All Blog Posts

New Zealand’s Privacy Act 2020

New Zealand’s Privacy Act 2020 and the NZ Privacy Principles require you to inform users located inside New Zealand about your website’s use of cookies and trackers, as well as how you are processing their personal information, and why.

Updated February 23, 2021.

On December 1, New Zealand’s Privacy Act 2020 replaced the 1993 version with a stronger data privacy regime, including higher fines, stronger cross-border data protection and new data breach requirements.

In this blogpost, we break down the NZ Privacy Act 2020 and shed light on what you need to know about your website’s cookies and compliance with New Zealand’s data privacy regime.

Quick summary

New Zealand’s Privacy Act 2020, in brief

New Zealand’s Privacy Act was originally drafted and passed in 1993 and has been in place ever since, making it one of the earliest data privacy laws in the world.

New Zealand is also one of only 12 nations worldwide to have an adequacy agreement with the EU, ensuring unrestricted, free flow of personal data to and from the two.

In December 2020, a new and amended NZ Privacy Act 2020 took effect, strengthening cross-border regulations, data breach requirements and more.

In short, New Zealand’s Privacy Act 2020 governs all handling of personal information through the 13 NZ Privacy Principles; requiring you to notify and inform users about collection, use and sharing of their personal information and empowering them with the right to access and correct their data. It is enforced by the Privacy Commissioner and applies to all websites, companies or organizations that handle personal information from inside New Zealand – regardless of where in the world they themselves are located.

Scan your website for free to see where in the world you send data to

NZ Privacy Act and its NZ Privacy Principles require your website to inform users.
New Zealand’s Privacy Act 2020 requires you to inform users about your website’s use of cookies and its processing of personal information.

NZ Privacy Act 2020 quick breakdown –

  • NZ Privacy Act 2020 took effect on December 5, 2020. It repeals and replaces the older Privacy Act 1993.
  • NZ Privacy Act 2020 governs all collection, processing, use and sharing of personal information from individuals located inside the territory of New Zealand.
  • NZ Privacy Act 2020 defines personal information broadly as information about an identifiable individual.
  • NZ Privacy Act 2020 applies to any website, company or organization (“agency” in the law) that collects, uses, shares or stores personal information from individuals inside New Zealand. This means that if your website is located outside New Zealand, but you have visitors from inside the country, you’re required to comply with the NZ Privacy Principles.
  • NZ Privacy Act 2020 works through 13 Privacy Principles that map out the legal framework for handling personal information from inside New Zealand, among others the requirement to inform users about your website’s data collection, its purposes and who you share it with.
  • NZ Privacy Act 2020 empowers users inside New Zealand with the right to access personal data which has been collected from them, and the right to correct it if inaccurate.
  • Transfer of personal information outside of New Zealand is governed by adequacy principles in the NZ Privacy Act 2020. Cross-border data flow is only permitted if data can be protected by comparable privacy standards by the recipient.
  • Fines for non-compliance with the NZ Privacy Act and NZ Privacy Principles can reach $10,000.
  • NZ Privacy Act 2020 is enforced by the Office of the Privacy Commissioner.
Mirror in street reflecting a building - Cookiebot
The NZ Privacy Principles demand that users be notified before their personal information is being collected.

Try Cookiebot consent management platform (CMP) for free

Scan your website to see what cookies and trackers are in operation

Cookies, trackers and the NZ Privacy Act 2020

Cookies and trackers are the most common way for websites to process personal information.

Most websites in the world process data that is defined as personal, meaning data that is able to identify a living person, either directly or indirectly through inference.

Personal information under New Zealand’s Privacy Act 2020 is defined very broadly as “information about an identifiable individual”, and this includes data that is commonly collected and processed by third-party trackers and cookies used by social media platforms (e.g., via a like button on your domain) or marketing services (e.g., advertisement on your website).

Cookies and trackers can be notoriously difficult to detect and control without any assisting technology, especially considering that –

72% of cookies are hidden inside other cookies – also known as trojan horses.

18% of cookies hide even deeper inside other hidden cookies, sometimes loaded by eight other cookies.

50% of trojan horses will have changed upon repeated visits by users.

Source: Beyond the Front Page, a 2020 study of more than ten thousand websites and their cookies.

At the end of the day, the legal responsibility under New Zealand’s Privacy Act 2020 and its NZ Privacy Principles rests with the website owner and operator to be in compliance with the notification and information requirements, including (but not limited to) to always have an updated privacy policy with all required information.

View of a mountain range with a lake - Cookiebot
Non-compliance with New Zealand’s Privacy Act can cost up to $10,000 in fines.

The 13 NZ Privacy Principles

New Zealand’s Privacy Act 2020 revolves around 13 Privacy Principles.

Together, they form a map of the legal way to collect, process, share, store (and in any other way handle) the personal information of users located inside New Zealand.

The 13 Privacy Principles are (in detail later in this blogpost) –

  1. Purpose for collection
  2. Source of information
  3. What to tell an individual
  4. Manner of collection
  5. Storage and security
  6. Access
  7. Correction
  8. Accuracy
  9. Retention
  10. Use
  11. Disclosure
  12. Disclosure outside New Zealand
  13. Unique identifiers

Website owners and operators should be particularly aware of NZ Privacy Principle 3.

