Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a business, you’re probably communicating all day - with customers, suppliers, contractors and staff - across email, text, WhatsApp, Messenger, Slack, Teams and DMs.
It can be tempting to “just forward” a message to someone else to get a second opinion, resolve a dispute, prove what was said, or show a team member what to do next.
But sharing private messages without consent can create real legal risk for New Zealand businesses, even when your intentions are completely reasonable. Privacy law, confidentiality obligations, employment law, defamation risk, and basic customer trust can all be impacted.
Below, we’ll walk you through the main risks and what practical steps you can take to protect your business from day one.
What Counts As “Sharing Private Messages Without Consent” In A Business Context?
In practice, sharing private messages without consent usually means you disclose the contents of a message (or screenshot it) to someone who wasn’t meant to receive it, without the sender’s permission.
This can happen in lots of “normal business” situations, including:
- Forwarding a customer complaint (including their personal details) to a contractor or supplier for context.
- Screenshotting an employee’s DM and sending it to a manager or the wider team.
- Posting screenshots in a workplace group chat to “clear things up”.
- Sharing messages publicly on your business social media to defend your brand against negative reviews.
- Including screenshots in marketing as “testimonials” (even if names are blurred).
- Using a message thread as evidence in a dispute, claim, or complaint.
Sometimes sharing is necessary for legitimate business reasons. The legal risk usually comes down to:
- what information is in the message (especially personal information),
- who you share it with,
- whether the person would reasonably expect that sharing, and
- whether you have a lawful reason (including where disclosure is authorised or required) and have minimised the disclosure.
Which New Zealand Laws Can Apply When You Share Private Messages?
There isn’t one single “private messages law” in New Zealand. Instead, several legal areas can apply depending on the context and what you do with the message.
Privacy Act 2020 (Personal Information Handling)
The Privacy Act 2020 is often the biggest issue for businesses. If a message contains personal information (anything that identifies an individual, directly or indirectly), your business needs to handle it in line with the Information Privacy Principles (IPPs) - including limits on using and disclosing personal information (and the exceptions that can permit disclosure).
Common personal information in private messages includes:
- names, phone numbers, email addresses
- order details, addresses, payment-related information
- health information or personal circumstances (often included in customer complaints)
- employment-related complaints or performance issues
Sharing private messages without consent can become a privacy problem if you disclose personal information for a purpose the person wouldn’t reasonably expect, or you disclose more than you actually need. Even when consent isn’t strictly required (for example, where an exception applies), you should still aim to minimise what you share and keep it secure.
One of the easiest ways to reduce risk is to ensure your business has a clear Privacy Policy that explains what you collect, why you collect it, and when you might share it (for example, with service providers, delivery partners, software tools or advisers).
Confidentiality Obligations (Contract And Relationship-Based)
Even where privacy law isn’t clearly triggered, you may still have confidentiality obligations.
For example, if you share private messages between your business and a supplier, contractor, or client, you might be disclosing:
- pricing and commercial terms
- trade secrets or internal processes
- customer lists or operational information
- internal workplace matters
These can be protected by your contracts (like service agreements), NDAs, or implied confidentiality duties depending on the situation. The line between privacy and confidentiality matters, and it's worth understanding the difference so you don't accidentally treat them as the same thing.
Harmful Digital Communications Act 2015 (Where Sharing Causes Harm)
If private messages are shared online (or through digital channels more broadly) in a way that is seriously harmful, the Harmful Digital Communications Act 2015 can become relevant.
In general terms, the HDCA is aimed at harmful digital communications, and some remedies and offences have higher thresholds (for example, conduct that causes serious emotional distress). This risk is more likely where screenshots are posted publicly, used to embarrass someone, or shared widely without a genuine business reason. From a business perspective, this can quickly turn into a reputation crisis - as well as a legal one.
Defamation Risk (If The Message Suggests Someone Did Something Wrong)
Sharing a message can create defamation risk if the content (or your commentary when sharing it) implies a person did something dishonest, unlawful, unsafe, or unethical, and that allegation can’t be justified or defended.
