Sapna has completed a Bachelor of Arts/Laws. Since graduating, she's worked primarily in the field of legal research and writing, and she now writes for Sprintlaw.
If you run a website in New Zealand, chances are you collect at least some personal information - even if it’s just an email address from a contact form or an IP address through analytics.
So it’s completely normal to wonder: do you actually need a website privacy policy by law, or is it just “nice to have”?
This guide is updated to reflect current expectations and practical compliance under New Zealand’s privacy framework, so you can get your legal foundations right from day one (without getting lost in legal jargon).
When Is A Website Privacy Policy Required In New Zealand?
In New Zealand, there isn’t a single rule that says “every website must have a privacy policy”.
But in practice, many websites do need one because of how the Privacy Act 2020 works.
The key question is usually this:
Does your website collect, use, store, or share personal information?
If yes, then you have obligations to be transparent about what you’re doing and why. A privacy policy is one of the most straightforward ways to meet that transparency expectation.
What Counts As “Personal Information” Online?
Personal information is broadly any information about an identifiable individual. On a website, this commonly includes:
- Name and email address (newsletter sign-up, enquiry forms, account creation)
- Phone number or address (booking forms, shipping details)
- Payment details (if you process payments directly)
- Photos or video of people (e.g. testimonials, submissions, community posts)
- IP addresses, device IDs, and cookie identifiers (often through analytics and advertising tools)
- Messages sent through chat widgets or support systems
Even if you think “we’re a small business, we don’t collect much”, it’s common to be collecting more than you realise once you factor in plugins, embedded tools, and third-party trackers.
Common Website Scenarios Where You Should Have A Privacy Policy
You’ll generally want a privacy policy if your website has any of the following:
- A contact form
- An email newsletter sign-up
- User accounts or logins
- An online store (even a basic one)
- Google Analytics or similar tracking tools
- Meta Pixel / online advertising tracking
- Embedded booking systems or CRMs
- Chatbots or live chat widgets
For many businesses, that’s basically “any modern website”. That’s why privacy policies have become the norm - not just for big corporates, but for everyday Kiwi businesses too.
What Does The Privacy Act 2020 Expect From Your Website?
The Privacy Act 2020 doesn’t just apply to “privacy-focused” businesses. It applies to most organisations in New Zealand that handle personal information.
One of the big themes of the Act is: be clear, be fair, and don’t surprise people.
Practically, that means when you collect personal information through your website, you should be upfront about things like:
- What you collect
- Why you collect it
- How you use it
- Who you share it with (if anyone)
- How you keep it safe
- How people can access or correct their information
A properly drafted Privacy Policy is the usual place to set all of this out in one accessible document.
Do You Need A “Privacy Collection Notice” Too?
Sometimes, yes.
A privacy policy is usually a general document that explains your overall approach to personal information.
A Privacy Collection Notice is often shorter and placed right where you collect information (for example, under your enquiry form), so users see the key points at the exact time they’re handing over their details.
For many businesses, the best setup is:
- A privacy policy linked in your website footer; and
- A short collection notice near your forms (with a link to the full policy).
This is a practical way to show transparency without overwhelming your website visitors.
What If You’re Using Third-Party Tools?
This is where a lot of businesses accidentally fall short.
Even if you don’t “intend” to collect much data, third-party tools might collect information through your website, such as:
- Email marketing platforms
- Online appointment booking tools
- Customer support platforms
- Payment gateways
- Analytics and ad tracking tools
You’re still responsible for how personal information is handled in your business, even if a third party processes it for you.
In some cases, it’s also worth checking whether you need a Data Processing Agreement with providers who handle personal information on your behalf - especially if the relationship is more customised than “standard plug-in” use.
What Should A Website Privacy Policy Include?
There’s no one “perfect” privacy policy for every business, because what you need depends on what your website does.
But there are some core clauses most New Zealand businesses should cover to avoid confusion (and reduce the risk of complaints).
1) What Information You Collect (And How)
Be specific. For example:
- information submitted via forms
- account registration details
- purchase and transaction details
- website usage data through cookies and analytics
If you collect sensitive information (for example, health information), you should treat that with extra care and consider a tailored approach such as a Privacy Policy Sensitive.
2) Why You Collect It (Your Purposes)
Your “purpose” shouldn’t be vague. Common purposes include:
- responding to enquiries
- providing products or services
- processing payments and orders
- account management
- improving website performance and user experience
- marketing communications (where permitted)
The goal is to ensure visitors aren’t left guessing what will happen to their details.
3) Cookies, Analytics, And Tracking
Cookies and tracking are a common blind spot, because many business owners install analytics tools and never revisit what those tools are doing.
Your privacy policy should explain (in plain English):
- whether cookies are used
- what they’re used for (e.g. analytics, remembering preferences, advertising)
- how users can control cookie settings (often via browser settings)
Depending on your setup, a separate cookie policy can also make sense, but the key is transparency and consistency across your documents.
4) Who You Share Information With
If you share personal information with third parties, say so. For example:
- service providers (hosting, email marketing, payment processors)
- couriers and fulfilment partners
- IT and support providers
- professional advisers (where relevant)
You don’t always need to list every provider by name, but you should be clear about categories and reasons for sharing.
5) Overseas Transfers
A lot of common website tools store data outside New Zealand (or allow access from overseas), such as cloud hosting, CRMs, and email marketing platforms.
