Legal Compliance And Ethics In Data Collection For NZ Businesses

By Alex Solo, 10 min read

If you run a small business in New Zealand, chances are you’re collecting data every day - customer enquiries, online orders, email sign-ups, CCTV footage, loyalty program details, and even staff records.

That’s great for growing your business, but it also comes with legal responsibilities. Getting your data collection compliance settings right from day one can help you build customer trust, avoid complaints, and reduce the risk of costly privacy breaches.

In this guide, we’ll walk through what “data collection compliance” means in practice for NZ businesses, which laws you need to know, and the ethical considerations that can help you stay on the right side of your customers (and regulators) as your business grows.

Note: This article provides general information only and doesn’t take into account your specific circumstances. It isn’t legal advice.

What Does “Data Collection Compliance” Mean In Practice?

Data collection compliance is about collecting, using, storing, and sharing personal information in a way that meets your legal obligations - and in a way that’s fair and transparent to the people you collect it from.

For most small businesses, this isn’t about doing anything complicated. It’s usually about getting the basics right and documenting your approach so your team handles data consistently.

What Counts As Personal Information?

Under the Privacy Act 2020, “personal information” broadly means information about an identifiable individual.

Common examples include:

  • name, email address, phone number
  • delivery address and billing details
  • order history and service history
  • photos or videos of a person (including CCTV)
  • IP addresses and device identifiers (often personal information in practice, especially when linked to a customer profile)
  • staff information (like payroll details, performance notes, emergency contacts)

Some personal information is also considered sensitive (for example, health information), and collecting it generally requires extra care.

Why “Compliance” Is More Than Just A Privacy Policy

A Privacy Policy is a key piece of your compliance puzzle - but it’s not the whole picture.

Real compliance usually includes:

  • collecting only what you genuinely need (not “nice to have” data)
  • being clear with customers about why you’re collecting it and what you’ll do with it
  • keeping it secure and limiting who can access it
  • having a plan if something goes wrong (like a breach)
  • making sure your contractors and software providers handle data appropriately too

Think of it like health and safety: a policy is important, but your everyday practices are what really protect you.

Which NZ Laws Matter Most For Data Collection Compliance?

There isn’t just one “data law” in New Zealand. Your obligations usually come from a mix of privacy, consumer, employment, and marketing rules - depending on how you collect and use information.

Privacy Act 2020 (The Big One)

The Privacy Act 2020 is the main law governing how businesses handle personal information in NZ. It’s built around “privacy principles” that cover:

  • purpose - only collect information if you need it for a lawful business purpose
  • source and transparency - collect from the person where reasonable, and let them know what’s happening
  • storage and security - protect information from loss, unauthorised access, misuse, or disclosure
  • access and correction - individuals generally have rights to access and request corrections
  • retention - don’t keep information for longer than you need it
  • disclosure - don’t share it unless it’s permitted and aligns with the reason you collected it

If you’re aiming to improve your approach to data collection compliance, this is the framework you’re working within.

Marketing Rules (Email, SMS, And Direct Marketing)

If you send promotional emails or texts, you also need to think about anti-spam requirements and fair marketing practices.

In practice, that often means:

  • only messaging people when you have a proper basis to do so (for example, consent, inferred consent, or another permitted basis under the applicable marketing rules)
  • making it easy to unsubscribe
  • being honest and accurate in your advertising (which also ties into the Fair Trading Act 1986)

Even if your marketing feels “light touch”, your compliance can fall over quickly if your sign-up forms don’t match what you actually do with customer details.

Employment Privacy (Staff Data Collection)

Many privacy issues in small businesses come from staff management - not customers. If you’re collecting employee personal information, you should be clear about what you collect, why you collect it, and who can see it.

This might include:

  • job applications and reference checks
  • timesheets, leave records, payroll
  • performance management notes
  • workplace monitoring and device usage logs

It can be helpful to set expectations in writing, especially if you use workplace systems like email, messaging apps, or monitored devices. A tailored Employee Privacy Handbook can help you set those boundaries in a clear (and fair) way.

CCTV, Monitoring, And Call Recordings

Collecting data isn’t always a form on a website - it can also be recording people in the real world.

  • If you use CCTV for theft prevention or safety, you should consider whether cameras in the workplace are being used in a reasonable and transparent way.
  • If you record customer calls (for training, quality, or dispute management), you should understand the call recording laws and how to notify callers appropriately.

These areas often raise ethical concerns too - even when they’re technically legal - because they directly affect people’s expectations of privacy.

How Can You Collect Data Ethically (Not Just Legally)?

Legal compliance is the baseline. Ethical data collection is how you build trust, reduce complaints, and protect your brand long-term.

A simple way to think about ethics is: Would a reasonable customer be surprised by what we’re collecting or how we’re using it?

1) Data Minimisation (Collect Less, Protect More)

One of the easiest wins for data collection compliance is collecting less personal information in the first place.

For example:

  • If you only need an email to send a receipt, don’t also require a phone number.
  • If you’re running a giveaway, don’t ask for date of birth unless you genuinely need age verification.
  • If you’re collecting dietary requirements for a catered event, don’t keep those details forever.

Less data means less risk, less storage overhead, and fewer awkward conversations if a customer asks why you collected something.

2) Meaningful Consent

Consent should be clear, informed, and freely given - not buried in tiny text or bundled into a take-it-or-leave-it box that doesn’t match what the customer expects.

In practice, this means:

  • using plain language at the point of collection
  • separating “necessary” data from optional marketing consent
  • avoiding pre-ticked boxes for marketing where possible

Consent can be especially important if you’re collecting information that feels more sensitive (like health-related information) or using data for profiling/analytics that materially affects customers.

