NZ Privacy Act basics for small websites: cookies, analytics, and forms (primer)

A plain-English primer for NZ SMEs on privacy expectations for websites: forms, analytics, cookies, and practical next steps (not legal advice).

Section overview · updated 2026-04-11

Important: this is educational, not legal advice. If you collect personal information at scale, run health/finance services, or use sensitive data, get professional privacy guidance.

New Zealand’s privacy regime expects businesses to handle personal information fairly and securely. For a typical SME website, the practical focus is: what you collect via forms, what analytics/marketing tags run, how you store enquiries, and how you respond if someone asks what you hold about them.

What counts as personal information?

Personal information includes names, emails, phone numbers, addresses, and anything else that can identify a person, often including IP-derived data, depending on configuration. Treat form submissions and customer accounts as information you must protect.

What should your privacy statement cover (at minimum)?

  • What you collect and why.
  • Who you share it with (e.g., email marketing tool, CRM).
  • How long you keep it.
  • How people can contact you about access/correction.
  • Security measures, described at a high level (without exposing internal secrets).

How should you think about cookies and analytics?

Not all analytics are equal. Some tools lean on cookies and advertising identifiers. Your obligations depend on what you deploy and how you explain it. Many NZ SMEs start with privacy-preserving configurations and clear notices, then tighten as they add remarketing.

What are pragmatic operational habits?

  • Minimise data: ask only for fields you need.
  • Restrict admin accounts and enable MFA.
  • Do not store credit card data unless you are PCI-compliant (usually you should not).
  • Have a process for data breaches (even a simple runbook).

Does your web partner matter here?

Yes—misconfigured forms, leaky plugins, and sloppy tracking deployments create risk. If you want a NZ team that builds business sites with sensible defaults, start at NZDH and bring privacy questions early.

Frequently asked questions

Do I need a cookie banner?

It depends on what you run and on your legal advice. Many sites use banners to disclose non-essential cookies; the right approach varies.

Can I use Google Analytics?

Often yes, with configuration and disclosure considerations. Review current product terms and your advisor’s guidance.

What if I only have a contact form?

You still handle personal information. Secure the email delivery, limit retention, and document the basics.