Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Counts As A “Cookie Banner” (And Why Cookie Banner Compliance Matters)
- Step-By-Step: A Practical Cookie Banner Compliance Checklist
- Step 1: Audit Your Cookies And Tracking Tools
- Step 2: Categorise Cookies (So Your Choices Are Real)
- Step 3: Decide What Needs Opt-In Consent (And What Doesn’t)
- Step 4: Build The Banner So It’s Not Misleading
- Step 5: Make Sure Non-Essential Cookies Don’t Load Before Consent
- Step 6: Keep Your Cookie Information Updated
- Key Takeaways
If your website uses analytics, embedded videos, chat widgets, or advertising tools, there’s a good chance you’re using cookies (or similar tracking tech) whether you realise it or not.
That’s where cookie banner compliance comes in. For small businesses, the goal isn’t to create a banner that looks “official” - it’s to put a privacy-compliant system in place that matches what your website actually does, and what New Zealand privacy law expects.
Below, we’ll walk through practical steps you can take to improve cookie banner compliance for your NZ website, including what to say, when it may make sense to ask for consent, and how to back your banner up with the right documents and internal processes.
What Counts As A “Cookie Banner” (And Why Cookie Banner Compliance Matters)
A cookie banner is the notice (often at the bottom or top of a website) that tells visitors your site uses cookies and gives them choices about tracking.
In practice, cookie banners often need to cover more than “cookies” alone. Many websites also use:
- Pixels and tags (e.g. advertising conversion tags)
- Local storage and similar browser storage tools
- SDKs in web apps
- Third-party embeds (maps, videos, social plugins) that drop cookies
So why does cookie banner compliance matter in New Zealand?
Because tracking technologies can involve collecting personal information (or making people identifiable when combined with other data). Under the Privacy Act 2020, if you’re collecting personal information from customers or site visitors, you need to do it in a way that’s fair, transparent, and secure.
Even where a cookie doesn’t directly identify someone by name, it may still relate to an identifiable person - for example, if it’s linked to a user account, an IP address, device identifiers, or behavioural profiles.
From a business perspective, good cookie banner compliance also helps you:
- build trust with customers (especially if you sell online)
- reduce complaints and reputational risk
- avoid messy “surprises” during fundraising, due diligence, or a business sale
- ensure your marketing and analytics data is collected more defensibly
It can feel like a small detail - but it’s part of getting your legal foundations right from day one.
How NZ Privacy Law Applies To Cookies (In Plain English)
NZ doesn’t have a single “cookie law” in the same way some other countries do. Instead, cookie banner compliance in NZ typically flows from broader privacy principles under the Privacy Act 2020.
For most small businesses, the key ideas to understand are:
1) Transparency: People Should Know What You’re Doing
If you’re collecting personal information through your website, you generally need to tell people (in clear language):
- what you’re collecting
- why you’re collecting it
- who you might share it with (including overseas providers)
- how people can access or correct their information
This is one reason a cookie banner should never be your only “privacy notice”. A banner is usually just the front door - your Privacy Policy and related disclosures do the heavy lifting.
2) Collect Only What You Need (And Don’t Be Sneaky About It)
A common cookie compliance mistake is loading every tracking tool by default because “we might use the data later”. If you don’t need it, don’t collect it.
This is also where it helps to understand the difference between privacy and confidentiality. Privacy is about how you collect and use personal information - not just whether you keep it secret. You can be “confidential” and still be non-compliant if you collect data unfairly or without proper notice.
3) Security Still Applies
Once you collect data (even via analytics), you’re responsible for keeping it safe. That includes choosing reputable providers, limiting access, and having a plan if something goes wrong.
In other words: cookie banner compliance isn’t just about the banner. It’s about your whole privacy posture.
4) Extra Care For Sensitive Personal Information
Some data types carry higher risk (for example, health-related information, children’s data, or detailed behavioural profiling). If your cookie tools collect or infer anything in that category, your obligations and risk level usually increase.
It’s worth getting advice if your site touches sensitive personal information, because your disclosures and consent settings may need to be more cautious.
Step-By-Step: A Practical Cookie Banner Compliance Checklist
If you want a cookie banner that supports compliance (and not just one that looks good), you’ll usually get the best result by working through these steps in order.
Step 1: Audit Your Cookies And Tracking Tools
Before you change your banner text, you need to know what your website is actually doing.
Make a list of:
- analytics tools (traffic measurement, heatmaps, session recordings)
- advertising tools (remarketing, conversion tracking)
- embedded content (maps, videos, social feeds)
- website plugins/widgets (live chat, booking systems)
- eCommerce tools (cart, checkout, payment integrations)
For each tool, ask:
- Does it drop cookies or store data in the browser?
- Is it necessary for the site to function, or is it “nice to have”?
- Does it share data with third parties or send data overseas?
This audit becomes the foundation for your cookie banner categories and your cookie policy wording (if you have one).
Step 2: Categorise Cookies (So Your Choices Are Real)
Many cookie banners group cookies into categories, such as:
- Strictly necessary (e.g. security, shopping cart, login)
- Functional (e.g. remembering preferences)
- Analytics (e.g. understanding site usage)
- Marketing (e.g. advertising and retargeting)
The point isn’t to copy a generic list - it’s to match categories to what you actually run on your website.
If you can’t explain what a cookie category does in plain language, it’s usually a sign you need to revisit the audit step.
Step 3: Decide What Needs Opt-In Consent (And What Doesn’t)
This is where cookie banner compliance gets practical.
As a general rule of thumb:
- Strictly necessary cookies can often be used without opt-in (because the site can’t work properly without them).
- Analytics and marketing cookies are typically higher risk and are often handled through an opt-in model (particularly where there’s behavioural profiling, targeted ads, or third-party tracking).
Even though NZ law doesn’t set a single one-size-fits-all consent rule for cookies, many NZ businesses choose opt-in for analytics/marketing as a privacy-forward best-practice approach because:
- it’s a safer and more future-proof position
- it’s clearer and more transparent for customers
- it reduces disputes about whether someone “agreed”
If you serve customers offshore (or run ads targeting people in other jurisdictions), you may also need to consider overseas privacy regimes. Getting your cookie banner compliance right early can save a lot of rework later.
Step 4: Build The Banner So It’s Not Misleading
Your banner should do what it says it does. That sounds obvious, but a lot of banners fail here.
As a practical cookie banner compliance checklist, it’s generally a good idea to include:
- Clear notice that cookies/tracking are used
- Genuine choice (not just “OK”)
- Granular settings (often by category)
- A link to your Privacy Policy (and cookie information if you have it)
- A record of preferences (so you can respect the choice and not ask every visit)
- An easy way to change choices later (e.g. “Cookie settings” link in the footer)
Also watch out for dark patterns - designs that push people into accepting tracking (for example, a huge “Accept All” button and a hidden “Reject” link). Apart from trust issues, this can undermine the quality of any consent you’re relying on.
Step 5: Make Sure Non-Essential Cookies Don’t Load Before Consent
This is one of the biggest technical gaps we see with cookie banner compliance: the banner appears, but tracking cookies have already loaded in the background.
To address this, you (or your developer) will often need to configure your site so that:
- analytics scripts are blocked until the visitor opts in (where you’re relying on opt-in), and
- marketing tags do not fire until the visitor opts in (where you’re relying on opt-in).
If you’re not sure whether your website currently does this, it’s worth running a basic test in an incognito browser and checking which scripts fire before you click anything.
This is also why it can be risky to rely on a generic banner plugin without proper configuration - you can end up with a banner that looks compliant but doesn’t actually control anything.
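As an added example (not Sprintlaw's code, and not any particular banner plugin), here is the gating described in Step 5 combined with the preference record from Step 4: non-essential tags are registered by category and only injected once a stored, per-category choice permits them, while necessary tags load regardless. The tag names, script URLs and storage key are constructed placeholders; `storage` and `inject` are passed in so the same logic runs against `localStorage` and `<script>` tags in a browser or against fakes in a test.

```javascript
// Constructed registry: which scripts belong to which banner category.
const TAG_REGISTRY = [
  { name: "cart-session", category: "necessary", src: "/js/cart.js" },
  { name: "analytics",    category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ads-retarget", category: "marketing", src: "https://ads.example/pixel.js" },
];
const STORAGE_KEY = "cookieConsent"; // assumed key name for the saved choice

class ConsentGate {
  constructor(storage, inject) {
    this.storage = storage; // getItem/setItem, e.g. window.localStorage
    this.inject = inject;   // function(tag) that actually adds the script
    this.loaded = new Set(); // prevents a tag firing twice on one page
  }
  // Saved choice, or null if the visitor has not chosen yet.
  // "necessary" is always true; everything else defaults to not granted.
  getConsent() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try { return { ...JSON.parse(raw), necessary: true }; } catch { return null; }
  }
  // Record a granular choice ("reject all" is saveConsent({})) and apply it.
  saveConsent(choice) {
    const record = {
      analytics: !!choice.analytics,
      marketing: !!choice.marketing,
      at: new Date().toISOString(), // when the choice was made
    };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(record));
    return this.apply();
  }
  // Inject only tags whose category is permitted; returns names loaded now.
  // With no saved choice, only "necessary" tags pass: nothing fires early.
  apply() {
    const consent = this.getConsent() || { necessary: true };
    const justLoaded = [];
    for (const tag of TAG_REGISTRY) {
      if (this.loaded.has(tag.name) || !consent[tag.category]) continue;
      this.inject(tag);
      this.loaded.add(tag.name);
      justLoaded.push(tag.name);
    }
    return justLoaded;
  }
}

// Browser wiring (assumed): new ConsentGate(localStorage, browserInject).apply()
// on page load, then saveConsent(...) from the banner's and footer's buttons.
function browserInject(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}
```

Running `apply()` on page load before the banner is shown is the check for the gap described above: if anything other than the necessary tags is injected before a choice is saved, the gate is not controlling those scripts.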
Step 6: Keep Your Cookie Information Updated
Cookie setups change all the time. A new email marketing platform, a new booking plugin, or a new ad campaign can add new trackers overnight.
Build a habit of reviewing cookies:
- after website redesigns
- when new plugins are installed
- when you change marketing agencies or platforms
- at least every 6–12 months as a general check
Cookie banner compliance isn’t a “set and forget” task - but it doesn’t need to be painful if you schedule a quick recurring review.
What Should Your Cookie Banner And Website Documents Say?
Once your banner behaviour is configured, the next step is to make sure your wording matches your actual practices.
Cookie Banner Wording: Keep It Simple And Accurate
A good cookie banner message usually covers:
- that you use cookies/tracking to run the site and improve it
- that some cookies are optional
- how to accept/reject/manage settings
- where to read more (privacy/cookie info)
Avoid broad statements like “We do not share data” if you use third-party services that receive analytics or advertising data. It’s better to be transparent and explain what’s happening.
Privacy Policy: Back Up The Banner
Your banner is typically only a summary. Your site should also have a properly drafted Privacy Policy that aligns with your cookie practices.
For cookie banner compliance, your privacy policy (or a separate cookie policy) commonly includes:
- what cookies/tracking technologies you use
- why you use them (necessary, analytics, marketing, etc.)
- who receives the data (including third parties)
- overseas disclosures (if relevant)
- how users can change their preferences
- contact details for privacy questions
If your business is collecting personal information via web forms, sign-ups, accounts, or online sales, a well-drafted Privacy Policy is one of the simplest ways to strengthen compliance.
Do You Need A Cookie Pop-Up At All?
Not every website needs the same setup, and not every site needs to ask for consent in the same way. The right approach depends on what cookies you use and how you use them.
If you’re unsure where your website sits, it can help to start with this rule of thumb: cookie pop-ups are often recommended where you use non-essential tracking, third-party marketing tags, or more advanced analytics.
Don’t Forget Your Wider Website Terms
Cookies often sit alongside other legal “website basics”, like rules for acceptable use and user behaviour (especially if you have accounts, comments, or user-generated content).
Depending on your setup, it may also be sensible to have an Acceptable Use Policy so it’s clear how users can interact with your website or platform.
Common Cookie Banner Compliance Mistakes NZ Small Businesses Make
Most cookie banner issues aren’t caused by bad intentions - they usually happen because website builds evolve quickly, and the legal side gets left behind.
Here are common cookie banner compliance traps to watch for:
The Banner Doesn’t Match Reality
Your banner says “We only use cookies for analytics” but you’re running retargeting ads and conversion tags.
Or your banner says “Reject” is available, but the scripts still load anyway.
No Real Choice (Or Too Much Friction)
If visitors can’t easily reject optional cookies, or if “Manage settings” is buried, you risk undermining the quality of consent and damaging trust.
Marketing Consent Is Confused With Cookie Consent
If you collect email addresses, cookie banner compliance is only one part of the picture - your marketing messages also need to comply with spam rules and privacy rules.
For example, if you send promotional emails, you should also consider your broader obligations under email marketing laws, not just your cookie banner settings.
No Process For Updates
Imagine you launch a new campaign, your agency adds additional tags, and nobody updates your cookie categories or disclosures. That’s how small compliance gaps creep in.
A simple internal process (even a recurring calendar reminder) can go a long way.
Key Takeaways
- Cookie banner compliance isn’t just about displaying a banner - it’s about making sure tracking only happens in the way you’ve told users it will.
- In NZ, cookie compliance obligations usually tie back to the Privacy Act 2020, especially transparency, fair collection, and security of personal information.
- Start with a cookie and tracker audit, then build categories that reflect what your website actually uses (necessary, functional, analytics, marketing).
- Where cookies are non-essential (especially analytics and marketing), an opt-in consent model is often a safer and more trust-building approach.
- Your banner should be backed up by a properly drafted Privacy Policy and a system that lets users change their choices later.
- Avoid common pitfalls like cookies loading before consent, misleading wording, and “set and forget” banners that don’t get updated as your site changes.
If you’d like help improving cookie banner compliance for your NZ website - including reviewing your cookie practices and drafting the right privacy documents - contact Sprintlaw on 0800 002 184 or email team@sprintlaw.co.nz for a free, no-obligations chat.