If personal information may be stored or processed overseas, that should be addressed in your privacy policy. It’s also a good idea to ensure your internal practices match what you say publicly - consistency is what protects you.
6) How You Store And Protect Personal Information
You don’t need to publish your security blueprint (and you shouldn’t), but you should reassure users that you take reasonable steps to protect personal information.
This can include things like access controls, secure systems, and limiting internal access.
If something goes wrong, you may also have obligations to respond appropriately - including, in some cases, notifying affected individuals and the Privacy Commissioner. Having a Data Breach Response Plan can make a stressful situation much more manageable.
7) Access And Correction Requests
Individuals in New Zealand generally have rights to request access to, and correction of, their personal information (with some exceptions).
Your privacy policy should explain how users can contact you to make these requests, and what information you need to process them.
What Happens If You Don’t Have A Privacy Policy (Or It’s Wrong)?
For many businesses, the bigger risk isn’t just “not having a privacy policy” - it’s having one that:
- doesn’t match what your website actually does
- was copied from another business and doesn’t fit your setup
- promises things you can’t realistically follow (like deleting all data instantly, or never sharing with providers)
That mismatch can create issues in a few ways.
Customer Trust And Brand Damage
Privacy is now closely linked to trust.
If a customer is deciding between you and a competitor, a clear privacy policy can help them feel comfortable buying from you - especially if you’re a newer brand.
On the flip side, if a customer feels surprised by marketing emails or tracking, it can lead to complaints, bad reviews, and a reputation hit that’s hard to undo.
Privacy Complaints And Investigations
If someone believes you’ve mishandled their personal information, they can complain to your business and/or to the Office of the Privacy Commissioner.
Even if a complaint doesn’t escalate, dealing with it can take time and energy you’d rather spend running your business.
Misleading Statements (Fair Trading Risk)
There’s also a practical overlap with consumer protection expectations. If your privacy policy says one thing but your actual practices are different, it may create a “misleading impression”. That can raise issues beyond privacy alone.
This is why it’s important that your privacy policy is not just “legal-sounding” - it needs to be accurate.
Lost Opportunities With Partners And Platforms
Some online platforms, payment providers, and marketing partners expect you to have a privacy policy in place as part of their onboarding or compliance checks.
If you’re planning to scale, run ads, or partner with other brands, privacy compliance becomes part of looking established and credible.
How To Set Up Your Website Privacy Compliance (A Practical Checklist)
If you want a simple way to approach this without overthinking it, here’s a practical checklist many NZ businesses follow.
Step 1: Map What Your Website Collects
Start with the basics:
- What forms do you have (contact, booking, checkout, newsletter)?
- What plugins are installed?
- What analytics and ad tracking tools are running?
- Where does the data go (email inbox, CRM, spreadsheets, third-party platforms)?
This “data map” makes everything else easier.
Step 2: Decide Your Lawful Purposes (And Stick To Them)
For each type of information, be clear on why you collect it and whether you really need it.
A simple rule that keeps you safe: collect what you need, and don’t use it for unexpected purposes.
Step 3: Put The Right Documents On Your Website
Most websites will need:
- a privacy policy linked in the footer
- collection notices near key forms (where appropriate)
- website terms (depending on your business model)
If you sell online or run a platform, your privacy setup often sits alongside your Website Terms And Conditions so expectations are consistent across the whole customer experience.
Step 4: Make Sure Your Marketing Practices Match Your Policy
If you send email marketing, make sure you’ve got:
- clear opt-in processes (where required)
- an unsubscribe function
- internal processes so you actually honour unsubscribes
Your privacy policy should reflect what you do in real life. If you say “we only send marketing with consent”, make sure your signup and email practices support that statement.
Step 5: Train Your Team (Even If It’s Just Two People)
Privacy compliance isn’t only “a website thing”. It’s an operations thing.
Make sure anyone who can access personal information understands:
- what they can use it for
- who they can share it with
- how to spot a privacy issue early
If you have staff handling customer enquiries or orders, their contracts and policies also matter. For example, a clear Employment Contract and internal confidentiality expectations can help reduce the risk of mishandling customer data.
Step 6: Have A Plan If Something Goes Wrong
Data incidents can happen to any business - a hacked mailbox, a misdirected email, a compromised password, or a lost device.
What matters is how quickly you respond and whether you have a calm, consistent process to follow.
Having a documented response plan (and knowing who is responsible for what) is one of the easiest ways to protect your business if an incident occurs.
Key Takeaways
- A website privacy policy isn’t explicitly required for every website in New Zealand, but if your site collects or uses personal information (which most do), you will usually need one to meet transparency expectations under the Privacy Act 2020.
- Personal information can include obvious details like names and emails, as well as online identifiers like IP addresses and cookie data collected through analytics and advertising tools.
- A good privacy policy should clearly explain what you collect, why you collect it, how you use and store it, who you share it with (including service providers), and how people can request access or correction.
- The biggest risk is often having a privacy policy that doesn’t match your actual practices, which can lead to customer complaints, reputation damage, and potential legal issues.
- Privacy compliance is easier when you take a practical approach: map your data collection, publish the right documents, align marketing practices, and prepare a plan for data incidents.
If you’d like help putting the right privacy documents in place for your website (or checking whether your current policy matches what your site actually does), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.