This often comes up when businesses:
- post screenshots of “rude customers”
- publish DMs to “prove the truth” in a public argument
- share allegations about a former employee, contractor or supplier with others
Even if you believe you’re just defending your business, a public post can go much further than you intend - and it can be hard to undo once it spreads.
Employment Law (If Messages Involve Staff)
If the private messages involve employees, then employment law is often in the background too.
As an employer, you generally need to act in good faith and follow fair process, especially if the messages relate to performance management, misconduct, or workplace conflict. Sharing private messages in a way that humiliates an employee or undermines trust can increase the risk of personal grievances.
It’s also worth having clear internal rules for how staff communicate and what can be shared, particularly where personal accounts are used. A practical policy around employee social media use can help set expectations before problems happen.
Common Business Scenarios That Create Risk (And How To Handle Them)
Let’s make this practical. Here are a few common “real life” scenarios where sharing private messages without consent can get risky - and what you can do instead.
1. Sharing Screenshots Of Customer Messages To Defend Your Business Online
We get it - running a small business can feel personal, and unfair criticism can be incredibly frustrating. But posting screenshots of a customer’s messages (even if they started it) can create privacy and defamation risk, and it can also backfire reputationally.
Safer approach:
- respond without posting screenshots
- if you need to show proof, consider sharing privately with a trusted adviser
- if you absolutely must share, redact identifying details and share only what’s necessary (still not risk-free)
2. Forwarding Customer DMs Internally For Staff Training Or “Awareness”
If your team needs to know about a complaint or a tricky customer situation, you might forward a message thread so everyone has context.
The issue is that the thread may include extra personal information (addresses, phone numbers, sensitive context), and sending it widely internally may be more disclosure than you need.
Safer approach:
- share a summary instead of the full screenshots
- limit distribution to staff who need to know
- remove personal details where possible
- document your business purpose for sharing (especially in higher-risk situations)
3. Sharing Employee Messages With Other Staff
Workplace conflict sometimes arrives via text. A manager may receive a message from an employee complaining about another staff member, calling in sick, or raising a sensitive issue.
If that message is then shared with others in a way that feels punitive, it can escalate quickly.
Safer approach:
- treat staff messages as confidential HR material
- share only with decision-makers who need the information
- avoid “group chat justice” - handle issues through proper processes
Where your employment documentation is unclear, it’s also worth tightening your baseline documents (like an Employment Contract) and workplace policies so your expectations around communication and confidentiality are clear from day one.
4. Using Private Messages As Evidence In A Dispute
There are times when using messages as evidence is necessary - for example, to recover unpaid invoices, respond to a complaint, or deal with misconduct.
Even then, you should still consider privacy and confidentiality. The goal is usually to share the minimum amount needed with the right audience (for example, your lawyer, mediator, insurer, or the relevant authority).
Safer approach:
- don’t circulate evidence widely “just in case”
- keep the material secure and access-controlled
- if sharing externally, share only what is relevant
Privacy Compliance Tips For Businesses Handling Messages (Texts, DMs, Emails And Chat Logs)
If your business communicates via messages (and most do), it helps to treat those communications like any other business record that may contain personal information.
Here are practical steps you can take to reduce the risk of sharing private messages without consent.
Set Clear Rules On Who Can Access And Share Messages
Decide, document and communicate:
- who can access customer DMs and inboxes
- who can forward messages to suppliers/contractors
- how messages should be stored (and for how long)
- when messages must be escalated (for example, complaints, threats, suspected fraud, sensitive disclosures)
Minimise, Redact And De-Identify Where You Can
A great practical habit is to share “need-to-know” information only.
Before you forward or screenshot anything, ask:
- Can I summarise this instead of forwarding the whole thread?
- Can I remove names, phone numbers, addresses or order numbers?
- Am I sharing this with the smallest group possible?
