Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Does NZ Privacy Law Say About Collecting Children’s Data?
How Can Your Business Collect Children’s Data More Safely (Without Killing Conversions)?
- Step 1: Be Clear About What You Collect And Why
- Step 2: Use Plain-Language Notices (Designed For Real Humans)
- Step 3: Treat “Optional” Collection As A Separate Yes/No
- Step 4: Consider Age Gates Carefully (And Don’t Over-Collect)
- Step 5: If You Use Cookies Or Tracking, Make Sure Your Website Setup Matches Your Message
- Step 6: Have A Simple Process For Access And Corrections
- Key Takeaways
If your business collects customer information online (or even in person), you’ve probably wondered where children fit into the rules.
Maybe you run an e-commerce store with a loyalty programme, a tutoring business, a sports club, an app, or you’re building a platform that’s popular with young users. Either way, one question comes up quickly: what age can children consent to data collection in New Zealand?
The tricky part is that New Zealand privacy law doesn’t give you a single magic number that applies in every situation. Instead, you need to think about capacity, fairness, and how you can show you’re treating children’s information with extra care.
Below, we’ll break down what the law generally expects, when you should involve a parent or guardian, and practical steps you can build into your website, app, or sign-up processes so you’re protected from day one.
What Does NZ Privacy Law Say About Collecting Children’s Data?
In New Zealand, the key law is the Privacy Act 2020. It applies to most businesses (including small businesses and startups) when you collect, store, use, or share “personal information”.
“Personal information” is broadly anything about an identifiable individual. For children, that could include:
- name, email address, phone number
- date of birth (including “age verification” data)
- address or school information
- photos, videos, voice recordings
- location data
- device identifiers
- health or wellbeing info (often treated as highly sensitive)
The Privacy Act is built around the Information Privacy Principles (IPPs). These principles cover things like:
- why you’re collecting the information and whether it’s necessary
- how you collect it (fairness and transparency)
- how you store and secure it
- who you share it with
- what rights people have to access and correct it
Importantly, the Privacy Act doesn’t say “children can consent at X age” across the board. Instead, the overall expectation is that you collect personal information fairly, reasonably, and in a way that people (including children, where relevant) can understand.
That’s why the “child consent age for data collection” question is less about finding a number and more about building a defensible process.
Is There A Specific Child Consent Age For Data Collection In New Zealand?
For most business contexts in New Zealand, there isn’t a single fixed child consent age for data collection set out in privacy legislation.
Instead, the practical question is usually:
Can the child understand what information you’re collecting, why you’re collecting it, and what will happen to it?
In other words, consent (if you’re relying on consent) needs to be informed and meaningful. If a child can’t reasonably understand what they’re agreeing to, then their “consent” may not be worth much from a compliance perspective.
Why This Matters For Your Business
From a risk-management point of view, if you collect a child’s data based on “consent” that wasn’t genuinely informed, you could be exposed to:
- privacy complaints (including to the Office of the Privacy Commissioner)
- reputational damage (these issues can become public quickly)
- costly operational clean-up (deleting data, contacting users, changing systems)
- contract issues (for example, with schools, venues, or partners who expect higher standards)
Even if your intentions are good, children’s data is generally treated as higher-risk because children are less likely to understand long-term consequences (like marketing profiles or data sharing).
So When Do You Actually Need Consent?
A common misconception is that you always need consent to collect personal information. In reality, under the IPPs you can often collect personal information without “consent” where the collection is necessary for a lawful purpose connected with your functions or activities, and you collect it fairly and transparently (for example, to ship an order, administer a membership, or provide a booked service).
That said, consent is still an important tool in privacy compliance. It becomes far more important when you’re collecting information for optional or secondary purposes (or where people wouldn’t reasonably expect the collection or use), such as:
- direct marketing and promotional campaigns
- profiling users for targeted advertising
- sharing data with partners or sponsors (beyond what’s needed to deliver the service)
- collecting optional information that isn’t needed to deliver the core service
- collecting or using photos/videos for promotional use
In those situations, if your audience includes children, you should treat consent as a higher bar and consider parent/guardian involvement (including taking reasonable steps to ensure the person giving consent understands what they’re agreeing to).