Why?

Well, websites most often collect and process personal information from their visitors through cookies and trackers embedded on their domain via analytics software, marketing services or social media integrations.

NZ Privacy Principle 3 is the part of the law that requires you to make sure that your website’s users from New Zealand are made aware –

  • that you collect personal information from them
  • of the purposes for which their personal information is being collected by your website
  • of whom you share their personal information with, including the name and address of the agency collecting the information and the agency who will store the information.

Practical example of NZ Privacy Principle 3

If your website uses a third-party service to get statistics about user visits on your domain (like Google Analytics) or use a third-party marketing service (like HubSpot), third-party cookies and trackers will be embedded and in operation on your website.

These cookies and trackers collect and process personal information from users – such as IP addresses, unique IDs, search and browser history, among many other kinds of data.

Under the NZ Privacy Act 2020 and the NZ Privacy Principle 3, you are required to notify users of all cookies and trackers and inform users about what kind of personal information they collect, how you use the data and who you share the data with, where it is stored and for how long.

When using third-party services, like Google Analytics or HubSpot, you need to inform your users about the third-party cookies and trackers that these services set on your domain; including what kind of data they collect, for what purposes, for how long the data is retained, and where in the world it is sent to and stored.

You are also required to notify and inform users about these things before any personal information has been collected (with exceptions).

Scan your website for free to see what cookies and trackers are in use

Learn more about cookies and website tracking

Learn more about NZ Privacy Principle 3 from the Privacy Commissioner

Get started with Cookiebot CMP and Google Consent Mode

Man walking through a green space with rocks around him - Cookiebot
Under New Zealand’s Privacy Act 2020, personal information is any kind of data that is able to identify an individual.

NZ Privacy Act Compliance with Cookiebot CMP

Cookiebot CMP offers plug-and-play control of all cookies and trackers

Cookiebot CMP is the world’s leading consent management platform, built around a powerful website scanner that detects all known cookies, trackers and trojan horses embedded and in operation on your domain.

The biggest compliance issue for your website under the New Zealand’s Privacy Act 2020 is to ensure that you have notified and informed your users in an exhaustive and correct manner, before you collect and process their personal information.

What does this mean in practice?

First of all, it means to make sure that all cookies, trackers and third-party technologies that collect and process personal information on your domain have been detected.

Second of all, it means to notify and inform your users about what kinds of data these cookies and similar tracking technologies collect from them.

Using Cookiebot CMP takes the hard work out of this.

Scan your entire website with Cookiebot CMP and map out exactly what cookies are in use, see what kind of personal information they collect, for what purpose and which third parties they share this data with – all requirements under the New Zealand Privacy Act 2020.

Cookiebot CMP is fully automated and offers you plug-and-play compliance with not only the NZ Privacy Act 2020, but all major data privacy laws, including EU’s GDPR/ePRCalifornia’s CCPA/CPRABrazil’s LGPDSouth Africa’s POPIA and more.

Whether your users are from Europe, the US, South America, Africa or New Zealand, Cookiebot CMP automatically geotargets their location and ensures that they are presented with the correct and fully compliant data privacy requirements – without you having to do anything.

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Scan your website for free to see what cookies and trackers are in use

Get started with Cookiebot CMP and Google Consent Mode

NZ Privacy Act 2020, in detail

Let’s look at the New Zealand Privacy Act 2020 and its NZ Privacy Principles in closer detail, including what kind of data “personal information” covers, what the 13 NZ Privacy Principles are, and what new amendments have been made to the law in December 2020.

NZ Privacy Act 2020 and personal information

Personal information in New Zealand is any kind of data that can identify an individual.

This includes the more obvious information, such as –

  • name, address
  • e-mail
  • telephone number
  • social security numbers
  • date of birth
  • signature
  • passport numbers
  • racial or ethnic information
  • political opinions and religious beliefs
  • sexual orientation
  • health, genetic and biometric information

But also, the not-so obvious yet very common information, such as –

  • IP-addresses
  • Unique IDs set by Google-cookies and other third-party services
  • Search and browser history
  • Data about device, operating systems, updates etc.
  • Location data
  • Purchase and online shopping history
  • Settings and website preferences
  • Behavioral data, such as speed of scrolling and hovering of mouse and cursor.

Your website might not be collecting or processing much data from the more obvious set, such as passport numbers and sexual orientation of your users, but it almost certainly collects data from the not-so obvious set, namely information about your users’ online presence, their devices, history of preference and behavior on the Internet.

Auckland waterfront - Cookiebot
Your website’s cookies likely collect personal information from its visitors – use Cookiebot CMP to detect and control them.

This is personal information – and most third-party cookies and trackers in the world have it as their mission to collect exactly such kind of data for their operations, be it analytics, advertisement or social media interactions.

If your website is in contact with such data through its cookies and trackers, you are required by New Zealand’s Privacy Act 2020 and its NZ Privacy Principles to notify users before collection and inform them of what, why and who you share it with.

