The accessibility of the online world has opened doors for businesses and their customers alike. However, operating online comes with its own set of rules and evolving best practices.
If your business has a website, then you want to ensure it’s fully compliant with the latest privacy laws. Adhering to the correct rules and regulations can save you from potential complaints and hefty penalties in the future.
What Is A Privacy Policy?
A Privacy Policy is your way of informing users that you are complying with the Privacy Act 2020 – which has been refined further in recent years to reflect modern data practices. Essentially, it assures anyone using your website that their information is protected and will not be misused, unless disclosed under exceptional circumstances.
Do I Need A Privacy Policy On My Website?
You might be legally required to have a privacy policy on your website depending on the nature of your business and the data you collect.
If your business is operating in New Zealand, you are generally required to have a privacy policy because you are classified as an agency under the Privacy Act. This remains true in 2025, especially as digital data becomes even more integral to commercial operations.
There are some exceptions to this rule:
- If you are a health service provider or your business handles sensitive health information;
- If you operate under a business model that specifically requires the collection of personal information;
- If you are engaged in a contract that involves the public sector.
The general rule is that if your business is collecting personal information from people – such as names, phone numbers, and addresses – you need to have a comprehensive Privacy Policy in place and adhere to all relevant privacy laws in New Zealand.
Therefore, if your website collects information, including emails, phone numbers, names, or addresses, then you must comply with these privacy obligations.
What Does A Privacy Policy Look Like?
A privacy policy is essentially a written statement that is displayed prominently on your website, ensuring it is easy for users to view and understand.
Your privacy statement should include your business name and contact details, along with clear information about the types of data you collect and how that data is processed.
This typically includes details such as:
- The specific types of information being collected;
- The purpose behind collecting this information;
- How the information will be stored and protected;
- How the information will be used;
- The consequences, if any, of not providing the information.
A robust privacy policy should also outline the procedure for handling complaints if a visitor believes their information has been misused, as well as explain how they can access and correct their data. For further guidance, you might wish to review our detailed guide on contract and policy review.
Ultimately, your privacy policy should be as transparent as possible, ensuring that customers or website users know exactly how you manage their information. If you’re still unsure, feel free to consult one of our privacy lawyers for expert assistance.
The Privacy Act
The Privacy Act is governed by twelve New Zealand Privacy Principles, which provide guidelines on the collection, transparency, protection, access, and accuracy of personal information. These principles are regularly updated – the latest revisions have been in effect since early 2024 to address new digital challenges.
The Act outlines the responsibility of your business to take reasonable steps to meet all of your obligations regarding website privacy, including secure data storage and secure online transactions, which are particularly crucial in today’s environment of increasing cyber threats.
The principles also detail the requirements for disclosing information overseas. Even if your business is based in New Zealand and is expanding globally, familiarising yourself with these practices is essential. For more insights, check our guides on compliance.
Is This Legally Enforceable?
The Office of the Privacy Commissioner (OPC) is tasked with enforcing compliance with the Privacy Principles. If your business is found to be in breach – especially if multiple breaches occur – the OPC has the authority to impose significant civil penalties.
GDPR
The EU General Data Protection Regulation (GDPR) remains a vital framework for online privacy for users based in the European Union. Even if you are based in New Zealand, should your business extend its services to the EU, compliance with the GDPR is mandatory.
Under the GDPR, a privacy policy must be transparent, accessible, easy to understand, and provided free of charge to all users. The regulation imposes stricter requirements, including details on data retention periods, data recipients, and disclosure of third parties who may receive data. The penalty for non-compliance can be severe – in 2025, fines have reached up to €20 million or 4% of global revenue, whichever is higher.
Even if your business does not plan to operate in the EU, using GDPR guidelines can enhance the robustness of your Privacy Policy by making it more detailed and protective of customer rights.
How Serious Are They?
Recent enforcement actions under the GDPR highlight its importance. For example, in 2025, regulators imposed a record fine on a major global retailer for mismanagement of cookie consent, prompting significant changes to its data practices. This demonstrates that privacy laws are taken very seriously worldwide – a precaution that all businesses should heed.
For additional context on compliance and avoiding penalties, check out our consumer guarantees guide.
What Other Policies Might I Need?
In addition to a Privacy Policy, several other policies can bolster your online compliance and protect your business. While not all may be legally mandatory, including them can enhance transparency and trust with your users.
Cookie Policy
Cookies store information about a user and their browsing history, so it is advisable to be transparent about their use by describing them in a dedicated Cookie Policy. This is an important aspect of ensuring online transparency.
Cyber Security Policy
A cyber security policy is essential for any business, particularly if your operations involve the handling of sensitive customer information such as personal details and credit card numbers. This policy outlines how you protect data from hackers and cyber threats. To explore more on safeguarding your business, see our regulatory compliance services.
Data Breach Response Plan
Once you have obtained someone’s personal information, you are responsible for keeping it secure. It is crucial to have a well-documented plan in place to manage any potential data breaches. A comprehensive Data Breach Response Plan details the steps to take immediately after a breach is identified, thereby reducing further risk.
Confidentiality Clauses
Including confidentiality clauses within your agreements is another layer of security. These clauses are binding and ensure that any sensitive information shared with third parties or internal employees is kept strictly confidential. For bespoke drafting advice, consider consulting one of our small business lawyers.
Where Do I Begin?
Ensuring the privacy of anyone visiting your website is paramount, especially when you are handling personal information. Start by crafting a Privacy Policy that not only meets legal obligations but also builds trust with your customers, complemented by supportive policies and response plans.
If you’re embarking on updating your privacy framework or need assistance reviewing your current policies, we’re here to help. You might also consider exploring our resources on business set up and contract drafting to ensure your legal documents are up to date in 2025. Our experts are ready to provide a free, no-obligation consultation – give us a call at 0800 002 184 or email [email protected].
Additionally, staying informed through our regular updates on legal tips and industry news can help you maintain compliance as regulations evolve. This proactive approach not only protects your business but also reinforces customer confidence in your dedication to data privacy.