Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, you’re probably collecting more personal information than you realise.
Even something as simple as taking online bookings, sending invoices, running a mailing list, or having CCTV at your premises can trigger obligations under New Zealand privacy laws.
The good news is that privacy compliance doesn’t have to be overwhelming. Once you understand what counts as “personal information”, what the Privacy Act 2020 expects, and what practical steps you should take, you’ll be able to build trust with customers and reduce the risk of complaints, investigations, or costly clean-up work later on.
Below, we break down what small businesses need to know about privacy laws in New Zealand, and the simple, practical steps you can take to protect your business from day one.
What Do “Privacy Laws” Mean For Small Businesses In New Zealand?
When people talk about “privacy laws” in New Zealand, they’re usually referring to the Privacy Act 2020.
In plain terms, the Privacy Act sets rules around how you collect, use, store, share, and dispose of personal information. It applies to most organisations (including most businesses), regardless of size, if you handle personal information in the course of running your business.
This matters because small businesses often handle:
- Customer details (names, phone numbers, email addresses, delivery addresses)
- Employee information (payroll details, bank accounts, emergency contacts)
- Marketing data (newsletter lists, customer preferences)
- Website data (IP addresses, tracking data, enquiry forms)
- Security footage (CCTV that records identifiable people)
If you’re thinking “we’re small, surely this doesn’t apply to us”, it’s worth being careful. The Privacy Act isn’t just for big corporates. If you collect personal info, you have privacy obligations.
And privacy compliance isn’t just about avoiding trouble. It’s also a business asset: customers are more likely to buy from (and stay loyal to) businesses that handle data responsibly.
What Counts As Personal Information (And When Are You Responsible For It)?
Personal information is information about an identifiable individual. It doesn’t have to be “sensitive” to be covered.
Common examples for small businesses include:
- A customer’s name + phone number stored in your booking system
- An email address in your mailing list
- A delivery address on an invoice
- CCTV footage showing a customer’s face
- A staff member’s performance notes or disciplinary records
You’re generally responsible for personal information when your business:
- Collects it (directly from the person, via your website, via a third party)
- Stores it (in your inbox, spreadsheets, CRM, cloud tools, paper files)
- Uses it (to deliver services, send marketing, verify identity, manage staff)
- Discloses it (to suppliers, contractors, couriers, payment providers, accountants)
A practical way to think about this is: if you’d be uncomfortable with the information being leaked (or you’d struggle to explain why you have it), it’s worth checking your privacy settings and processes.
Tip: privacy issues often pop up alongside broader customer-facing compliance. If you’re selling to consumers, you’ll usually be thinking about refunds, complaints, and marketing too. Having clear website terms and policies in place, including your Website Terms And Conditions, can help your business operate smoothly.
What Are Your Key Obligations Under The Privacy Act 2020?
The Privacy Act 2020 is built around “information privacy principles”. You don’t need to memorise them, but you do need to understand what they mean in day-to-day business terms.
1) Only Collect What You Actually Need
As a small business, it can be tempting to collect lots of information “just in case”. Privacy laws push back against that.
Before collecting personal information, ask:
- Do we actually need this to provide the product or service?
- Is there a less intrusive way to do this?
- Are we collecting it in a fair and lawful way?
For example, if someone is just buying a digital product, you probably don’t need their physical address.
2) Tell People What You’re Doing With Their Information
One of the most common compliance gaps for small businesses is not clearly explaining what happens with customer data.
When you collect personal information, you should generally tell people things like:
- What information you’re collecting
- Why you’re collecting it
- Who will receive it (e.g. couriers, booking providers, payment processors)
- Whether it may be stored or accessed overseas (for example, if you use offshore cloud providers or support teams)
- How they can access or correct it
This is where a properly drafted Privacy Policy becomes important. It’s not just a “nice to have” document - it’s often the simplest way to meet your transparency obligations, especially if you collect information through a website, forms, or online checkout.
3) Keep Personal Information Secure
Under privacy laws, you must take reasonable steps to protect personal information from loss, unauthorised access, misuse, or disclosure.
What’s “reasonable” depends on your business, but common measures include:
- Using strong passwords and multi-factor authentication
- Restricting staff access to only what they need
- Keeping devices updated and protected (anti-malware, encryption)
- Training staff on phishing scams and safe handling of customer data
- Locking physical files away (if you store paper records)
If you handle more sensitive information (like health information), you’ll usually need stronger processes.
4) Only Use And Share Information For Legitimate Purposes
If you collected personal information for one purpose, you generally shouldn’t use it for a different purpose unless you have a valid reason (and sometimes, consent or another lawful basis).
For example, if someone gives you their email to receive an invoice, that doesn’t automatically mean you can add them to marketing emails. (There are also specific rules around electronic marketing and spam, including consent requirements under the Unsolicited Electronic Messages Act 2007, but privacy is still part of the picture.)
Also remember that “sharing” personal information isn’t just selling data. It includes everyday things like giving customer details to a delivery driver, sharing details with a booking platform, or sending employee information to a payroll provider.
5) Let People Access And Correct Their Information
People generally have the right to request access to their personal information and request corrections.
As a business owner, this means you should have a practical plan for:
- Finding the information (across emails, apps, spreadsheets)
- Confirming identity (so you don’t give data to the wrong person)
- Responding within the required timeframe (including the usual 20-working-day response period for access requests)
- Correcting data (or noting a correction request if you don’t agree)
If you work in an industry where access requests are likely, having a simple internal process (or template) can save a lot of time.
