy Act 2020 and the way privacy risks show up in modern, digital-first businesses. We’ll break down when you need a privacy consent form, when you don’t, and how to get it right without over-complicating things.
A privacy consent form is a document (paper or digital) that asks a person to agree to you collecting, using, or sharing their personal information for a particular purpose.
In practical terms, it usually includes:
- What information you’re collecting (e.g. contact details, identification, medical details, images/video)
- Why you’re collecting it (the purpose)
- Who it might be shared with (e.g. cloud software providers, contractors, referral partners)
- How long you’ll keep it (or the criteria you use to decide)
- How the person can access or correct it
- How they can withdraw consent (where relevant) and what that means
One of the most common misconceptions is that you always need consent to collect personal information.
In NZ, you can often collect and use personal information without a signed consent form if:
- it’s necessary for a lawful purpose connected with your business; and
- the collection is fair and not unreasonably intrusive; and
- you provide appropriate notice (so people aren’t surprised by what you’re doing).
That said, there are situations where consent is the safest - or sometimes the only realistic - way to show your collection/use is fair and transparent.
Consent Needs To Be Real (Not Just A Box-Tick)
Consent should be:
- Informed: people understand what they’re agreeing to
- Freely given: not pressured or bundled unfairly
- Specific: not vague or overly broad (“anything we want” won’t cut it)
- Current: if your purpose changes, your consent might need to be refreshed
In other words: consent works best when it’s clear, limited, and genuinely optional where possible.
You’re most likely to need a privacy consent form when you’re handling personal information in a way that is more sensitive, less expected, or goes beyond what’s necessary to provide the product or service.
Here are common situations where a consent form is usually appropriate (and sometimes essential).
Sensitive personal information isn’t a single defined list in one neat box, but it generally includes things like health information, biometrics, or information that could cause harm if misused.
Examples include:
- medical histories or symptoms (even if you’re not a “health clinic”)
- counselling or wellbeing notes
- drug and alcohol testing records
- identity documents (passport, driver licence)
If you’re collecting this kind of information, consent is often part of a “do it properly from day one” approach - along with having a fit-for-purpose Privacy Policy and strong internal handling processes.
Depending on your situation, you might also need a dedicated form, like a Medical Release Consent Form or Drug Test Consent Form.
2) You’re Using Photos, Videos, Or Recordings Of People
If you’re filming clients, recording testimonials, taking photos at events, or using images for marketing, consent can become crucial - especially if the person is identifiable and the content is used publicly.
Some common examples:
- before-and-after images for beauty, fitness, or cosmetic services
- recorded Zoom consultations used for training or quality assurance
- event photography where you plan to post on social media
- user-generated content reposted on your brand’s channels
Consent doesn’t always have to be a long contract, but it does need to be clear and provable. For many businesses, a tailored Model Release Form is the cleanest way to show you’ve obtained permission to use someone’s image.
On the recording side, be careful: recording calls or meetings can raise both privacy and (depending on circumstances) surveillance-related concerns. If call recording is part of your workflow, you’ll also want to understand call recording laws and how to notify people appropriately.
3) You’re Collecting Data For Marketing (Especially Beyond “Basic” Marketing)
If you’re collecting personal information to run targeted marketing campaigns, build customer profiles, or share customer data with marketing partners, consent can be key - because this is often outside what the customer reasonably expects when they buy something.
For example:
- collecting birthdays so you can send promotions
- tracking purchase behaviour for segmentation
- sharing customer lists with affiliate partners
Even where consent isn’t strictly legally required in every case, getting it can reduce disputes and complaints (and it’s generally better for trust).
If email marketing is part of your strategy, you’ll also want to align your privacy settings with your communications compliance. It’s worth checking your approach against email marketing laws so your opt-ins, unsubscribe processes, and data handling are consistent.
Lots of businesses share personal information as part of normal operations - for example, giving an address to a courier. That’s usually expected and necessary.
But if you’re sharing with third parties for other purposes (or in a broad/open-ended way), a consent form (or a very clear consent mechanism) may be needed.
Examples:
- sharing client details with a referral partner
- using customer information in a case study
- providing personal information to an overseas contractor or service provider for processing
If you do work with offshore service providers, consent isn’t the only piece - you’ll also want robust contractual protections and a clear privacy notice about where data goes and why.
5) You’re Collecting Information In A Workplace Context (Employees, Contractors, Applicants)
Consent is often misunderstood in employment. People sometimes assume they can “consent” their way out of workplace privacy issues, but it’s not always that simple because there can be a power imbalance between employer and employee.
Still, there are situations where having clear, written acknowledgment/consent is very important, such as:
- collecting medical certificates and health-related information beyond what is necessary
- drug and alcohol testing
- collecting emergency contact details and storing them appropriately
- using employee photos in marketing materials
If you’re monitoring staff (for example, CCTV or device monitoring), you need to be extra careful. You can’t just install cameras and hope for the best - you should take a considered approach and document it properly. If this applies to your business, it’s worth reading about cameras in the workplace and ensuring your policies and notices match what you’re actually doing.
