Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects customer details, employee information, mailing list sign-ups, enquiries through your website, or even CCTV footage, you’re dealing with “personal information” and the Privacy Act 2020 (NZ).
And when people hear “privacy compliance”, they often jump straight to one thing: consent.
Consent is important, but it’s also one of the most misunderstood parts of privacy law. In practice, you don’t always need consent to collect or use personal information - but when you do rely on consent, you need to do it properly (and be able to prove it later).
This guide breaks down consent forms under New Zealand’s Privacy Act 2020 from a small business perspective: when consent is useful (and when it’s not the right tool), what “good consent” looks like, what to include in your forms, and common traps to avoid when collecting permission.
What Is A Consent Form (And How Is It Different From A Privacy Policy)?
A consent form is a document (paper or digital) where someone actively agrees to you collecting, using, or disclosing their personal information for a defined purpose.
In other words, it’s your evidence that the person said “yes” to something specific.
But here’s the key point: a consent form is not the same thing as your privacy documentation more broadly.
Consent Form Vs Privacy Policy Vs Collection Notice
- Privacy policy: your public-facing explanation of how your business handles personal information overall (what you collect, why, how you store it, who you share it with, and people’s rights). Many businesses have this on their website as a baseline compliance document. A properly drafted Privacy Policy helps build trust and reduces confusion when customers ask “what will you do with my details?”
- Collection notice: the “just in time” information you give at the point of collection (for example, at checkout, on a form, or at sign-up). In NZ, this aligns with Privacy Principle 3 (often described as the duty to tell people you’re collecting their information and why). A Privacy Collection Notice is often the practical way to meet that obligation.
- Consent form: a specific permission mechanism for situations where you need consent, or where getting clear permission is the safest, clearest approach.
When people search for “NZ Privacy Act consent forms”, they’re usually trying to solve a real business problem: “How do I get permission in a way that won’t backfire later?”
The answer is usually a combination of all three: clear privacy settings, a collection notice, and consent wording where consent is genuinely needed (or strongly recommended).
When Do You Actually Need Consent Under The Privacy Act 2020?
Under the Privacy Act 2020, consent isn’t a blanket requirement for every type of personal information collection.
Instead, the Act is built around information privacy principles (IPPs). These principles cover things like collecting for a lawful purpose, collecting only what you need, being transparent about collection, storing information securely, and giving people access to their information.
That said, there are common situations where your business will either need consent under another rule/law, or be much safer getting it clearly (and in a way you can evidence).
1) When You’re Collecting High-Risk Or Sensitive Information
“Sensitive information” isn’t a single defined category under the Privacy Act 2020 in the way some overseas laws describe it. However, in NZ practice, certain types of data are higher-risk and typically require extra care and extra transparency - and in many cases, it’s sensible to seek clear, express consent to reduce misunderstanding and complaints.
Common examples include:
- health information (including injury details, medical notes, and sometimes disability-related information)
- biometric information (like facial recognition templates, fingerprints, voiceprints)
- information about children (depending on context and how it’s used)
- information that could cause serious harm or distress if mishandled
In these cases, a well-drafted consent form can be an important part of demonstrating fair and transparent practice - especially if the collection isn’t obvious to the person, or the information could be used in a way they wouldn’t reasonably expect.
For example, if your business uses a health questionnaire or collects medical information for service delivery, a dedicated Medical Release Consent Form can help clarify what you’re collecting, why, and who it may be shared with (if anyone).
2) When You Want To Use Information For Marketing (Beyond What People Expect)
If someone gives you their email address to receive a receipt, they don’t necessarily expect ongoing marketing emails.
Also keep in mind: marketing isn’t only a Privacy Act issue. If you send commercial electronic messages (like promotional emails) in New Zealand, you’ll usually need to comply with the Unsolicited Electronic Messages Act 2007 (for example, consent rules and unsubscribe requirements).
In practice, marketing consent is often best handled through:
- an unticked checkbox (opt-in)
- clear wording about what they’re signing up for
- a simple unsubscribe process
This isn’t just good practice - it’s how you protect your brand reputation and reduce customer complaints.
3) When You’re Disclosing Personal Information To Third Parties In A Way People Wouldn’t Expect
Some disclosures are expected and may be permitted without asking again (for example, giving a courier the customer’s delivery address to complete delivery).
