Abinaja is the legal operations lead at Sprintlaw. After completing a law degree and gaining experience in the technology industry, she has developed an interest in working at the intersection of law and tech.
Most business owners don’t set out to “get privacy wrong”. Usually, it’s the opposite - you’re trying to do the right thing while juggling customers, staff, cashflow, and whatever new tech tool you’ve just added to your stack.
But privacy complaints can happen surprisingly easily. A marketing email sent to the wrong list. A staff member sharing more than they should. A spreadsheet stored somewhere it shouldn’t be. Or a customer asking, “What information do you have about me?” and you’re not sure how to answer.
This guide is updated to reflect the current way privacy complaints are being raised and handled in New Zealand - especially with more businesses operating online, using cloud tools, and collecting data through websites, apps, and social platforms.
Let’s walk through what your legal obligations generally look like under the Privacy Act 2020, what causes privacy complaints in the real world, and the practical steps you can take to be ready (without turning your business into a paperwork factory).
What Counts As A Privacy Complaint (And When Should You Worry)?
A privacy complaint usually starts when someone believes your business has mishandled their personal information. That could mean you:
- collected information unfairly or without telling them why you needed it
- used their information for a different purpose than what you originally said
- shared their information with someone else without a proper reason
- failed to keep their information secure
- refused (or delayed) giving them access to their information when they asked
- kept their information longer than you needed to
In New Zealand, privacy complaints are commonly made to the Office of the Privacy Commissioner (OPC). Not every complaint becomes a big formal investigation, but even a “small” complaint can chew up your time, disrupt your operations, and damage customer trust if you’re not prepared.
“Personal Information” Is Wider Than Most People Think
Personal information is information about an identifiable individual. Depending on what you do, this might include:
- names, email addresses, phone numbers
- delivery addresses and billing details
- purchase history and customer service messages
- photos or video footage where someone can be identified
- IP addresses, device identifiers, and online account information
- health information (for some industries) and other sensitive personal information
Even if you’re “just a small business”, you can still be responsible for personal information in a way that triggers privacy obligations.
What Are Your Core Obligations Under The Privacy Act 2020?
The Privacy Act 2020 is the main law governing how businesses (and other organisations) collect, use, store, and disclose personal information in New Zealand.
You don’t need to memorise the legislation to run a compliant business - but you do need to build a few good habits and systems. The general theme is simple: only collect what you need, be clear about what you’re doing, keep it safe, and respect people’s rights to access and correct their information.
Collecting Information: Be Clear And Fair
When you collect personal information, you should generally be able to answer:
- Why do we need this information?
- How will we use it?
- Who might we share it with (if anyone)?
- What happens if the person doesn’t provide it?
This is where a good Privacy Policy and collection notices help - they set expectations early and reduce misunderstandings that often turn into complaints.
Using And Sharing Information: Stay Within The Purpose
A common complaint trigger is when a customer thinks you used their data for “something else” - for example, they gave you an email to send a receipt, and then you added them to a marketing list without properly addressing consent and expectations.
It’s not that marketing is automatically “illegal”. It’s that marketing needs to be done thoughtfully: match your purpose, communicate clearly, and don’t be sneaky about opt-ins and unsubscribes.
If you’re running email campaigns, it’s also worth keeping your broader compliance in mind (for example, the way you describe offers and pricing should align with the Fair Trading Act 1986). Privacy and marketing compliance tend to overlap in practice.
Security: You Need Reasonable Protections (Not Perfect Ones)
You’re generally expected to take reasonable steps to protect personal information from:
- loss
- unauthorised access
- unauthorised use, modification, or disclosure
- other misuse
“Reasonable” depends on your business size, the type of information you hold, and the harm that could occur if it was exposed. For example, a business storing health information should typically have stronger protections than a business storing a simple enquiry form submission.
