If your website uses analytics, embedded videos, a live chat widget, or any kind of targeted marketing, there’s a good chance you’re using cookies (or similar tracking tech) whether you realise it or not.
And while cookies can be genuinely helpful for improving your site and growing your business, they also come with privacy obligations in New Zealand.
This article has been updated to reflect current expectations around online privacy and transparency, so you can confidently set your website up the right way from day one (and avoid awkward complaints later).
Let’s break down what cookies are, why a cookie policy matters, and what a “good” cookie policy should include for a New Zealand business.
What Are Cookies (And Do You Actually Use Them)?
A cookie is a small text file that a website places on a user’s device (like their phone or laptop). It helps the website remember information about that user and their activity.
Cookies aren’t automatically “bad” - in most cases, they’re just tools that help websites function properly and collect useful insights. The legal issues tend to arise when cookies are used to track people in ways they don’t expect, or where personal information is collected without clear notice.
Common Cookie Examples You’ll See On Business Websites
- Essential cookies (sometimes called “strictly necessary”): These help basic site functions work, like shopping carts, login sessions, and security features.
- Analytics cookies: These track how users move through your site (for example, what pages are most popular), often through tools like Google Analytics.
- Marketing/advertising cookies: These are used to build audience profiles and show targeted ads (for example, through the Meta Pixel or Google Ads).
- Preference cookies: These remember choices like language, region, or saved settings.
- Third-party cookies: These are set by external platforms you’ve added to your website, such as embedded YouTube videos, booking tools, payment tools, or social media plugins.
If you’re thinking, “My site is simple - surely I don’t use cookies,” it’s still worth checking. Many plugins and integrations drop cookies automatically, even if you didn’t deliberately set them up.
Under the Privacy Act 2020, “personal information” is information about an identifiable individual.
A cookie on its own might not always identify someone by name. But cookies often collect (or can be combined with) other data like IP addresses, device IDs, browsing behaviour, purchase history, or account details. In practice, cookies can quickly become part of a dataset that identifies someone - which means privacy compliance becomes relevant.
This is why a clear cookie policy is such a practical risk-management step: it helps you explain what’s happening on your website in plain language, before anyone needs to ask.
Why Do You Need A Cookie Policy In New Zealand?
A cookie policy is a public document (usually linked in your website footer) that explains how your site uses cookies and similar technologies, and what choices users have.
In New Zealand, a cookie policy matters for three big reasons.
1. Privacy Act 2020 Compliance (Collection Transparency)
The Privacy Act 2020 is built around the idea that people should know when their information is being collected, why it’s being collected, and who it might be shared with.
If your cookies collect personal information (or are used alongside other data that makes someone identifiable), you’ll generally need to:
- be transparent about what you’re collecting and why
- only collect what you genuinely need
- take reasonable steps to keep it secure
- avoid collecting in a way that’s unfair or unreasonably intrusive
A cookie policy supports these obligations because it gives users a clear explanation of what’s happening in the background while they browse your website.
In many cases, your cookie policy works alongside your Privacy Policy, which covers your broader approach to collecting and handling personal information (not just cookies).
2. Consumer Trust (Especially For E-Commerce And Lead Gen)
Even when you’re legally allowed to use certain cookies, users are more privacy-aware than ever. People want to know:
- Are you tracking them?
- Are you selling or sharing their data?
- Will they be followed around the internet with ads?
A clear cookie policy (and a well-set-up cookie banner, where relevant) helps build trust. It signals you’re running a professional business that takes compliance seriously.
Many advertising and analytics platforms expect you to provide disclosures and (in some setups) obtain consent. Even if those requirements aren’t strictly “New Zealand law,” they still matter because:
- they may be contractual requirements for using the platform
- you may have users from overseas jurisdictions with stricter cookie rules
- they’re increasingly part of normal best practice for reputable online businesses
The simple takeaway: having a cookie policy makes it easier to meet both legal expectations and platform expectations without scrambling later.
What Should A Cookie Policy Include?
A cookie policy doesn’t need to be long or filled with legal jargon - it just needs to be accurate, easy to understand, and aligned with what your website actually does.
Most cookie policies will include the following sections.
What Cookies Are And Why Your Website Uses Them
This is your plain-English explanation of cookies, including whether you use them for:
- essential site functions (e.g. logins, security, shopping carts)
- analytics and performance improvements
- personalisation (preferences)
- advertising and remarketing
Types Of Cookies Used (First-Party And Third-Party)
It’s helpful to separate:
- first-party cookies (set by your website)
- third-party cookies (set by other services you’ve embedded or integrated)
Third-party cookies are often where businesses get caught out, because they can involve data being sent to external providers.
You don’t need to list every technical data point, but you should describe the categories of information, such as:
- device type and browser information
- IP address (or partial IP address)
- location data (approximate)
- pages visited and time spent on the website
- referral sources (how someone found your site)
- actions taken (e.g. clicking buttons, submitting a form, adding items to cart)
This section should match the tools you actually use. If you’re not sure what your site collects, it’s worth doing a quick cookie audit with your developer or using a scanning tool.
How Users Can Manage Or Disable Cookies
A cookie policy should explain how users can control cookies, for example:
- changing browser settings to block or delete cookies
- using an on-site cookie banner or preference centre (if you have one)
- opting out of certain kinds of advertising cookies via third-party tools (where applicable)
Be careful not to promise controls you don’t actually offer. If you say “you can opt out of marketing cookies,” you need a real mechanism for that (or you need to be clear that the opt-out happens through browser settings or external tools).
Cookie Retention (How Long Cookies Stay On A Device)
Many cookie policies also explain the difference between:
- session cookies (deleted when the browser closes)
- persistent cookies (stay on the device for a set period)
You don’t have to list every retention period, but your policy should avoid being vague or misleading.
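The cookie audit mentioned earlier can start from the Set-Cookie response headers your developer captures during a page load. The script below is an added example, not part of the original article: it sorts each cookie into first-party or third-party and session or persistent, with a retention period in days. The site domain, host names and cookie values are constructed sample data, and matching on host-name suffix is a simplifying assumption.

```javascript
// Added example: inventory captured Set-Cookie headers for a cookie policy.
const SITE_DOMAIN = "example.co.nz"; // assumption: the site being audited

// Constructed capture: the host that answered and the Set-Cookie header it sent.
const CAPTURED = [
  { host: "www.example.co.nz", header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.example.co.nz", header: "lang=en-NZ; Max-Age=31536000; Path=/" },
  { host: "tracker.example.net", header: "uid=u-789; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None" },
];

// Split one header into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplification: first-party means the host is the site domain or a subdomain of it.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Returns null for a session cookie, otherwise the lifetime in days.
// Max-Age takes precedence over Expires when both are present (RFC 6265).
function retentionDays(attrs, now) {
  const maxAge = Number(attrs["max-age"]);
  if (attrs["max-age"] !== undefined && Number.isFinite(maxAge)) return Math.max(0, maxAge) / 86400;
  const expires = Date.parse(attrs["expires"]);
  if (attrs["expires"] !== undefined && !Number.isNaN(expires)) return Math.max(0, expires - now) / 86400000;
  return null;
}

function auditCookies(captured, siteDomain, now = Date.now()) {
  return captured.map(({ host, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const days = retentionDays(attrs, now);
    return {
      name, host,
      party: isFirstParty(host, siteDomain) ? "first-party" : "third-party",
      lifetime: days === null ? "session" : "persistent",
      retentionDays: days === null ? null : Math.round(days),
    };
  });
}

console.table(auditCookies(CAPTURED, SITE_DOMAIN));
```

The resulting table gives the names, parties and retention periods to check against what the cookie policy says.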
How Cookies Fit With Your Broader Privacy Approach
Cookies are usually just one part of your overall data handling. Your cookie policy should sit neatly alongside your main privacy documentation, including any privacy collection notices you use on forms and sign-up pages.
For many websites, the best approach is to have both:
- a Privacy Policy (your full privacy framework)
- a cookie policy (your cookie-specific explanation and controls)
Do You Need A Cookie Banner Or Consent Pop-Up In New Zealand?
This is the question we get asked all the time: “Do I legally need one of those cookie pop-ups?”
In New Zealand, there isn’t a single cookie-consent rule that applies in the same way as some overseas regimes. But that doesn’t mean you can ignore consent and transparency.
Instead, think of it like this: if your cookies are doing more than basic site functionality - especially if they’re used for advertising, tracking, or profiling - then it’s wise to give users a clear choice and a clear explanation.
When A Cookie Banner Is Usually A Good Idea
You should strongly consider a cookie banner (with preferences/consent options) if your website uses:
- remarketing pixels (e.g. Meta Pixel)
- behavioural advertising tools
- third-party tracking across sites
- advanced analytics tied to identifiable customer profiles
It’s also a smart move if you have customers outside New Zealand (or plan to scale internationally), because you may be expected to meet higher consent standards.
What About A Simple “By Using This Website…” Banner?
Some businesses rely on a passive banner that says something like “By continuing to use this website, you agree to cookies.”
That approach can be risky if you’re using non-essential tracking, because it may not reflect meaningful user choice. If you’re collecting data in a way that users wouldn’t reasonably expect, transparency alone might not be enough - you may need a clearer opt-in/opt-out model and a cookie preference tool.
If you’re not sure what level of consent you need, getting tailored privacy advice early can save you a messy website rebuild later. This is also where having the right policies in place matters, including a Cookie Policy that matches your actual tracking setup.
Common Cookie Compliance Mistakes (And How To Avoid Them)
Most cookie issues we see aren’t caused by bad intentions - they happen because website tools are easy to install, and privacy compliance is easy to overlook when you’re busy launching.
Here are some of the most common mistakes (and what to do instead).
Using A Generic Template That Doesn’t Match Your Website
A cookie policy that lists tools you don’t use (or fails to mention tools you do use) can create real problems. If a user complains, the first thing anyone will look at is what your policy said you were doing.
Instead, make sure your cookie policy reflects your actual website setup, including plugins, embedded media, tracking pixels, and booking systems.
Forgetting About Third-Party Cookies
Businesses often focus on their own analytics, but forget that third-party tools may also collect data. This can include:
- video hosting platforms
- payment gateways
- live chat tools
- social media embeds
- appointment booking systems
If those tools collect or receive personal information, your policies should reflect that reality.
Not Explaining Advertising And Remarketing Properly
If you’re running ads and using pixels to measure conversions, you’re not just “collecting analytics.” You may be building profiles and serving targeted advertising.
This is exactly the kind of tracking users want clarity on, so it’s worth spelling it out in your cookie policy.
Collecting Leads Without A Clear Privacy Message
Cookies are one piece of the puzzle. If your website also collects leads through forms (like a “Contact Us” form or newsletter signup), you should ensure you’re using the right privacy wording at the point of collection and that it aligns with your Privacy Collection Notice.
This is especially important if you’re using email marketing and tracking user behaviour. If you’re sending marketing emails, you should also keep an eye on your obligations around unsubscribes and lawful marketing practices, including Email Marketing Laws that affect how you grow (and keep) your mailing list.
Not Having The Rest Of Your Website Legals In Place
Cookies rarely sit alone. If your website is customer-facing, you’ll typically also need terms that set expectations and reduce misunderstandings.
For example, an online store should usually have Website Terms And Conditions and (where relevant) specific e-commerce terms that cover payments, shipping, returns, and limits of liability.
The bigger picture is simple: when your website grows, the risks grow too - so it’s worth building your legal foundations early.
Key Takeaways
- Cookies can collect (or contribute to collecting) personal information, which means your website’s tracking setup may trigger obligations under the Privacy Act 2020.
- A cookie policy helps you stay transparent, build customer trust, and reduce the risk of privacy complaints by clearly explaining what cookies you use and why.
- A strong cookie policy should cover the types of cookies used (including third-party cookies), what information is collected, how users can manage cookies, and how cookies fit into your wider privacy approach.
- Even if a cookie consent banner isn’t always strictly required in every situation, it’s often a sensible step when you use advertising, remarketing, or non-essential tracking tools.
- Cookie compliance problems usually come from using generic templates, forgetting third-party tools, or having policies that don’t match what the website actually does.
- Cookies are only one part of online compliance - many businesses also need a Privacy Policy, privacy notices for forms, and website terms to properly protect the business from day one.
If you’d like help getting your Cookie Policy and website privacy documents sorted (and tailored to what your website actually does), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.