Penalties For Breaching New Zealand’s Privacy Act 2020

By Alex Solo · 10 min read

If you run a small business in New Zealand, you’re probably collecting more personal information than you realise - customer names and emails, delivery addresses, staff details, CCTV footage, loyalty data, website analytics and more.

Most of the time, privacy compliance feels like a “nice to have” until something goes wrong: an email goes to the wrong person, a staff laptop gets stolen, your booking system is hacked, or someone complains you’re collecting more information than you need.

That’s when business owners start searching for penalties for breach of the Privacy Act and wondering what the actual consequences are in NZ.

In this article, we’ll break down what counts as a Privacy Act breach, what penalties and enforcement action you might face, and the practical steps you can take to reduce risk and protect your business from day one.

What Counts As A Breach Of The Privacy Act 2020 (And Why It Matters For Small Businesses)

The Privacy Act 2020 applies broadly to organisations that collect, hold, use or disclose personal information in New Zealand (with some exceptions).

Personal information is information about an identifiable individual. In a small business context, that often includes:

  • customer contact details (name, email, phone number, address)
  • employee information (payroll records, medical certificates, performance notes)
  • ID verification documents (driver licence, passport details)
  • CCTV footage where people can be identified
  • online identifiers (IP address, account logins, device data) when linked to a person
  • health information (even small things like allergy notes for catering orders)

A breach can happen in a few ways. Common examples we see in practice include:

  • Accidental disclosure: sending an invoice to the wrong client, CC’ing instead of BCC’ing, or posting a spreadsheet in the wrong shared drive
  • Unauthorised access: staff accessing information they don’t need for their role
  • Poor security: weak passwords, no MFA, unencrypted devices, or outdated systems
  • Over-collection: asking for personal details you don’t actually need for your business purpose
  • Improper use: using customer data for marketing without appropriate permissions
  • Mishandling access requests: refusing access without a valid reason, missing timeframes, or providing information without proper identity checks

Even if you didn’t mean to do anything wrong, the Privacy Act is still relevant. The focus is often on whether you had good systems and took reasonable steps to protect information.

From a business perspective, privacy compliance isn’t just about avoiding penalties. It also protects:

  • your reputation and customer trust
  • your ability to keep trading after an incident
  • your relationships with suppliers, platforms, and commercial partners
  • your internal culture (especially when employee data is involved)

Penalties For Breach Of Privacy Act: What The Law Actually Allows In NZ

Let’s get into what most business owners really want to know: what penalties can apply for a breach of the Privacy Act in New Zealand?

It helps to understand that NZ’s privacy regime is a mix of:

  • regulatory action (through the Office of the Privacy Commissioner), and
  • complaints and remedies (through the Human Rights Review Tribunal in some cases), and
  • criminal offences for certain serious conduct (with fines).

1) Regulatory Consequences (Investigations, Compliance Pressure, Public Scrutiny)

Many Privacy Act issues start with a complaint. A customer, employee, or member of the public might complain to the Office of the Privacy Commissioner (OPC).

The OPC can:

  • make enquiries and investigate privacy complaints
  • work with parties to resolve a complaint
  • issue guidance and expectations about what your business should do next
  • in some situations, issue compliance notices (see below)

Even if you don’t end up in Tribunal or court, an investigation and remediation process can still be time-consuming and expensive - particularly if you need to overhaul systems quickly.

2) Compliance Notices (A Formal “You Must Fix This” Direction)

The Privacy Act 2020 introduced stronger tools for the OPC, including the ability to issue compliance notices in certain situations.

A compliance notice can require an organisation to do (or stop doing) particular things to comply with the Act. For example, it might require you to:

  • correct a privacy practice
  • provide access to information
  • stop collecting unnecessary information
  • improve security safeguards

If your business ignores a compliance notice, that can escalate the issue and create further legal risk.

3) Criminal Offences And Fines

While many privacy issues are dealt with through complaints and compliance steps, the Privacy Act also creates offences for certain conduct.