Be Careful With Monitoring, Recording And Workplace Surveillance
Many businesses also use monitoring tools - call recording, CCTV, chat monitoring, device controls - to manage service quality and safety. These can be lawful, but they need to be implemented carefully and transparently.
If you record calls, the rules can get technical quickly, so it’s worth checking the practical guidance around business call recording before you roll out (or rely on) call recordings.
Similarly, if you use CCTV or other surveillance, you should be confident you’re doing it in a legally compliant way - including signage, purpose limitations and access controls. The same applies when thinking about whether cameras are legal in the workplace.
Train Staff On “What Not To Share”
Most privacy issues aren’t caused by bad intentions - they’re caused by rushed decisions, unclear rules, and “everyone does it”.
Staff training is one of the simplest ways to prevent problems, especially for team members who handle:
- customer support inboxes
- social media accounts
- bookings and enquiries
- complaints and disputes
A good internal rule of thumb is: if a message contains personal information, treat it like a customer file.
Have A Plan For Removing Shared Messages (Where Possible)
If a private message has been shared incorrectly, speed matters. You may need to request removal from platforms, ask staff to delete copies, and consider whether this is a notifiable privacy breach.
Customers may also ask you to delete information you hold. New Zealand doesn’t have an absolute “right to be forgotten” in the same way some other jurisdictions talk about it, but there are still rights and expectations around requesting correction and, in some cases, deletion or removal (depending on the circumstances and whether you’re required to retain the information). It’s helpful to understand how the right to be forgotten concept fits into privacy expectations and risk management.
What Policies And Contracts Help Reduce The Risk?
When you’re busy, it’s easy to treat “messages” as informal. But for a business, messages are often business records - and they can become evidence.
That’s why it’s smart to set the rules early, in writing.
Privacy Policy And Collection Notices
Your customer-facing privacy documents should clearly explain:
- what messages you collect (for example, enquiries, DMs, support tickets)
- why you collect them (customer service, bookings, dispute resolution, fraud prevention)
- who you might share them with (for example, delivery partners or contractors), and why
- how customers can request access or correction
For most businesses, the starting point is a properly drafted Privacy Policy that matches your actual business operations (not a generic template).
Employment Contracts And Workplace Policies
If your staff are messaging customers or each other, your internal documents should cover:
- confidentiality obligations during and after employment
- rules on taking screenshots and sharing internal communications
- appropriate use of messaging apps and social media
- processes for customer complaints and sensitive communications
Even a small team benefits from having a strong foundation in place, starting with an Employment Contract and clear policies that reflect how you actually operate.
Customer And Contractor Agreements
If you work with contractors (for example, VA support, marketing agencies, IT providers or delivery contractors), they may have access to your inboxes and messages.
Your agreements should address:
- confidentiality
- what information they can access and use
- security standards (passwords, device controls, access removal)
- what happens if there’s a breach or accidental disclosure
This isn’t about overcomplicating things - it’s about being clear, so your business is protected if something goes wrong.
Key Takeaways
- Sharing private messages without consent can expose your business to privacy complaints, confidentiality disputes, employment issues and reputational damage.
- The Privacy Act 2020 often applies where messages contain personal information, especially if you disclose more than needed or share for an unexpected purpose (and you should always check whether any permitted disclosure exception applies and keep sharing to a minimum).
- Publicly posting screenshots to “defend your business” can increase risk, including potential defamation issues and harmful digital communications concerns (particularly where harm is serious and the sharing is widespread or targeted).
- Reduce risk by limiting access, sharing on a need-to-know basis, redacting personal information, and training staff on what should never be forwarded or screenshotted.
- Strong legal foundations help - including a properly tailored Privacy Policy, clear workplace rules, and contracts with any third parties who access your communications.
- If you’re dealing with a sensitive situation (like an employee issue or a serious customer complaint), get advice early so you don’t accidentally create a bigger problem by trying to solve it quickly.
If you’d like help reviewing your privacy practices, drafting a Privacy Policy, or putting the right workplace policies and contracts in place, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.