Under the Privacy Act, disclosure is often allowed where it’s connected to the purpose the information was collected for (or a directly related purpose), or where another exception applies. But if you’re disclosing information in a way a reasonable customer wouldn’t anticipate, getting clear consent is often the safest approach.
Common examples include:
- sharing a client list with a business partner
- publishing customer testimonials with identifiable details
- using customer photos or videos in marketing
This is where a clear written consent process can save you headaches later.
4) When Consent Is The Best Way To Prove You Acted Fairly
Even when the Privacy Act doesn’t strictly require consent, you may still choose to collect consent because it creates a clean paper trail.
That’s especially useful when:
- you’re a service business and disputes can arise about what was agreed
- you’re collecting information in a high-trust environment (like coaching, health, education, or childcare)
- you’re using new tools (like AI features, analytics, or behavioural tracking) and want to be transparent from day one
In short: consent forms are often about evidence and clarity - not just “ticking a compliance box”.
What Makes Consent “Valid” (So Your Consent Form Actually Holds Up)?
A consent form only helps if the consent itself is meaningful. If someone complains to the Office of the Privacy Commissioner, the question won’t be “Did you have a form?” - it will be “Was the person properly informed, and did they have a genuine choice?”
While the Privacy Act 2020 doesn’t give a single simple checklist for consent, strong consent usually has these features:
Informed
People need to understand what they’re agreeing to. That means your consent wording should be clear, readable, and not buried in unrelated text.
Specific
Consent should relate to specific purposes. If you say “I consent to anything you do with my data”, that’s vague and risky.
A better approach is to separate permissions, for example:
- consent to collect information to provide the service
- consent to share information with a named third party (or a clearly defined category)
- consent to receive marketing updates
Voluntary (A Real Choice)
Consent shouldn’t feel forced or misleading. If the person can’t realistically use your service unless they agree to unnecessary data use, that consent might be challenged.
This is why it’s smart to collect only what you need, and keep “optional” consents genuinely optional.
Current And Easy To Withdraw
Consent is not a “set and forget” permission slip forever. People should be able to withdraw consent, and your business needs a workable process for dealing with that request.
Having an internal process matters just as much as the wording. For example, it helps to have a simple way customers can request access or corrections, such as an Access Request Form for handling privacy requests consistently.
Documented
If it isn’t recorded, it’s hard to prove. For digital consent, keep logs (time, date, version of the wording agreed to, and what box was ticked).
For paper consent, store signed copies securely and only keep them as long as you actually need them.
How To Draft NZ Privacy Act Consent Forms For Your Small Business
Good consent forms are practical. They don’t try to cover every possible scenario under the sun - they focus on the specific permissions your business needs, in language your customers can understand.
Here’s a structure that works well for many small businesses.
1) Identify The “Consent Moments” In Your Business
Start by mapping where you collect personal information and where you might rely on consent, such as:
- website enquiry forms
- newsletter sign-ups
- online bookings
- in-store loyalty programs
- consultation or intake forms
- photo/video use for marketing
- referrals to third parties
Once you know where consent is needed, you can decide whether that consent should be:
- embedded in an online form (checkbox + wording),
- a standalone consent form, or
- a clause inside a broader customer agreement (only where that’s genuinely appropriate).
2) Write Plain-English Permission Statements
Your consent language should be short and direct. You’re aiming for clarity, not legal jargon.
For example:
- “I consent to [Business Name] collecting and using my personal information to provide the requested services.”
- “I consent to [Business Name] sharing my information with [Third Party / Category] for [Purpose].”
- “I would like to receive marketing emails and understand I can unsubscribe at any time.”
If you need multiple consents, separate them. Avoid bundling everything into one checkbox.
3) Include The Practical Privacy Details People Actually Need
A strong consent form usually also includes (or sits alongside) key collection notice information, such as:
- the purpose of collection
- what information is being collected
- whether providing it is optional or required (and what happens if they don’t provide it)
- who the information may be shared with (including overseas providers, if relevant)
- how people can access or correct their information
- how to contact you about privacy questions
This is also where your website’s Privacy Policy becomes useful - you can refer people to it for the bigger picture, while keeping the consent form focused and readable.
