Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business or startup, privacy probably isn’t the first thing you think about when you’re building your product, signing your first customers, or hiring your first team member.
But in practice, privacy comes up fast - because most businesses collect some form of personal information (even if it’s just names, email addresses, delivery details, or CCTV footage at your premises).
The good news is that privacy compliance doesn’t have to be complicated. If you understand what the law is trying to achieve and set up a few simple systems early, you’ll be protecting your customers, your team, and your business from day one.
This article is general information only and does not constitute legal advice. Privacy obligations can vary depending on your business model, industry, and the types of data you handle.
What Does “Privacy” Mean For A Business In New Zealand?
In a business context, privacy is mainly about how you collect, use, store, share and delete personal information.
In New Zealand, the key law you need to know is the Privacy Act 2020. It applies to most organisations (including small businesses and startups) that deal with personal information.
Personal information is information about an identifiable individual. This can include obvious details like a customer’s name and phone number, but it can also include:
- email addresses and shipping addresses
- customer account logins and order history
- IP addresses and device identifiers (depending on context)
- photos or video footage (including CCTV)
- employee files and payroll details
- health information (which is generally treated as sensitive)
Even if you don’t think of yourself as a “data business”, if you send invoices, take online bookings, run email marketing, use a CRM, or store files in cloud tools, privacy is part of your day-to-day operations.
Privacy compliance is also not just about avoiding legal risk. It’s about trust. When a customer gives you their information, they’re trusting you not to misuse it and not to leave it exposed.
Does The Privacy Act 2020 Apply To Small Businesses And Startups?
For most small businesses and startups, yes - the Privacy Act 2020 will apply in some way.
A common misconception is that privacy laws are only for large corporates. In reality, many privacy issues happen in small businesses because they’re moving quickly, wearing a lot of hats, and don’t always have processes in place yet.
You’re more likely to have privacy obligations if you:
- collect customer enquiries through your website
- sell products online and store delivery details
- take bookings or appointments
- have a membership program, subscriber list, or client database
- run CCTV or other monitoring at your workplace
- hire staff and keep employee records
- work with contractors who can access customer information
Even if you only collect a small amount of personal information, it still needs to be handled properly.
One of the simplest early wins is having a clear privacy policy that matches what you actually do in your business (not a generic template that doesn’t fit).
What Are Your Core Privacy Obligations As A Business Owner?
The Privacy Act 2020 sets out privacy principles (often called “information privacy principles”). You don’t need to memorise them - what matters is translating them into practical business habits.
Here are the core privacy obligations that most small businesses should focus on.
1. Only Collect What You Actually Need
Collect personal information because you have a real business reason - not “just in case”.
For example, if you’re selling a digital download, you probably don’t need someone’s home address. If you’re running a delivery-based business, you’ll need an address, but you might not need a date of birth.
This matters because the more information you collect, the more risk you carry (and the more you need to secure).
2. Be Clear And Transparent When You Collect Information
When you collect personal information, you should be upfront about:
- what you’re collecting
- why you’re collecting it
- who you might share it with (for example, delivery providers, payment processors, booking platforms)
- how people can access or correct their information
This is where a properly drafted privacy policy and privacy collection notices become really useful. If you’re collecting information through your website, having a privacy collection notice in the right places (for example, forms and checkout flows) can help you stay consistent and reduce confusion.
3. Use Information Only For The Purpose You Collected It For
If a customer gives you their details to place an order, using those details to send unrelated marketing without consent can create privacy risk (and customer frustration).
If you want to use personal information for a new purpose later, think carefully about whether you:
- need consent, or
- need to update your privacy communications, or
- should avoid using it altogether
This is a big one for startups that pivot quickly - your product may change faster than your legal documents and privacy practices. It’s worth building a habit of reviewing privacy impacts whenever your business model changes.
4. Keep Personal Information Secure
Your privacy obligations include taking reasonable steps to protect personal information from loss, unauthorised access, disclosure, or misuse.
“Reasonable steps” depends on your business - but as a minimum, many SMEs should consider:
- using strong passwords and multi-factor authentication
- restricting staff access to “need to know” only
- encrypting devices and using secure storage
- having clear rules about using personal devices for work
- setting retention timeframes (so you’re not keeping data forever)
If you use contractors or external service providers (like developers, virtual assistants, IT support, or marketing agencies), your contracts should match your privacy expectations. Depending on the arrangement, you might need tailored contract terms (or a specific agreement) so it’s clear who can access what information and what happens if something goes wrong.
5. Give People Access To Their Information (And Correct It If Needed)
Individuals generally have rights to request access to their personal information and to request corrections.
As a small business, you don’t need an enterprise-level process - but you do need a simple internal workflow so that, if someone asks, you can:
- verify their identity
- find the information you hold, and
- respond within the required timeframe (or let them know if you need more time)
In New Zealand, agencies generally must respond to an access or correction request as soon as reasonably practicable and no later than 20 working days after receiving it (subject to limited grounds for refusing or extending time in certain situations).
If your business holds sensitive information (for example, health-related details), you’ll want to be extra careful about how access requests are handled. A structured access request form can make the process smoother and reduce the risk of accidentally releasing data to the wrong person.
What Counts As A Privacy Breach (And What Should You Do If One Happens)?
A privacy breach is basically any situation where personal information is:
- accessed without authorisation,
- disclosed incorrectly,
- lost, or
- compromised (including via hacking, phishing, or accidental sharing).
Common examples for small businesses include:
- sending an email to the wrong customer (with an invoice or personal details attached)
- losing a laptop or phone that contains customer or employee data
- a staff member sharing customer information without permission
- a cloud storage folder being publicly accessible by mistake
- your website being compromised and customer data being exposed
Do You Have To Notify Anyone?
Under the Privacy Act 2020, if a breach is a notifiable privacy breach (meaning it’s likely to cause serious harm), you may need to notify the Office of the Privacy Commissioner and affected individuals.
Whether it’s “notifiable” depends on factors like:
- the type of information involved (financial or health information is higher risk)
- who got access to it (a trusted staff member vs a malicious attacker)
- whether the information was encrypted or protected
- what harm could realistically result (identity fraud, financial loss, humiliation, safety risk)
If this sounds stressful - it can be. That’s why it’s smart to plan ahead, rather than trying to invent a response while you’re in the middle of a crisis.
Having a simple data breach response plan can help your team act quickly, preserve evidence, reduce harm, and make better decisions about notification.
Privacy Policies, Website Terms, And Contracts: What Documents Do You Actually Need?
Privacy compliance is a mix of what you do operationally and what you say publicly and contractually.
For most small businesses and startups, these are the documents that come up most often.
A Privacy Policy (Almost Always)
If you collect personal information through your website, forms, email, or your product itself, having a privacy policy is usually expected - and for many businesses, it’s essential.
A good privacy policy should match your real data practices, including:
- what information you collect (and how)
- how you use it (orders, customer support, marketing, analytics)
- who you share it with (suppliers, platforms, contractors)
- whether you disclose data overseas (common if you use cloud tools)
- how long you keep it
- how people can contact you about privacy issues
As mentioned earlier, a tailored Privacy Policy is a strong foundational step - especially if you’re scaling quickly and collecting more data over time.
Website Terms (Where Customers Interact With You Online)
Privacy often sits alongside your broader website and online business setup. If you sell online, take bookings, or provide a digital platform, your website terms help set the rules for how people use your site and what happens if things go wrong.
Depending on your setup, you might need Website Terms and Conditions to cover:
- acceptable use
- account registration rules
- intellectual property ownership
- disclaimers and limitations (where legally appropriate)
- payment, delivery, cancellations and refunds (for eCommerce)
These terms won’t replace privacy compliance, but they do work alongside your privacy documents to reduce disputes and clarify expectations.
Customer Contracts (For B2B And Service Businesses)
If you provide services to other businesses - particularly where you handle their customer data - your service agreement should address privacy clearly.
That might include:
- what personal information you’ll handle
- what security measures you’ll use
- whether you can use subcontractors
- what happens if there’s a data breach
- who is responsible for notifications and remediation
A properly drafted Service Agreement can be a practical way to align expectations - especially when privacy obligations sit on both sides.
Employment Documents And Workplace Policies
Privacy isn’t just about customers. As soon as you hire, you’ll be collecting employee personal information (bank details, addresses, emergency contacts, performance information, and sometimes health-related details like medical certificates).
Your Employment Contract and internal policies should support privacy-safe behaviour, including expectations about:
- confidentiality and information handling
- who can access employee records
- use of work devices and systems
- how monitoring (like CCTV) is handled, if relevant
This is also where many businesses accidentally create risk - for example, by collecting more information than necessary, sharing it too widely internally, or keeping records indefinitely without a reason.
Practical Privacy Tips For Startups (Especially If You’re Scaling Fast)
Startups often grow in bursts - a funding round, a new product launch, a big customer win. Privacy needs to keep pace with that growth.
Here are practical steps you can implement without slowing your momentum.
Map Your Personal Information (Even A Simple Version)
You don’t need a complicated compliance program to start. A simple “data map” can be a spreadsheet where you list:
- what personal information you collect
- where it comes from (website, app, sales calls, onboarding forms)
- where you store it (CRM, accounting software, email inboxes, cloud storage)
- who has access (roles, not names)
- who you share it with (vendors, platforms, contractors)
- how long you keep it (retention)
This makes privacy decisions easier because you can see your risk points clearly (for example, who has admin access, what’s stored in spreadsheets, or where data is copied unnecessarily).
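The data map described above can be checked mechanically once it is in a structured form. The following Python is an added example (it is not Sprintlaw’s code or a tool the article recommends): it holds a constructed data map using the columns suggested in the list, and applies four assumed first-pass review rules that mirror the risk points named in the paragraph: broad or admin access, personal information sitting in spreadsheets or inboxes, retention periods that have expired, and the same information copied into more than one store. The rows, role names, store names and retention periods are all made up.

```python
"""Toy data-map risk review (added example, not from the article).

The DATA_MAP rows are constructed, and the four rules are assumptions about
what a small business would look for first when reviewing its own map.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample data map: one row per kind of personal information per store.
DATA_MAP = [
    {"info": "customer name and email", "source": "website enquiry form",
     "store": "CRM", "access": {"sales", "support"},
     "shared_with": {"email marketing platform"},
     "retention_days": 730, "oldest_record": date(2022, 1, 10)},
    {"info": "customer name and email", "source": "website enquiry form",
     "store": "spreadsheet", "access": {"everyone"}, "shared_with": set(),
     "retention_days": 730, "oldest_record": date(2022, 1, 10)},
    {"info": "delivery address", "source": "checkout",
     "store": "ecommerce platform", "access": {"fulfilment"},
     "shared_with": {"courier"},
     "retention_days": 365, "oldest_record": date(2025, 6, 1)},
    {"info": "employee bank details", "source": "onboarding form",
     "store": "email inbox", "access": {"admin", "payroll"},
     "shared_with": {"accountant"},
     "retention_days": 2555, "oldest_record": date(2024, 3, 1)},
]

# Assumed role labels that indicate access wider than "need to know".
BROAD_ACCESS = {"everyone", "admin", "all staff"}
# Assumed store types where data tends to be copied and forgotten.
UNSTRUCTURED_STORES = {"spreadsheet", "email inbox", "shared drive"}


def flag_risks(rows, today):
    """Return (rule, info, store) tuples for every row that trips a rule."""
    findings = []
    copies = defaultdict(list)
    for row in rows:
        copies[row["info"]].append(row["store"])
        if row["access"] & BROAD_ACCESS:
            findings.append(("broad_access", row["info"], row["store"]))
        if row["store"] in UNSTRUCTURED_STORES:
            findings.append(("unstructured_store", row["info"], row["store"]))
        # Oldest record plus the retention period gives the date it should have gone.
        expiry = row["oldest_record"] + timedelta(days=row["retention_days"])
        if today > expiry:
            findings.append(("retention_expired", row["info"], row["store"]))
    # The same information held in two stores is a copy to question.
    for info, stores in copies.items():
        if len(stores) > 1:
            findings.append(("duplicate_copy", info, ", ".join(sorted(stores))))
    return findings


def summarise(findings):
    """Count findings per rule so the review can be tracked over time."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for rule, info, store in flag_risks(DATA_MAP, date(2026, 1, 15)):
        print(f"{rule:18} {info!r:32} in {store}")
    print(summarise(flag_risks(DATA_MAP, date(2026, 1, 15))))
```

Run against the constructed map on 15 January 2026, the review flags the spreadsheet copy on three rules at once, which is the point of the exercise: the cheapest fix is usually to delete the extra copy rather than to secure it.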
Choose Tools With Security In Mind
Lots of modern tools are privacy-friendly - but not all. Before you adopt a new platform, ask:
- Does it use multi-factor authentication?
- Can you manage access by role?
- Where is the data hosted (and is it sent overseas)?
- What happens if the provider has a breach?
Overseas hosting or access isn’t automatically “bad” - it’s common - but you should understand it and make sure your privacy policy reflects what you actually do. In particular, New Zealand has specific rules for disclosing personal information overseas (including requiring you to take steps to ensure the recipient will protect the information in a way that’s comparable to New Zealand privacy standards, unless an exception applies).
Train Your Team Early (Even If Your Team Is Tiny)
Many privacy issues aren’t caused by sophisticated hackers - they’re caused by everyday mistakes. Training can be simple:
- don’t email customer lists to personal emails
- double-check recipients before sending attachments
- lock screens and protect devices
- don’t share customer details in public channels
- escalate any suspected breach immediately
It’s much easier to build privacy habits at 3 people than to fix a messy culture at 30 people.
Think About Privacy When You Build Your Product
If you run a tech startup, privacy shouldn’t be a last-minute “legal tick box”. It’s part of product design.
For example:
- If you can achieve the same feature without collecting personal information, that’s often safer.
- If you need personal information, collect the minimum and protect it properly.
- If you’re adding analytics, be clear about what’s tracked and why.
This approach often reduces risk, simplifies compliance, and improves customer trust - which is a real competitive advantage.
Key Takeaways
- Privacy matters for most small businesses and startups because even simple operations (sales, bookings, invoicing, marketing) involve personal information.
- The Privacy Act 2020 is the main privacy law in New Zealand, and it applies broadly across industries and business sizes.
- Focus on practical compliance: only collect what you need, be transparent, secure personal information, and have a clear process for access/correction requests (including meeting the 20 working day response requirement).
- Privacy breaches can happen in everyday situations (misdirected emails, lost devices, hacked accounts), so it’s worth having a response plan in place before anything goes wrong.
- Legal documents support your privacy practices, including a tailored Privacy Policy, website terms, customer contracts, and employment documents that set clear expectations.
- Startups should build privacy into their systems early by mapping what data they collect, using secure tools, and training the team from day one.
If you’d like help getting your privacy foundations right - whether that’s drafting a Privacy Policy, reviewing your website terms, or setting up privacy-ready contracts - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.