Examples (at a high level) can include things like:

  • knowingly making a false or misleading statement to obtain access to someone else’s personal information
  • destroying, concealing, or altering documents after receiving an access request (or doing something similar to frustrate access)
  • obstructing the Privacy Commissioner (for example, in the course of an investigation)

These offences can involve fines. The precise penalty depends on the specific offence, your conduct, and how the matter is prosecuted.

So, when people search for penalties for breach of the Privacy Act in NZ, the answer isn’t one simple “fine amount”. The risk profile depends heavily on what happened, whether it was deliberate, and whether you took reasonable steps.

4) Human Rights Review Tribunal Remedies (Compensation And Orders)

In some cases, privacy complaints can progress to the Human Rights Review Tribunal. This is where financial and other remedies can come into play.

Depending on the circumstances, outcomes may include:

  • damages/compensation (for example, for harm such as humiliation, loss of dignity, or injury to feelings)
  • orders requiring the business to do something (or stop doing something)
  • declarations that your business interfered with someone’s privacy

This is one reason privacy issues can become much more serious than “just fix the problem”. If an individual can show harm, financial exposure can follow.

Notifiable Privacy Breaches: When You Must Report An Incident

Not every privacy incident is “notifiable” - but some are, and it’s important you don’t guess.

Under the Privacy Act 2020, you may have a legal obligation to notify:

  • the Office of the Privacy Commissioner, and
  • affected individuals,

if the breach has caused (or is likely to cause) serious harm.

Serious harm depends on the context. A small disclosure might be low risk in one situation, but high risk in another. Factors can include:

  • the type of information involved (financial details, health data, identity documents are usually higher risk)
  • how many individuals are affected
  • who received the information (trusted service provider vs unknown third party)
  • whether the information is encrypted or protected
  • the likelihood of misuse (fraud, identity theft, harassment)

From a small business perspective, notifiable breaches often happen through everyday operations, like:

  • a staff member emailing a customer list to the wrong recipient
  • a shared admin login being compromised
  • stolen devices without encryption
  • an online store plugin being exploited

Even where you report promptly and do the right thing, notification can trigger further scrutiny - which is why having a plan before anything happens is so important.

If you don’t already have a Data Breach Response Plan, it’s worth putting one in place while things are calm.

What Increases Your Risk (And What Regulators Look At)

If you’re worried about penalties for breach of the Privacy Act, it helps to know what tends to make things worse in the eyes of regulators or decision-makers.

1) Lack Of Reasonable Security Safeguards

You don’t need enterprise-grade systems to comply with privacy law, but you do need reasonable safeguards.

“Reasonable” depends on your business size, the sensitivity of the information, and what safeguards are easy to implement. In practice, that usually means basics like:

  • unique logins for staff (not one shared password)
  • multi-factor authentication (MFA) where possible
  • staff access limits (only access what they need)
  • device security (PINs, encryption, remote wipe)
  • secure disposal of information (shredding paper files, securely deleting data)

2) Collecting Too Much Information “Just In Case”

A common small business habit is collecting extra information because it might be useful later. The Privacy Act generally expects you to collect information only where you have a legitimate purpose connected to your business operations.

For example, if you run an online store, you probably need a delivery address - but you might not need a date of birth.

This is where having a clear Privacy Policy and Privacy Collection Notice helps you stay disciplined about what you collect and why.

3) Poor Internal Handling (Training And Process Gaps)

Many privacy incidents happen because staff weren’t trained on:

  • how to respond to access requests
  • how to verify identity before sharing information
  • what information can be shared internally
  • how to use BCC properly (it sounds basic, but it’s a common issue)

If you have employees handling customer data, your privacy approach should connect with your broader workplace documents and expectations (including what technology staff can use for work).

Depending on your business, you may also need to think about workplace monitoring, like CCTV. If that’s relevant for you, it’s worth considering how it fits with your broader compliance, including whether Cameras In The Workplace are being used in a privacy-compliant way.

4) Delayed Or Defensive Responses When Something Goes Wrong

When there’s an incident, regulators often care about what you did next. A calm, prompt response can reduce harm and also help show you take privacy seriously.