When Should You Get Parent Or Guardian Consent?
If there’s no single child consent age for data collection, how do you decide when a parent or guardian should be involved?
A practical approach is to look at risk and understanding. The younger the child and the more sensitive the data or the wider the use, the more you should lean towards parent/guardian consent.
The Office of the Privacy Commissioner (OPC) also generally expects agencies to take extra care with children and young people’s information, including taking reasonable steps to communicate in a way the child (or their parent/guardian) can understand.
Situations Where Parent/Guardian Consent Is Usually The Safer Option
- The child is very young (for example, primary school aged) and you can’t realistically say they understand the data use.
- You’re collecting sensitive information (health, disability, counselling, behavioural information, precise location data). If you’re handling sensitive personal information, you generally want stronger safeguards and clearer permissions.
- You want to use images or videos for marketing (think: posting photos of kids at an event on social media or using them on your website).
- You’re disclosing data to third parties (sponsors, analytics providers, advertising networks, affiliates).
- You’re using data for marketing (email/SMS marketing is an obvious example, but also in-app promotions and push notifications). If you do email marketing, make sure your practices also line up with email marketing laws.
Even where parent consent isn’t strictly “required” by a single rule, it can be the difference between a process that’s defensible and one that looks careless.
What If You’re Collecting Data Through A School Or Club?
If you’re providing services through a school, sports club, or community organisation, don’t assume they’ve handled consent for you.
You should be clear on:
- who is collecting the information (you, the school, or both)
- what the information will be used for
- whether you’re allowed to use it for your own marketing
- how long you’ll keep it
- how parents can request access or deletion
Where children are involved, it’s usually worth tightening up the wording and making sure the consent is explicit and easy to prove later.
How Can Your Business Collect Children’s Data More Safely (Without Killing Conversions)?
It’s normal to worry that “privacy compliance” will create extra steps and reduce sign-ups.
The goal isn’t to build a maze. It’s to build a process that is:
- clear (people understand it)
- proportionate (you collect what you need, not everything)
- documented (you can show what you did)
- secure (you protect the data)
Step 1: Be Clear About What You Collect And Why
Before you even touch consent, write down:
- what personal information you collect (and where it comes from)
- your purpose for collecting it
- who it gets shared with (including cloud tools and service providers)
- how long you keep it
This becomes the backbone of your privacy documents and helps you avoid “scope creep” later.
Step 2: Use Plain-Language Notices (Designed For Real Humans)
If kids (or parents) can’t understand what you’re doing, consent won’t be meaningful.
Consider a layered approach:
- a short “just-in-time” notice at the point of collection (1–3 sentences)
- a link to your full Privacy Policy
If you collect data online, it’s also common to need a Privacy Policy that matches what your website or app actually does in practice (not what you hope it does).
Step 3: Treat “Optional” Collection As A Separate Yes/No
A good rule of thumb: if the information isn’t necessary to deliver your service, don’t bundle it into a single “agree to everything” button.
Instead, separate optional collection and uses, such as:
- marketing emails
- SMS promos
- sharing data with partners
- using photos for promotional content
This is where a properly drafted Privacy Consent Form can be a practical tool, especially for offline sign-ups or events.
Step 4: Consider Age Gates Carefully (And Don’t Over-Collect)
Many businesses jump straight to “we’ll just collect date of birth to verify age.” But that can create extra privacy risk because you’re collecting even more personal information.
If you do use age gates, make sure you:
- only collect what you need (do you need DOB, or just a “I confirm I’m over X” tick box?)
