Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
- Is It Illegal To Record A Child Without Consent In New Zealand?
Practical Compliance Steps: How To Protect Your Business From Day One
- 1. Be Clear On Your Purpose Before You Record
- 2. Give Notice (Even If You’re Not Asking For Consent)
- 3. Separate “Service” Consent From “Marketing” Consent
- 4. Tighten Storage, Access, And Retention
- 5. Have Clear Contracts With Anyone Creating Content For You
- 6. Don’t Forget Your Website Terms And Online Processes
- Key Takeaways
If you run a small business, there’s a good chance you’ll come across situations where children appear in photos or recordings.
Maybe you’re filming content for social media, running a school holiday programme, taking customer photos at an event, installing CCTV, or collecting customer testimonials.
This is where things can get tricky: even when you have a completely innocent reason for filming or photographing, recording or photographing a child without consent can raise serious privacy, safety, and reputational risks for your business.
Below, we’ll walk through how New Zealand privacy law and related rules generally apply, when consent matters (and what “good” consent looks like), and what practical steps you can put in place so you’re protected from day one.
Is It Illegal To Record A Child Without Consent In New Zealand?
In many everyday business scenarios, recording a child without consent isn’t automatically “illegal” in a criminal sense.
But that doesn’t mean it’s risk-free.
In New Zealand, the key legal framework businesses need to think about is the Privacy Act 2020. If your business is collecting images, video, or audio that identify a child (or make them reasonably identifiable), you are usually collecting personal information.
That means the Privacy Act can apply, including the Information Privacy Principles (IPPs), which cover things like:
- Whether you’re allowed to collect the information (you should have a lawful, necessary reason for doing it);
- How you collect it (it should be fair and not unreasonably intrusive);
- What you tell people (you often need to be transparent about what you’re doing and why);
- How you store and protect it (security is a big deal, especially for children’s information); and
- How you use and disclose it (e.g. sharing online is very different to keeping footage only for safety).
There can also be other legal issues depending on the circumstances, such as:
- Criminal law (for example, if the recording is an “intimate visual recording”, involves covert filming in a private setting, or is used to harass or harm someone);
- Employment law (if the recording is in a workplace, or your staff are filming as part of their role);
- Contract and consumer issues (what you promised customers about privacy in your terms, policies, enrolment forms, or sign-up process).
So the practical takeaway is: recording a child without consent can be lawful in some contexts, but it can also still breach privacy obligations (or create a complaint risk) if it’s done without proper notice, a proper purpose, and strong safeguards.
When Does Recording Or Photographing A Child Become A “Privacy” Issue For Businesses?
From a business perspective, the big question isn’t just “did we get consent?”
It’s more like: are we collecting personal information, and are we handling it properly?
Images, video, and audio can all be personal information if the child is identifiable. “Identifiable” can include:
- their face is visible (even briefly);
- their voice is recorded;
- their school uniform or name tag appears;
- a caption, tag, or sign-in sheet links the footage to a specific child; or
- context makes it obvious who they are (e.g. “Sam’s 7th birthday at our venue”).
Common business scenarios where privacy issues come up include:
CCTV And Security Footage
CCTV is usually installed for legitimate reasons like preventing theft, keeping staff safe, or investigating incidents. That purpose often makes sense for a business.
But if your cameras capture children (for example, in a retail store, café, leisure venue, after-school programme, gym, or medical practice), you should still think about transparency, signage, retention periods, who can access the footage, and whether the footage is being used for anything beyond safety.
If you’re thinking about cameras at your premises, it’s worth also checking your broader workplace approach, including are cameras legal in the workplace, because the same concepts around purpose, notice, and fairness often carry across.
Marketing Content And Social Media
This is where businesses often get caught out.
Filming a fun “behind the scenes” reel, photographing a busy event, or posting a customer testimonial video can all unintentionally include children.
Even if filming happens in a public-facing space, posting the content online changes the risk profile. You’re no longer just “collecting” the information-you’re disclosing it to an audience you can’t fully control.
