Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Marketing emails can be one of the most cost-effective ways to grow a small business in New Zealand. You can keep customers in the loop, promote new products, and build repeat sales without relying on big advertising budgets.
But there's a catch: marketing emails are heavily tied to privacy and anti-spam rules. If you get it wrong, you can annoy customers, damage your brand, and in some cases expose your business to complaints and enforcement action.
The good news is that compliance doesn't have to be complicated. Once you understand the core rules (consent, identification, unsubscribe, and safe data handling), you can send marketing emails with confidence.
Below, we break down what New Zealand small businesses need to know about marketing emails under the Privacy Act 2020 and the Unsolicited Electronic Messages Act 2007 (UEMA), plus practical steps you can implement straight away.
What Counts As "Marketing Emails" (And When Do The Rules Apply)?
In practice, "marketing emails" usually means any email you send to promote your business, products, or services, or to encourage an action that benefits your business.
This can include:
- Newsletters promoting new products or services
- Discount codes, sales announcements, or "limited time" offers
- Abandoned cart reminders (if they contain promotional content)
- Re-engagement emails ("We miss you, come back for 10% off?")
- Referral or loyalty programme promotions
- Event invitations where the purpose is business promotion
Some emails are less "marketing" and more "service or relationship" emails. These include order confirmations, invoices, shipping updates, security notifications, or product recall notices. These types of emails are often outside the core anti-spam rules where they are purely transactional (because they're not primarily promotional). However, if you add promotional content, they may become a "commercial electronic message" and trigger UEMA requirements. Either way, you still need to handle customer contact details in line with privacy law.
A key thing to keep in mind: you can't avoid the legal rules just by calling a message "informational" if the real purpose is to promote your business. Regulators look at substance, not labels.
What Does The Unsolicited Electronic Messages Act Require For Marketing Emails?
The Unsolicited Electronic Messages Act 2007 (UEMA) is New Zealand's key anti-spam law. It applies to "commercial electronic messages", which includes many marketing emails.
When you send marketing emails, UEMA mainly focuses on three non-negotiables:
- Consent (you generally need permission to send marketing emails)
- Identification (your emails must clearly identify who is sending them)
- Unsubscribe (every marketing email must include a functional way to opt out)
Consent: The Foundation Of Compliant Marketing Emails
Under UEMA, you must not send unsolicited commercial electronic messages. In plain terms, you need consent.
Consent can come in a few forms, and it matters how you obtained it:
- Express consent: the person actively agrees (for example, they tick a sign-up box or complete a subscription form).
- Inferred consent: consent can be inferred from an existing relationship and the person's conduct (for example, a customer gives you their email during a purchase and it's reasonable they'd expect follow-up about similar products).
- Deemed consent: in limited cases, consent may be treated as given (for example, where a person has conspicuously published their work email and they haven't said "no marketing", and your message is relevant to their role).
For small businesses, the safest option is usually express consent, because it's clear, recordable, and easier to defend if a complaint is made.
Also be careful with "bundled consent" (where someone has to agree to marketing to access something else). If you're relying on a sign-up form, keep it clear and specific, and don't make it confusing for customers to say no.
Identification: Make It Clear Who You Are
Your marketing emails must clearly identify your business. In practice, that means your email should include:
- Your business name (and trading name if relevant)
- Contact details (such as a physical address, email address, or phone number)
- Any other information a recipient would need to easily understand who is contacting them
This isn't just a legal formality. Clear identification builds trust and reduces spam complaints.
Unsubscribe: It Must Be Easy, And It Must Work
Every marketing email must include a functional unsubscribe facility. The unsubscribe process should be:
- Clear: easy to find and understand (no hiding it in tiny font)
- Easy to use: ideally one click, or a simple reply-to unsubscribe option
- Reliable: it must actually work
Under UEMA, the unsubscribe facility must remain functional for at least 30 days after the message is sent. Once a person unsubscribes, you also need to stop sending them marketing emails within the required timeframe (generally within 5 working days), and you shouldn't keep emailing them "just in case".
A common trap for small businesses is having multiple lists across different tools (for example, an online store list and a separate newsletter list) and unsubscribes not syncing properly. If you're sending marketing emails, you need a system you can rely on.
How The Privacy Act 2020 Affects Your Marketing Emails
Even if your marketing emails comply with UEMA, you still need to handle customer data lawfully under the Privacy Act 2020. Email addresses are "personal information" when they identify (or could identify) an individual.
From a small business perspective, privacy compliance usually comes down to:
- Collecting email addresses in a fair and transparent way
- Only using email addresses for purposes people would reasonably expect (or you've told them about)
- Keeping your mailing list secure
- Letting people access or correct their information if requested
- Having a plan if something goes wrong (like a data breach)
Most businesses that send marketing emails should also have a clear Privacy Policy that explains what information you collect, why you collect it, how you use it (including for marketing), and who you share it with (for example, email marketing platforms).
Collection: Tell People What You're Doing
If you're collecting emails at checkout, through lead magnets, or via sign-up forms, your customers should understand:
- That you're collecting their email address
- What you'll use it for (including whether you'll send marketing emails)
- Whether you'll share it with any third parties (like marketing platforms)
Many businesses use a short privacy statement at the point of collection plus a link to their full privacy policy. If you want something more formal (especially if you're collecting information in a structured way), a Privacy Collection Notice can help make your intentions clear.
Use And Purpose: Don't Drift Beyond What's Reasonable
A classic privacy risk is "purpose drift". That's when you collected an email address for one reason (like fulfilling an order), then later start using it for broader marketing emails without the customer reasonably expecting that.