Practical examples of reasonable steps include:
- unique user logins (no shared passwords)
- multi-factor authentication on key systems
- role-based access (staff only see what they need)
- encrypted devices and secure backups
- clear processes for onboarding/offboarding staff
Access Requests: People Can Ask What You Hold About Them
Individuals generally have the right to request access to their personal information, and to request corrections.
In real life, this might look like a customer emailing you with: “Please send me all the information you have on file about me.” If you’ve never handled this before, it can feel stressful - but a calm, documented process makes it manageable.
It helps to have a standard workflow and (where appropriate) a form, such as an Access Request Form, so your team can respond consistently and within a reasonable timeframe.
Why Privacy Complaints Happen In Small Businesses (Common Triggers)
Privacy complaints often aren’t caused by “bad intentions”. They’re usually caused by gaps between what you think your systems do and what they actually do.
Here are some of the most common triggers we see small businesses run into.
1. You Don’t Really Know What Data You Collect
If you have a website, you might be collecting data through:
- contact forms
- booking tools
- payment gateways
- newsletter sign-ups
- cookies and analytics tools
And that’s before you count what you collect offline (paper forms, phone calls, in-store CCTV, scanned IDs, and so on).
If someone complains and you can’t clearly explain what you collect and why, it’s harder to resolve quickly.
2. Staff Handle Data Inconsistently
One team member might forward customer emails to their personal account to “work on it later”. Another might store customer files on an unapproved drive. Another might share screenshots in a group chat.
This is why privacy compliance isn’t just a legal document problem - it’s a process and training problem too.
3. You Use Third-Party Tools Without Thinking About Privacy
Most businesses rely on third-party providers (for example, CRMs, scheduling tools, cloud storage, chat widgets, and marketing platforms). That’s normal.
The key is to understand:
- what information those tools collect on your behalf
- where that information is stored (including overseas storage)
- what security controls are available
- who in your business can access the tool
If a complaint relates to a third-party tool, you still need to manage the response - even if the underlying issue is “with the provider”.
4. You Don’t Have A Clear Plan For Data Breaches
If you have a data breach (for example, an email account gets hacked or a laptop is stolen), time matters. Confusion and delay can increase harm and make the situation harder to control.
Having a documented Data Breach Response Plan and a data breach notification process helps you respond quickly, consistently, and in a way that shows you take privacy seriously.
How To Prepare Your Business For Privacy Complaints (A Practical Checklist)
If you want to be “complaint-ready”, the goal isn’t to eliminate all risk (no business can). The goal is to make sure you can respond calmly, show you have systems in place, and fix issues quickly.
Step 1: Do A Quick “Data Map” Of Your Business
Start with a simple list of:
- what personal information you collect
- where you collect it from (website, phone, in-person, social media)
- why you collect it
- where you store it (email, CRM, cloud drive, accounting software)
- who you share it with (suppliers, payment providers, couriers)
- how long you keep it
This doesn’t need to be perfect on day one. Even a basic “map” makes it much easier to update your documents and train your team.
Step 2: Make Sure Your Privacy Policy Matches Reality
A privacy policy isn’t just a “website footer link”. It’s a plain-English explanation of how you handle personal information.
The fastest way to get into trouble is to publish a policy that doesn’t match what you actually do. If your policy says you “never share data with third parties”, but you use third-party email marketing and analytics tools, that mismatch can create complaints very quickly.
Many businesses also need supporting documents alongside the privacy policy, such as a Cookie Policy if you use tracking technologies.
Step 3: Set Internal Rules For Access, Storage, And Deletion
Privacy compliance usually improves dramatically when you set a few non-negotiables, such as:
- Access control: only give staff access to the data they need for their role
- Approved storage: specify which systems are allowed (and which aren’t)
- Deletion and retention: have a simple rule for how long you keep common records
- Device security: require passcodes, encryption, and screen locks on work devices
- Incident reporting: staff must report suspected breaches immediately
If you employ staff, these expectations should be reflected in your workplace documentation and reinforced through onboarding. Depending on your business, this might sit alongside an Employment Contract and internal policies, so there’s less ambiguity about what “acceptable handling” looks like.