Customer Feedback, Reviews, And Testimonials
It might feel harmless to share a happy customer story (especially for family-focused businesses), but if a child appears in a review photo or video, you should treat it carefully. The child can’t usually provide informed consent on their own, and parents may later change their mind about online exposure.
Call Recordings And Audio Recordings
Some businesses record calls for training, compliance, or quality assurance. If a child is speaking on the call, you may be recording personal information about them too.
If call recording is part of your operations, keep your privacy messaging and procedures aligned with business call recording laws in New Zealand.
Do You Need Parental Consent To Record Or Photograph A Child?
Consent is not the only legal basis for collecting personal information under the Privacy Act, but for many businesses it’s the cleanest and safest approach when children are involved-especially for marketing.
As a practical rule:
- If the recording is for marketing or public-facing use (website, social media, brochures), you should generally aim to get express, informed consent from a parent or guardian.
- If the recording is for safety or security (like CCTV), you may not need express consent every time, but you should still use clear notice and good privacy practices.
It’s also worth remembering that “consent” can be more complicated when a child is involved. In practice, whether a child can consent depends on their age and maturity, and on whether they understand what they’re agreeing to (especially where the content might live online indefinitely).
So, for small businesses, the low-risk approach is usually:
- get parent/guardian consent for identifiable marketing content; and
- also respect the child’s comfort and dignity (even if a parent says yes, forcing a child to be filmed is a bad idea and can create complaints).
What Counts As “Good” Consent?
Consent is much more than a casual “is this okay?”
For consent to be useful (and defensible if there’s a complaint), it should generally be:
- Informed: you explain what you’ll record, why, and where it might be used (including social media platforms);
- Specific: consent to appear in a private customer file isn’t the same as consent to be featured in an ad campaign;
- Freely given: no pressure, and ideally no “take it or leave it” when the recording isn’t necessary to provide the service;
- Documented: you keep a record (form, email, checkbox with clear wording, etc.); and
- Easy to withdraw: parents should have a practical way to change their mind and ask you to stop using the content (keeping in mind you may not be able to claw back what’s already been shared widely, but you can remove it from your channels).
This is also why having a clear Privacy Policy and a collection notice process matters-it helps you show you’ve been upfront about what you do with personal information.
Common High-Risk Situations (And How To Avoid Them)
Most privacy complaints don’t come from businesses trying to do the wrong thing. They come from businesses moving fast, wearing too many hats, and not realising how a “normal” piece of content could be perceived.
Here are a few situations that tend to create real risk for businesses when it comes to recording a child without consent.
1. Posting Footage Online Without A Clear Plan
If you film in-store or at an event and upload the video later, you might not have a clear record of who appears in the footage, whether consent was obtained, or whether a parent asked not to be filmed.
How to reduce risk:
- Set a rule: no identifiable children on social media unless consent is recorded and file-noted.
- Use visual cues: wristbands, lanyards, or a simple system to mark “okay to film” participants for certain events.
- Use editing: blur faces, avoid showing name tags, and cut audio where children speak.
2. Recording In Sensitive Settings
If your business operates in a context that’s inherently sensitive (health services, counselling, disability support, childcare, tutoring), even a well-intentioned photo can feel intrusive.
In these industries, you’re more likely to be dealing with information that is sensitive in nature, and expectations of privacy are higher.
How to reduce risk:
- Only collect what you genuinely need for the service.
- Limit staff access to recordings and set strict retention periods.
- Use written consent forms that separate “service delivery” from “marketing”.
3. Using CCTV For Anything Other Than Security
A common mistake is using CCTV footage for purposes beyond why it was installed. For example, using footage to create promotional content or “funny moments” posts is a big red flag.
How to reduce risk:
- Clearly define your CCTV purpose (security, safety, incident investigation).
- Put up clear signage and keep access restricted.
- Don’t repurpose CCTV footage for marketing unless you have a strong legal basis and express consent (and even then, consider whether it’s appropriate).