Do You Need A Privacy Policy, And What Should It Include?
If your business collects personal information online (or even offline, in many cases), having a privacy policy is one of the most practical ways to show you take privacy laws seriously.
A privacy policy is also a trust tool - it helps customers feel comfortable buying from you, booking with you, or signing up to your newsletter.
At a high level, a good privacy policy should cover:
- What personal information you collect (and how)
- Why you collect it (e.g. fulfil orders, provide services, respond to enquiries)
- How you store and secure it
- Who you share it with (suppliers, contractors, service providers)
- Overseas storage and disclosure (if you use cloud services, offshore support, or otherwise disclose information outside New Zealand)
- How people can access or correct their info
- How to make a complaint (and how you’ll respond)
It’s also important that your privacy policy matches what you actually do. Copying a generic template can create risk if it says you do (or don’t do) things that aren’t true for your business.
If you use cookies, analytics tools, or tracking for marketing, you may also need to think about cookie disclosures. Many businesses address this in their privacy policy, and some use separate cookie wording depending on the setup.
Also, privacy doesn’t exist in a vacuum. If you’re operating online, your privacy policy should work alongside your broader customer documents, like your E-Commerce Terms And Conditions, so your customer journey is clear and consistent.
What If There’s A Privacy Breach? (And Why Small Businesses Should Have A Plan)
A privacy breach is basically when personal information is accessed, shared, lost, or exposed in a way it shouldn’t be.
For small businesses, common causes include:
- Falling for a phishing email and having an inbox compromised
- Sending an invoice to the wrong customer
- Publishing a spreadsheet publicly by mistake
- Losing a laptop or phone that has customer information on it
- Accidentally giving staff wider access to data than intended
Under the Privacy Act 2020, some breaches are considered notifiable - meaning you must notify affected individuals and (in many cases) the Office of the Privacy Commissioner if the breach has caused (or is likely to cause) serious harm. Notification generally needs to happen as soon as practicable after you become aware of the breach.
Even where notification isn’t required, the way you respond matters. A slow or messy response can escalate the damage, frustrate customers, and create reputational harm.
That’s why many small businesses choose to have a simple written plan in place, including:
- Who in the business handles privacy issues
- Immediate steps to contain the breach
- How you investigate what happened
- How you decide whether notification is required
- How you communicate with customers
- How you prevent it happening again
If you want something practical and ready to use, having a Data Breach Response Plan can make the “what do we do now?” moment far less stressful.
How Do Privacy Laws Affect Your Staff, Contractors, And Everyday Operations?
Privacy compliance isn’t just a “website issue”. It can affect your day-to-day operations, especially once you start hiring or outsourcing.
Employees And HR Records
If you employ staff, you’ll likely collect personal information such as:
- Identification and contact details
- Bank and tax information
- Performance notes and disciplinary records
- Medical or leave-related information (sometimes)
You should keep this information secure, limit access (not everyone needs to see everything), and be clear about how it’s used and stored.
It also helps to have the basics legally documented from the start. For example, your Employment Contract can align expectations around confidentiality, acceptable use of business systems, and handling sensitive information.
Contractors And Service Providers
Many small businesses rely on contractors - think virtual assistants, bookkeepers, IT providers, marketing consultants, or delivery drivers.
If a contractor can access customer or employee information, you should be thinking about:
- What information they can access (and whether that access is necessary)
- How they must store and handle the information
- Whether they can use subcontractors
- What happens if there’s a breach
This is where a tailored Contractor Agreement (or contractor terms in your broader service agreement) can help you set the rules clearly.
CCTV And Workplace Monitoring
If you have CCTV or other monitoring in your workplace, privacy considerations come up quickly. Recording customers and staff can be lawful, but you need to do it carefully - including being transparent about it and not collecting more than you need.
If you’re considering installing cameras, it’s worth checking what’s acceptable and how to manage it responsibly, including signage, access controls, and retention periods. This topic often overlaps with general workplace compliance, so it’s worth getting advice if you’re unsure.
Customer Disputes And Reputation Risk
Privacy problems often show up when something goes wrong - a customer complaint, a dispute, a bad review, or a staff issue.
Even if you’ve done nothing intentionally wrong, unclear processes can create misunderstandings, like:
- A customer asking “why do you still have my data?”
- A subscriber saying “I never consented to marketing”
- A contractor disputing who’s responsible for a breach
Having clear privacy messaging and good contracts in place can reduce these headaches and help you respond quickly and confidently.
Key Takeaways
- Privacy laws in New Zealand mainly come from the Privacy Act 2020, and they apply to most organisations (including most small businesses) if you collect, store, use, or share personal information.
- Personal information can be as simple as a name and email address, and it can include CCTV footage or employee records if individuals are identifiable.
- Your core privacy obligations include collecting only what you need, being transparent about what you’re doing with it, keeping it secure, and allowing access/corrections when requested.
- A Privacy Policy is a practical way to meet transparency requirements and build trust, especially if you collect info through a website, online bookings, or e-commerce.
- Privacy breaches can happen to any business, and having a clear response plan can help you act quickly and reduce legal and reputational risk.
- Privacy compliance affects day-to-day operations, including staff records, contractor access, workplace monitoring, and how you handle customer communications.
If you’d like help making sure your business is compliant with privacy laws (or you need a privacy policy, breach response plan, or tailored contracts), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.