Step 4: Have A Clear “Privacy Complaint” Process (So You Don’t Panic)
When a complaint lands in your inbox, your response should be structured and calm. A simple internal process might look like:
- Acknowledge receipt and let the person know you’re looking into it.
- Identify the issue: what information is involved, what happened, and when?
- Contain risk: stop further disclosure (for example, recall an email, suspend access, reset passwords).
- Investigate: check records, talk to staff involved, review system logs if relevant.
- Respond with outcome: explain what happened (as appropriate), what you’ve done, and what you’ll change.
- Document everything in case the complaint escalates.
If the issue involves a broader system weakness (for example, your booking platform collects more data than needed), it’s worth fixing the root cause rather than just responding to the individual complaint.
Step 5: Prepare For Access And Correction Requests
Access requests are a common source of complaints because businesses delay, respond inconsistently, or don’t know what to provide.
To prepare, decide:
- who in your business receives and manages access requests
- how you verify identity (so you don’t accidentally disclose to the wrong person)
- where you’ll search for information (email, CRM, shared drive, paper files)
- how you’ll provide it securely (for example, password-protected file transfer)
This is also where having an access request workflow and template (like an Access Request Form) can keep things consistent, especially as your team grows.
What To Do If You Receive A Privacy Complaint (Immediate Steps)
If you’ve received a complaint, don’t ignore it and don’t go on the defensive. The early response is often what determines whether a complaint becomes a quick fix or a long, expensive distraction.
1. Don’t Admit Liability Too Early (But Don’t Be Vague)
You can be polite, responsive, and helpful without making statements that lock you into a legal position before you understand the facts.
A good early response is usually:
- acknowledging the concern
- confirming you’re investigating
- giving a timeframe for next steps
2. Preserve Evidence And Keep Notes
As soon as a complaint is raised, start a file (even if it’s just a secure folder) with:
- the original complaint and any follow-up messages
- internal notes about what happened
- screenshots or system logs (if relevant)
- what changes you made as a result
This documentation is useful if the complaint escalates to the OPC, but it’s also useful internally - it helps you learn from the incident and improve your processes.
3. Check If This Is Actually A Data Breach
Sometimes what starts as a “complaint” is also a breach (for example, unauthorised access to customer accounts, misdirected emails with personal data, or leaked spreadsheets).
If there’s a breach element, you may need to use your breach response process and consider notification steps. This is where it’s important to have a plan already, rather than deciding everything in the moment.
4. Get Advice If The Complaint Is Serious Or Complex
If the complaint involves sensitive personal information, high volumes of data, public-facing risk, or a complicated third-party tool chain, it’s worth getting tailored legal advice early. The cost of “waiting to see what happens” is often higher than dealing with it properly from the start.
Privacy issues can also overlap with other areas (for example, employment if a staff member was involved, or consumer law if the complaint relates to account cancellations or marketing). Getting clear advice helps you respond confidently without creating new problems.
Key Takeaways
- Privacy complaints often come down to everyday business practices - not dramatic hacks - so having clear systems and training matters.
- Under the Privacy Act 2020, you should collect only what you need, use it fairly, keep it secure, and be ready to respond to access and correction requests.
- A practical “data map” (what you collect, where it’s stored, who has access, and who it’s shared with) is one of the quickest ways to reduce privacy risk.
- Your Privacy Policy and cookie disclosures should match what your business actually does, especially if you use third-party tools and analytics.
- A documented breach and complaint response process helps you act quickly, reduce harm, and show that you take privacy seriously.
- If a complaint involves sensitive data, a breach, or reputational risk, it’s smart to get legal advice early rather than trying to patch it up later.
If you’d like help getting your privacy compliance sorted - whether that’s a Privacy Policy, a breach response plan, or advice on handling a complaint - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.