3) Transparency With Cookies And Tracking

If you collect data through your website, you’ll want to think about cookies, analytics tools, and tracking pixels. Even if you’re not “selling data”, tracking can still be personal information in context.

From a practical perspective, your website should clearly explain what tracking is in place and why. Depending on your website setup (and the type of tracking you use), a cookie pop-up and/or a cookie policy can help you stay transparent with users.

4) Fairness (Don’t Use Data In Ways That Feel Creepy)

Sometimes the fastest way to damage trust is to use data in a way that feels overly intrusive - even if it’s arguably permitted.

Examples that often create problems:

  • collecting customer data for one purpose, then using it for a different unrelated purpose
  • uploading customer contact lists into advertising platforms without a clear basis
  • over-monitoring staff in a way that feels disproportionate to the risk you’re trying to manage

If you’re ever unsure, it’s usually worth stepping back and asking: “Is this reasonable for our business size and customer expectations?”

What Are The Biggest Risk Areas For Small Businesses?

Most privacy problems aren’t caused by “bad actors” - they happen when a business grows quickly, adds new tools, hires new team members, or starts marketing more actively without updating its processes.

Here are a few common pressure points to watch.

Collecting Data Through Third Parties (Apps, CRMs, Booking Platforms)

Small businesses often rely on software providers to handle bookings, payments, newsletters, customer support tickets, and more.

That’s normal - but from a data collection compliance perspective, you should still know:

  • what information the tool collects on your behalf
  • where it’s stored (including offshore storage)
  • who can access it internally
  • what happens if you stop using the platform

If a service provider will handle personal information for you, it can be worth putting the right contractual protections in place, such as a Data Processing Agreement where appropriate.

Security Practices That Haven’t Kept Up With Growth

In early stages, it’s common to do everything yourself - including managing customer lists, spreadsheets, and inboxes. But as you hire staff or contractors, the risk of accidental disclosure increases.

Some practical steps that support data collection compliance include:

  • using role-based access (not everyone needs access to everything)
  • multi-factor authentication on key accounts
  • password managers instead of shared passwords
  • secure disposal of old devices
  • training your team to spot phishing attempts

Website Forms And “Invisible” Collection

It’s easy to focus on what customers type into your form, but don’t forget what’s collected in the background - like IP addresses, device identifiers, and behavioural data.

This is where an Acceptable Use Policy can also be useful, particularly if you operate a platform, community space, or account-based service where users interact with your systems.

A Practical Data Collection Compliance Checklist (What To Put In Place)

If you want a simple, business-owner-friendly way to approach data collection compliance, start with the following building blocks. You don’t need to do everything overnight - but you should know where your gaps are.

1) Map What You Collect And Why

Start with a basic list:

  • What personal information do you collect? (customers, leads, suppliers, staff)
  • Where do you collect it? (website, email, in-store, phone calls, CCTV)
  • Why do you collect it? (sales, delivery, support, safety, marketing)
  • Where is it stored? (inbox, spreadsheets, CRM, accounting software)
  • Who has access? (you, staff, contractors)

This step alone often reveals quick fixes - like forms collecting unnecessary data or staff having access to data they don’t need.

2) Put The Right Customer-Facing Disclosures In Place

At a minimum, many businesses benefit from having:

  • a clear Privacy Policy on the website
  • collection notices at the point of collection (for example, on forms or sign-up pages)
  • clear opt-in wording for marketing
  • cookie disclosures where appropriate, including considering whether you need cookie pop-ups

The key is that what you say publicly should match what you actually do internally.

3) Set Internal Rules For Staff And Contractors

Policies and training help prevent “unforced errors”, like forwarding customer information to personal email accounts or downloading data onto unsecured devices.

This is also where your employment documents matter. For example, confidentiality and data-handling expectations are commonly reinforced through a well-drafted Employment Contract and internal privacy guidance.

4) Have A Data Breach Plan Before You Need It

Even with strong security, breaches can still happen (for example, an employee clicks a phishing link, or a laptop is stolen). Under the Privacy Act 2020, some privacy breaches may need to be reported to the Office of the Privacy Commissioner and affected individuals.

Having a plan reduces panic and helps you respond quickly. Many businesses implement a Data Breach Response Plan so the steps are clear if the worst happens.

5) Review Your Approach As Your Business Changes

Your compliance setup shouldn’t be “set and forget”. It should evolve as you:

  • add new marketing channels
  • hire staff or contractors
  • launch a new product or subscription model
  • expand into new regions
  • introduce CCTV, call recording, or new tracking tools

A good habit is to schedule a regular check-in (for example, every 6–12 months) to confirm your data collection compliance still fits what your business is doing.

Key Takeaways

  • Data collection compliance isn’t just a box-ticking exercise - it’s about collecting, using, storing, and sharing personal information in a way that’s lawful, secure, and transparent.
  • Most NZ businesses need to comply with the Privacy Act 2020, and may also need to consider marketing rules, employment privacy obligations, and monitoring rules (like CCTV and call recording).
  • Ethical data collection helps you build trust: collect less, be clear about purpose, avoid surprise uses, and make consent meaningful.
  • High-risk areas for small businesses include third-party software providers, outdated security practices, and website tracking that isn’t properly disclosed.
  • Strong foundations usually include a privacy policy, clear collection notices, internal staff guidance, secure access controls, and a data breach response plan.
  • If you’re unsure what you need for your particular business model, it’s worth getting advice - privacy obligations can be very context-specific.

If you’d like help setting up your data collection compliance (including your Privacy Policy, internal policies, and contracts), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