Consent forms can be helpful, but they’re not always required - and sometimes they can create extra risk if they’re used lazily.
Here are situations where you often don’t need a dedicated privacy consent form, as long as you’ve done the basics properly.
If a customer buys something from you and you need their details to complete the transaction, you can generally collect and use that information for that purpose.
For example:
- name, email, and delivery address to send an order
- phone number so a courier can arrange delivery
- billing details to issue invoices and manage payment
You should still give a clear privacy notice (often via a privacy policy and checkout wording) explaining what you collect and why - but a signed consent form is usually overkill.
Basic Customer Service Communications
If someone contacts you with an enquiry and you reply using their contact details, consent is generally implied because it’s the reasonable and expected use of the information they provided.
Legal Or Regulatory Requirements
Sometimes you collect or keep information because the law requires it (for example, certain tax records or employment records). In those cases, consent isn’t the “reason” you’re collecting it - legal obligation is.
However, you still need to:
- limit collection to what you need
- store the information securely
- give people transparency about what you’re doing
- respond to access/correction requests appropriately
A vague consent form that says you can use personal information for “any purpose we decide” can create the impression you’re not being transparent - and that can be exactly what triggers a complaint.
Done well, consent builds trust. Done poorly, it can create confusion and friction (and it won’t reliably protect you if something goes wrong).
A strong privacy consent form should be short enough that people will actually read it, but clear enough that the consent is meaningful.
What you include depends on the context, but as a general checklist, consider covering the following.
The Essentials
- Who you are: the business/entity collecting the information
- What information you’re collecting: list categories (not necessarily every data field)
- Purpose: why you need it (be specific)
- Use and disclosure: who it may be shared with and why
- Storage and security (high-level): where it’s stored and that you take reasonable steps to protect it
- Access/correction rights: how someone can request a copy or a correction
- Contact point: who to contact (email is usually fine)
If It’s Optional, Say That Clearly
If the person can still receive the service even if they don’t consent to an extra use (like marketing), make that obvious.
This is particularly important where you’re asking for consent to:
- use images for promotions
- send marketing communications
- share details with partners
- use information for research, analytics, or training
Withdrawal Of Consent
If consent is the basis for a particular use (like marketing emails), you should explain how the person can withdraw consent.
Just keep it practical. For example, “unsubscribe using the link” or “email us at ”.
Link It To Your Broader Privacy Settings
A consent form shouldn’t exist in a vacuum. It should align with what your business says elsewhere - especially your privacy policy and internal processes.
If your business collects information online, make sure your website wording, cookies/analytics settings, and checkout forms line up with the same story. When these documents contradict each other, that’s when disputes start to pop up.
Most business owners don’t want to “lawyer up” every interaction - and you don’t have to. The trick is to build consent into your workflow in a way that’s clear and normal.
- Online form tick-box: good for marketing opt-ins or service onboarding (make it specific and unticked by default where it’s optional)
- Signed form (digital or paper): best for higher-risk situations like health information, image/video release, or disclosures to third parties
- Recorded verbal consent: sometimes appropriate for phone-based services, but you still need a clear script and recordkeeping
If you’re collecting consent by phone, be careful not to accidentally create a compliance issue by recording the call without proper notice. Your consent process and your recording practices should work together.
Keep Records (Because Consent You Can’t Prove Isn’t Very Helpful)
If you rely on consent, you should be able to show:
- what the person saw at the time they consented
- what they agreed to
- when they agreed
- how they agreed (signature, tick-box, email, etc.)
This is especially important if your business operates online, uses automated marketing tools, or handles higher-risk information.
Train Your Team And Set Internal Rules
Even a perfect consent form won’t help if your staff handle information inconsistently.
At a minimum, make sure your team knows:
- what information they are allowed to collect (and what they shouldn’t ask for)
- where to store information (and where not to store it)
- who can access it internally
- what to do if a customer asks for a copy of their information
- what to do if there’s a suspected privacy breach
If you’re building your legal foundations more broadly, it’s also a good time to make sure your other customer-facing documents are consistent - like your Website Terms and Conditions and service terms.
Key Takeaways
- A privacy consent form is most useful when you’re collecting or using personal information in a way that is sensitive, unexpected, or beyond what’s necessary to deliver your service.
- You don’t always need a signed consent form to collect personal information in New Zealand, but you do need to be transparent and fair, and comply with the Privacy Act 2020.
- Consent should be informed, specific, and provable - vague “catch-all” consent wording can create risk rather than reduce it.
- Common situations where consent forms help include collecting health information, using images/videos for marketing, recording calls, and sharing personal data with third parties.
- Consent forms should match your broader privacy approach, including your Privacy Policy, internal processes, and any marketing opt-in settings.
- If you’re relying on consent, keep good records and make sure your staff understand how to collect, store, and share personal information properly.