4. Staff Filming Customers On Their Personal Phones
Even if staff are filming “for the business”, using personal devices can blur boundaries. It can also make it much harder to control where the content goes, who keeps copies, and whether it’s deleted when you need it deleted.
How to reduce risk:
- Create a clear policy: if filming is part of the job, it must be done on business-controlled accounts/devices.
- Train staff on what can and can’t be recorded.
- Back it up with a properly drafted Employment Contract and workplace policies that cover privacy and acceptable conduct.
Practical Compliance Steps: How To Protect Your Business From Day One
If you want to reduce the risk of a privacy complaint (or a social media backlash), you need more than “we meant well”. You need systems.
Here’s a simple, business-friendly checklist to build into your operations.
1. Be Clear On Your Purpose Before You Record
Ask yourself:
- Why are we recording or photographing?
- Is it necessary for that purpose?
- Could we achieve the same goal without identifying children?
This aligns with privacy law expectations that collection should be connected to a legitimate business function and not be excessive.
2. Give Notice (Even If You’re Not Asking For Consent)
For CCTV or general filming at events, clear notice can be crucial.
Notice can look like:
- signage at entrances (“CCTV in operation” / “Filming and photography may occur at this event”);
- a sentence in your booking confirmation emails;
- a short notice on your website checkout page; or
- a verbal announcement at the start of an event.
Notice helps people make informed choices (for example, avoiding certain areas or asking your staff not to film their child).
3. Separate “Service” Consent From “Marketing” Consent
If you run classes, programmes, or services for children, don’t bundle everything into one vague permission statement.
Instead, consider separate tick boxes, such as:
- permission to take photos for internal records;
- permission to share photos with parents privately (e.g. via a secure portal); and
- permission to use photos for marketing (social media/website).
This is where a tailored consent form and privacy wording can make a big difference.
4. Tighten Storage, Access, And Retention
Recording children creates an extra layer of responsibility. You should think carefully about:
- Storage: are files kept in secure systems, or sitting on phones/laptops?
- Access: who can view, download, and share the recordings?
- Retention: how long do you keep footage, and why?
- Deletion: how do you actually delete the content when required?
If your team is collecting personal information regularly, an internal privacy process (and sometimes a broader policy framework) is a smart move. This often sits alongside a website-facing Privacy Collection Notice, so customers and parents know what’s happening upfront.
5. Have Clear Contracts With Anyone Creating Content For You
If you hire photographers, videographers, marketing contractors, or social media managers, you want clarity around:
- who owns the footage;
- where it can be stored;
- what happens if consent is withdrawn;
- confidentiality and privacy expectations; and
- who is responsible if something goes wrong.
Often this is handled through a properly drafted Service Agreement with privacy-friendly clauses built in.
6. Don’t Forget Your Website Terms And Online Processes
If you accept online bookings, sign-ups, or run an online community where customers upload images (including images of their children), make sure your website documents match your actual practices.
Depending on your business model, this may include Website Terms and Conditions that clearly deal with user content, permissions, and what happens if content needs to be removed.
Key Takeaways
- Recording or photographing a child without consent isn’t always automatically illegal, but for businesses it can still trigger obligations under the Privacy Act 2020 (and create major reputational risk if handled poorly).
- If a child is identifiable in a photo, video, or audio recording, your business is likely collecting personal information and should handle it transparently, fairly, and securely.
- For marketing and public-facing content, getting express parent/guardian consent is usually the safest approach, and consent should be informed, specific, and documented.
- CCTV and security recording may be permitted without express consent in many contexts, but you should still use clear notice, limit access, and avoid using footage for unrelated purposes.
- High-risk areas include filming for social media, recording in sensitive settings, storing content on staff personal devices, and repurposing footage beyond its original purpose.
- Strong privacy foundations (privacy policy, collection notices, internal processes, and clear contracts) help protect your business from day one and reduce the chance of complaints.
If you would like help setting up privacy-friendly consent wording, policies, or contracts that fit how your business actually operates, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.