- don’t use age data for unrelated purposes
- store it securely
- have a clear process for parent/guardian involvement where required
Step 5: If You Use Cookies Or Tracking, Make Sure Your Website Setup Matches Your Message
If your site uses cookies for analytics or advertising, you should be upfront about it-especially if your users may be under 16 or otherwise vulnerable.
New Zealand privacy law doesn’t impose a single blanket rule that every website must have a cookie banner. What matters is whether your cookie/tracking practices are transparent, fair, and consistent with what you tell users (and, if you’re relying on consent for certain tracking, that consent is clear and informed). Depending on your setup, a banner or consent tool may still be appropriate. If you’re unsure, it’s worth checking whether cookie pop-ups make sense for your website.
Step 6: Have A Simple Process For Access And Corrections
People generally have the right to request access to their personal information and ask for corrections. For children, those requests might come through a parent or guardian.
Having a documented intake process helps you respond consistently and on time. Many businesses use an access request form to keep it simple (and to ensure you’re verifying the requester appropriately).
Common Business Scenarios (And How To Handle Them)
To make this more concrete, here are a few common situations where the child consent age for data collection question comes up.
1) Online Stores And Loyalty Programmes
If kids can sign up for an account or loyalty programme, ask yourself:
- Is the product/service aimed at children, or are children just incidental users?
- What data do you really need to run the programme?
- Are you using the data for marketing (and if so, can the user understand that)?
For marketing sign-ups, avoid pre-ticked boxes and make sure the marketing opt-in is genuinely optional.
2) Competitions, Giveaways, And Event Registrations
Competitions are a classic example of “extra” data collection: you might be collecting names, emails, phone numbers, shipping addresses, and sometimes images.
If children can enter, consider:
- adding clear eligibility rules (for example, “under 16s must have parent/guardian permission”)
- limiting what you collect at entry
- having a follow-up step for parent/guardian details where appropriate
- being upfront if entries might be published publicly
If you’re collecting information in person (for example at a school gala, sports day, or community event), a Participant Consent Form can help you capture clear permission and keep a record.
3) Photos/Videos Of Children For Marketing
If your business takes photos or videos at events, classes, or sessions, this can quickly become a privacy issue-especially if content is posted publicly online.
Good practice includes:
- getting clear consent from a parent/guardian (and keeping a record)
- being specific about where you’ll post (website, social media, ads)
- allowing people to opt out without being excluded from the service
- having a quick takedown process if someone changes their mind
Even if you’re not “naming” children, images can still be personal information if individuals are identifiable.
4) Apps, Platforms, And Online Communities
If you run a platform where users generate content, message each other, or create profiles, you’re dealing with higher privacy and safety risks.
In these cases, you’ll usually want to think beyond basic compliance and consider:
- strong default privacy settings
- limits on public visibility for minors
- moderation tools and reporting features
- data minimisation (don’t make fields mandatory unless they’re needed)
- clear deletion and retention rules
It can feel like a lot, but getting these foundations right early is far easier than trying to retrofit them after a complaint.
Key Takeaways
- There isn’t one fixed child consent age for data collection in New Zealand; instead, you should focus on whether consent is informed and whether the child can reasonably understand what’s happening with their data.
- The Privacy Act 2020 applies to most NZ businesses and expects personal information (including children’s information) to be collected fairly, used for clear purposes, stored securely, and handled transparently.
- Parent/guardian consent is usually the safer option where children are young, where you’re collecting sensitive personal information, where data will be shared, or where you’re using data for marketing or publicity.
- Good compliance is practical: collect only what you need, use plain-language notices, separate optional consents, and keep records of permissions.
- Your privacy documents and website setup should match your real practices, including cookies/tracking, marketing sign-ups, and how you respond to access/correction requests.
- When in doubt, get advice early-especially if your product is aimed at children or you’re handling high-risk data or online community features.
If you’d like help getting your data collection and consent processes right (including privacy policies, consent wording, and customer-facing terms), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.








