Privacy and compliance for NZ websites: cookies, forms, analytics, and sensible defaults
Important. This is practical, plain-English guidance for NZ small-business website owners. It is not legal advice. For regulated sectors or complex data uses, engage a New Zealand privacy lawyer or qualified adviser.
The Privacy Act 2020 and related expectations shape how you collect, use, and protect personal information—from enquiry forms and newsletters to analytics and CRMs.
1. Personal information is broader than you think
Names, emails, phone numbers, IP addresses used with other data, and sometimes identifiers in analytics can all be personal information. Treat form submissions and customer accounts accordingly.
2. Transparency: privacy notices that earn trust
Your notice should answer, in human language:
- What you collect and why.
- Who you share it with (hosting, email tools, payment processors).
- How long you keep it.
- How people can access or correct their information.
Avoid copying a foreign policy verbatim—NZ readers (and regulators) expect relevance.
3. Cookies, analytics, and consent
Not every analytics cookie needs a theatrical banner, but misleading defaults and dark patterns backfire. Align your site behaviour with what your notice promises. If you use consent tools, test that tags truly respect choices—many implementations leak data anyway.
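One way to check that tags really respect choices is to replay the page's request timeline against the recorded consent state. The following is an added illustration, not code from this guide: the event shape, the host-to-category map and the sample timeline are all constructed here, and a real check would feed it entries exported from the browser's network log.

```javascript
// Added example (not from the original guide): audit a recorded page timeline
// for analytics or marketing requests sent without consent for their category.
// Host map, event shape and sample data are assumptions made for illustration.

const TRACKER_CATEGORIES = {            // assumed host -> consent category map
  "analytics.example": "analytics",
  "ads.example": "marketing",
};

function hostOf(url) { return new URL(url).hostname; }

// events: chronological list of { type: "request", url } and
// { type: "consent", choices: { analytics: true|false, ... } }.
// Returns one finding per request to a categorised host that was sent while
// that category was still undecided or had been declined.
function auditConsentLeaks(events, categories = TRACKER_CATEGORIES) {
  const consent = {};                   // category -> true | false (absent = undecided)
  const findings = [];
  events.forEach((ev, index) => {
    if (ev.type === "consent") {
      Object.assign(consent, ev.choices); // later choices override earlier ones
      return;
    }
    if (ev.type !== "request") return;
    const category = categories[hostOf(ev.url)];
    if (category === undefined) return;   // first-party or uncategorised host: out of scope
    if (consent[category] !== true) {
      findings.push({
        index,
        url: ev.url,
        category,
        reason: consent[category] === false ? "declined" : "before-consent",
      });
    }
  });
  return findings;
}

// Constructed sample timeline: an analytics hit fires on page load before the
// banner is answered, the user accepts analytics but declines marketing, and
// an ad pixel still fires afterwards.
const SAMPLE_EVENTS = [
  { type: "request", url: "https://www.example.co.nz/" },
  { type: "request", url: "https://analytics.example/collect?v=1" }, // leak: before consent
  { type: "consent", choices: { analytics: true, marketing: false } },
  { type: "request", url: "https://analytics.example/collect?v=2" }, // allowed
  { type: "request", url: "https://ads.example/pixel" },              // leak: declined
];

console.log(auditConsentLeaks(SAMPLE_EVENTS)); // reports two findings
```

An empty result for a real timeline is the evidence that site behaviour matches what the notice promises; any finding is a tag to fix before relying on the banner.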
4. Marketing email and SMS
Keep evidence of consent where required; make unsubscribe obvious and honour it promptly. Segment operational email (“your order shipped”) from promotional mail clearly.
5. Retention: don’t hoard “just in case”
Define sensible retention for enquiries, CRM notes, and logs. Old data increases breach impact and complicates access requests.
6. Access requests and complaints
Have an internal playbook: who triages, where data lives, and timelines. Even small teams benefit from a single mailbox or ticket tag.
7. Subprocessors and SaaS tools
List major tools honestly (email marketing, booking, accounting integrations). Understand where data is stored geographically if that matters to your customers or contracts.
8. Security measures you can describe truthfully
Do not claim “bank-grade encryption” unless it is accurate. Document MFA, access reviews, and backup practices you actually follow.
9. Incidents and notifiable privacy breaches
Prepare steps to contain, assess serious harm, and notify where required. Document facts and decisions—you may need them later.
10. Frequently asked questions
Do I need a cookie wall?
Design for clarity and lawful basis—not theatre. The right approach depends on what you deploy; avoid nudging users into “accept all” if your claims say otherwise.
Is Google Analytics lawful for us?
Depends on configuration, data flows, and notices. Re-evaluate as tools and regulator guidance evolve; consider alternatives if your risk appetite is low.
What about health, finance, or children’s data?
Stop reading general guides and engage specialist advice—obligations intensify.