If you want to market to existing customers, you should still think carefully about:
- What you told them at the time you collected the email
- Whether your marketing is related to what they purchased (and how recent it was)
- Whether they had a simple way to opt out
When in doubt, getting express opt-in consent is usually the cleaner approach.
Security: Protect Your Mailing List Like A Business Asset
Your mailing list is valuable, but it's also a privacy risk if it's mishandled. The Privacy Act expects businesses to take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure.
Practical steps that are often considered "reasonable" for small businesses include:
- Using strong passwords and enabling multi-factor authentication on your email marketing platform
- Restricting staff access to only those who need it
- Training staff on phishing and account security
- Being careful with exports (for example, not downloading CSV lists onto personal devices)
- Having a documented process for responding to incidents
If your business ever experiences a privacy incident, you may need to consider whether it's a notifiable privacy breach. Having a Data Breach Response Plan can save you a lot of time (and stress) when you're trying to respond quickly.
How To Get Consent The Right Way (Without Killing Conversions)
A lot of small businesses worry that strict consent rules will slow growth. In reality, the best-performing email lists are usually built on clear opt-ins, because subscribers actually want to hear from you.
Here are practical ways to collect compliant consent for marketing emails:
1) Use Clear Opt-In Language
At the point of sign-up, spell out what the person is signing up for. For example:
- "Send me your weekly updates and special offers."
- "I'd like to receive marketing emails about new products and promotions."
Keep it specific. If you send different types of marketing emails (newsletters, product drops, events), consider giving people options to choose what they receive.
2) Avoid Pre-Ticked Boxes
Pre-ticked boxes are risky. They can create disputes about whether someone truly consented, and they often lead to more unsubscribes and spam complaints anyway.
3) Consider Double Opt-In For Higher-Risk Lists
A double opt-in process (where someone signs up, then confirms via email) can help you prove consent and reduce the risk of fake or incorrect sign-ups. It's not always necessary, but it can be a smart move if you're in a space where complaints are more likely or the audience is sensitive.
4) Keep Records Of Consent
If you ever receive a complaint, you'll want to show how and when you obtained consent.
Records might include:
- The date/time of sign-up
- The sign-up source (checkout, form, lead magnet)
- The wording shown at the time
- Any confirmation records (if using double opt-in)
This is one of those "set it up from day one" steps that can save major headaches later.
Common Marketing Email Compliance Mistakes Small Businesses Make
Most issues we see aren't caused by bad intentions. They usually happen because a business grows quickly and the systems don't keep up.
Here are some common marketing email mistakes to watch for:
- Buying email lists: this is a fast way to trigger spam complaints and consent issues. If you can't prove consent, you're on the back foot straight away.
- Assuming "customer = consent forever": even if someone bought from you once, it doesn't automatically mean you can market to them indefinitely, especially if time has passed or your marketing is unrelated to what they bought.
- Unsubscribe that doesn't work: broken links, log-in requirements, or "email us to unsubscribe" approaches can create legal and reputational risk.
- No clear sender identity: vague "no-reply" messages with no business details can look spammy and may not meet identification requirements.
- Poor internal controls: staff members exporting lists, using personal devices, or sharing passwords makes it easier for data leaks to happen.
- Collecting more data than you need: if you're only emailing a newsletter, you probably don't need a customer's date of birth, home address, and job title.
If you're working with contractors or external marketers to manage campaigns, it's also worth thinking about your agreements and responsibilities (especially where customer data is involved). Depending on the setup, you might need to formalise the relationship and data handling expectations through a Data Processing Agreement.
Practical Compliance Checklist For Sending Marketing Emails In NZ
If you want a simple way to sanity-check your marketing emails, here's a practical checklist you can work through.
Before You Send
- You can explain how you obtained consent (or why consent is inferred/deemed).
- Your sign-up forms and checkout pages clearly explain marketing use (where relevant).
- Your customer database or email list is stored securely with access controls.
- You have a written privacy position (usually a Privacy Policy) that reflects what you actually do.
In Every Marketing Email
- Your business name is clearly shown.
- Contact details are included (or easy to locate).
- An unsubscribe link or unsubscribe method is clear and functional.
- The unsubscribe process is simple (no unnecessary steps).
After Someone Unsubscribes
- You remove them from marketing sends within the required timeframe (generally within 5 working days).
- You ensure they're unsubscribed across all marketing lists (not just one segment).
- You keep a suppression list if needed (so you don't accidentally re-add them).
If your business is scaling and you're starting to handle larger volumes of customer information, it may also be worth tightening your internal privacy practices with policies and processes (for example, an Information Security Policy), so everyone in your team handles marketing data consistently.
Key Takeaways
- Marketing emails in New Zealand are mainly regulated by the Unsolicited Electronic Messages Act 2007 (consent, clear sender identification, and a working unsubscribe).
- The Privacy Act 2020 still applies to marketing emails because email addresses are personal information, so you need to collect, use, store, and disclose them in a lawful and transparent way.
- Express consent (clear opt-in) is usually the safest and simplest approach for small businesses sending marketing emails at scale.
- Every marketing email should clearly show who your business is and include an easy unsubscribe that works in practice, not just on paper (including staying available for at least 30 days).
- Good privacy habits (secure systems, limited access, and clear documents like a Privacy Policy) help you stay compliant and protect customer trust as you grow.
If you'd like help getting your marketing emails compliant, including putting the right privacy documents in place (and making sure your sign-up and unsubscribe processes are legally sound), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