That typically looks like:

  • containing the breach (disable access, recover emails, reset passwords)
  • assessing what data was involved and the likelihood of harm
  • notifying where required
  • documenting what happened and what you changed

How To Reduce The Chances Of A Privacy Act Breach In Your Business

Privacy compliance doesn’t need to be overwhelming. For most small businesses, it’s about building simple, repeatable systems and getting your legal foundations right early.

1) Map The Personal Information You Collect

Start with a practical audit:

  • What personal information do you collect (customers, staff, contractors)?
  • Where does it come from (website forms, phone calls, email, POS system)?
  • Where is it stored (Google Drive, Xero, CRM, paper files)?
  • Who has access (and who shouldn’t)?
  • How long do you keep it?

This process often reveals hidden risks, like old spreadsheets sitting in inboxes or shared admin accounts that everyone uses.

2) Put The Right Privacy Documents In Place

Most businesses collecting customer data online should have a Privacy Policy that matches what they actually do (not what a generic template assumes).

If you market to customers, you should also make sure your email and SMS practices are compliant with NZ’s spam rules. Practically, your privacy practices and marketing practices should match - for example, don’t say you won’t use data for marketing and then send promotional emails anyway. If email marketing is part of your growth strategy, Email Marketing Laws are worth checking.

If you’re collecting information through online forms, registrations, or subscriptions, a short, clear collection notice (plus good consent language where appropriate) can go a long way.

And if you run a website, don’t forget the broader legal pages that often interact with privacy (like the terms that govern how people use your site). A properly drafted Website Terms And Conditions can help set rules around accounts, acceptable use, and risk allocation.

3) Strengthen Your Contracts With Suppliers Who Handle Data

Many small businesses outsource critical functions like payment processing, email marketing, customer support tools, cloud storage, and IT support.

If a supplier is handling personal information on your behalf, you’ll want to check:

  • what they can do with the data
  • where the data is hosted (especially offshore storage)
  • their security standards and breach response obligations
  • whether they can subcontract processing
  • what happens to data when the contract ends

This is where contractual protection matters. Depending on the relationship, you might use a tailored services contract (or add privacy clauses to an existing agreement), and in some cases a Data Processing Agreement is a smart move.

4) Train Your Staff On The “Everyday” Privacy Risks

Privacy training doesn’t need to be a long formal course. For many small businesses, a practical checklist and a short onboarding session are enough to drastically reduce risk.

Key topics to cover:

  • how to identify personal information
  • how to share information internally (and when not to)
  • how to handle customer requests for access or correction
  • how to use email safely (and when to use BCC)
  • what to do immediately if something goes wrong

If you want privacy expectations to actually stick, make sure they align with your workplace rules and employment documentation too. In many businesses, privacy obligations are reinforced through workplace policies and an Employment Contract.

5) Have A Plan For Access Requests And Complaints

Under the Privacy Act, people can ask for access to their personal information (and request corrections).

Small businesses sometimes trip up here because:

  • they don’t have a documented process
  • they don’t know where the data is stored
  • they release information too quickly without verifying identity

Having a simple internal procedure can reduce the chances of a mistake that escalates into a complaint - and reduce the risk that you end up learning about penalties for breach of the Privacy Act the hard way.

Key Takeaways

  • The Privacy Act 2020 applies to most small businesses that collect, store, use, or disclose personal information about customers, employees, or other individuals.
  • When people look up penalties for breaching the Privacy Act, it’s important to understand that NZ’s approach includes investigations, compliance notices, Tribunal remedies (including compensation), and fines for certain offences.
  • Some privacy incidents are notifiable privacy breaches, meaning you may need to notify both the Privacy Commissioner and affected individuals if serious harm is likely.
  • Your risk increases when you lack reasonable security safeguards, collect more data than you need, fail to train staff, or respond slowly/defensively after an incident.
  • Practical risk-reduction steps include mapping your data, putting the right privacy documents in place, tightening supplier contracts, training staff, and having a clear breach response plan.
  • Because privacy compliance depends on your systems, industry, and data types, it’s worth getting tailored advice so you’re protected from day one.

If you’d like help reviewing your privacy practices, preparing a Privacy Policy, or putting a Data Breach Response Plan in place, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