4) Build A “Consent Record” Process (Not Just A Form)
From a risk perspective, the form is only half the story. Make sure your business can actually:
- store the consent record securely
- pull it up quickly if there’s a complaint
- honour withdrawals of consent
- update consent wording when your processes change
Also make sure staff know what to do if someone asks privacy-related questions. For businesses with employees handling customer data day-to-day, an internal document like an Employee Privacy Handbook can help set consistent rules and reduce mistakes.
5) Don’t Forget About Data Breaches
Even careful businesses can face data breaches (lost devices, hacked accounts, accidental emails, software misconfigurations).
Under the Privacy Act 2020, you may have obligations around notifiable privacy breaches. Having a plan in place helps you react quickly and responsibly - including when customers ask what happened and what you’re doing about it.
Depending on your operations, it may be worth having a Data Breach Notification process ready to go so you’re not drafting critical communications under pressure.
Common Scenarios Where Consent Forms Matter (With Practical Examples)
If you’re trying to figure out what “good” looks like, it helps to ground this in real business scenarios. Here are some common ones where consent forms often come up.
Scenario 1: Newsletter Sign-Ups And Email Marketing
If you collect emails for marketing, make the consent obvious and separate from other steps (like purchasing or requesting a quote).
Practical tips:
- Use unticked opt-in boxes (avoid pre-ticked boxes).
- Say what the person will receive (e.g. “monthly updates and offers”).
- Keep a record of when/where the person opted in.
- Make unsubscribing easy.
Scenario 2: Taking Client Intake Notes (Including Health-Related Details)
Many service businesses collect more information than they realise - especially if you take notes in a booking system, CRM, or even a spreadsheet.
If you’re collecting health information (even occasionally), consider using a dedicated Medical Release Consent Form or consent clause that clearly explains:
- what you’re collecting
- why you need it
- how it will be stored
- who will have access
- how long it will be kept
This is one of the easiest areas for misunderstandings to happen, so clear written consent can be a real safeguard.
Scenario 3: Using Customer Photos, Testimonials, Or Case Studies
If you want to post “before and after” photos, client stories, or testimonials that identify the customer, it’s safest to use a specific consent statement.
Make the permission specific, including:
- where the content will be used (website, social media, ads, print)
- whether the person will be identified by name, initials, or anonymously
- whether they can withdraw permission later (and what “withdrawal” means in practice)
This is also where “bundling” causes problems. Consent to provide a service is not automatically consent to use someone’s image in your advertising.
Scenario 4: Website Tracking And Cookie Consent
If your website uses analytics, tracking pixels, or advertising tools, you should think carefully about transparency and consent - especially if tracking goes beyond what’s reasonably expected.
Depending on how your business operates and where your customers are located, you may need a cookie banner or consent tool. A practical starting point is to get your website privacy compliance documents aligned, including a Cookie Policy.
Scenario 5: Employee Information And Workplace Privacy
Even though this article is written for business owners (not employees), it’s worth calling out: your business also handles personal information about staff.
That can include:
- bank account and payroll details
- emergency contacts
- performance records
- health and safety incident reports
- CCTV footage (if used)
In some situations, employers use consent forms - but consent in employment can be tricky, because power dynamics can make “voluntary” consent harder to prove. In many cases, it’s better to focus on clear notices, reasonable collection, and strong internal policies (and sometimes an Employee Privacy Handbook).
Key Takeaways
- Consent forms can be a powerful way to collect and record permission, but they only help if the consent is clear, specific, informed, and genuinely voluntary.
- You don’t always need consent to collect personal information under the Privacy Act 2020 - but you do need to comply with the information privacy principles, including being transparent at the point of collection.
- Consent is especially useful (and sometimes required under other rules) when you’re dealing with high-risk information, unexpected uses (like marketing), or disclosures that go beyond what people would reasonably expect.
- A consent form works best when paired with good privacy documentation, such as a clear Privacy Policy and a practical Privacy Collection Notice.
- Your process matters as much as your paperwork - make sure you can store consent records, respond to access requests, and handle withdrawals of consent.
- It’s worth preparing for the “what if” moments too, including having a plan for handling privacy incidents and potential Data Breach Notification obligations.
If you’d like help setting up consent forms (or reviewing how your business collects and uses personal information), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.