Scan your website for free to see all cookies and trackers

Learn more about website cookies and trackers

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

NZ Privacy Principles

Of the 13 NZ Privacy Principles, let’s look at the most relevant for your website and its use of cookies and personal information collection.

All 13 NZ Privacy Principles are vital for full compliance with the New Zealand Privacy Act 2020, but we’ll focus particularly on the ones that are paramount to websites, who processes personal information via cookies and trackers.

For a full overview of the 13 New Zealand Privacy Principles, visit the Office of the Privacy Commissioner

Man looking out over a lake with mountain in the background - Cookiebot
New Zealand’s 13 Privacy Principles empower users with the right to know, to access and to correct their data.

NZ Privacy Principle 1 concerns the purpose of collection

  • Your website is required to only collect personal information if it is for a lawful purpose, meaning in connection with and necessary for the functions and activities of your website.
  • In other words, you’re not allowed to collect information from users that is not relevant to your website and its function and content.
  • This purpose of collection is also part of the information that you are required to notify users about before collecting data from them.

NZ Privacy Principle 2 concerns the sources of personal information

  • Personal information should always be collected directly from the individual.
  • This is often the case anyway online, since your website will collect data from the user themselves, when they land on and move around on your domain.

NZ Privacy Principle 3 concerns the information requirement to users

  • Your website must be open about why you are collecting personal information and what you will do with it.
  • Your website is required to notify its users about: why the data is being collected, who it will be shared with, whether collection is compulsory or voluntary, what can happen if the data is not collected.
  • Offering a clear overview of such information to your users via your privacy policy is a good way to ensure that your website meets the notification and information requirements.

NZ Privacy Principle 4 concerns the way you collect personal information

  • Your website must only collect personal information in a way that is fair and legal.
  • Unfair and illegal ways of collecting personal information is to threaten, coerce or mislead users to give out their personal information.

NZ Privacy Principle 5 concerns the storage and security

  • Your website must ensure safeguards around personal information collected from individuals, e.g. to ensure secure storage and prevent loss, misuse or disclosure of their data.

NZ Privacy Principle 6 concerns a user’s right to access their personal information

  • Users have the right to request access to the personal information that you have collected about them, e.g. through your website’s cookies and trackers.
  • You must provide means of requesting access, e.g. a link or an e-mail address.

NZ Privacy Principle 7 concerns a user’s right to correct their personal information

  • Users have the right to request corrections to the personal information that you have collected about them, e.g. through your website’s cookies and trackers.
  • You must provide means of requesting access, e.g. a link or an e-mail address.

NZ Privacy Principle 8 concerns the accuracy of personal information

  • Users have the right to request corrections to the personal information that you have collected about them, e.g. through your website’s cookies and trackers.
  • You must provide means of requesting access, e.g. a link or an e-mail address.

NZ Privacy Principle 9 concerns the retention (i.e. for how long you store data)

  • Your website is not allowed to store and use personal information for longer than necessary to fulfill the purpose intended by the collection of the data in the first place.
  • As an example, your website is not allowed to keep personal information about a user that was collected only to be used in the session in which they visited your website.

NZ Privacy Principle 10 concerns the use of personal information

  • Your website is only allowed to use collected personal information for the purpose already given to the individual before collection.
  • Using personal information for longer or for different purposes requires you to notify and inform the user again.

NZ Privacy Principle 11 concerns the disclosure of personal information

  • Your website is only allowed to use collected personal information for the purpose already given to the individual before collection.
  • Using personal information for longer or for different purposes requires you to notify and inform the user again.

NZ Privacy Principle 12 concerns the cross-border disclosure of personal information

  • Your website is only allowed to send personal information from users inside New Zealand to other countries, if the data privacy laws in the recipient’s country provide comparable security and can protect the data adequately.
  • As an example, your website can use New Zealand’s model contract clauses to do so.
  • To help you determine whether the NZ Privacy Principle 12 applies to you, check out the Principle 12 Decision Tree by the Privacy Commissioner.

Learn more about sending personal information overseas in New Zealand

NZ Privacy Principle 13 concerns unique identifiers

  • Your website is only allowed to assign unique identifiers (individual identification sequences, such as a driver’s license or a unique ID from a third-party cookie) when it is necessary.
  • In other words, collecting personal information through technologies that assign unique identifiers must be done with care. Make sure to inform your users about exactly what kind of data you intend to collect, how, why and who you share it with.
Three people sitting on a hill watching the sunset over a city - Cookiebot
New Zealand’s Privacy Act has been in effect since 1993 but updated in 2020 to match new tech developments.

What’s new in NZ Privacy Act 2020

On December 5, a new and amended version of the NZ Privacy Act went into effect, repealing and replacing the 1993 version.

The new amendments to the NZ Privacy Act include –

  • Stronger data breach security and control – if your website experiences a data breach (e.g. an unintended disclosure of personal information from its users), you are required to notify the individuals affected to the Privacy Commissioner.
  • Stronger enforcement tools for the Privacy Commissioner.
  • Decisions on access requests will now be made by the Privacy Commissioner and not the Human Rights Review Tribunal.
  • Stronger cross-border transfer regulations – your website must take steps to ensure that personal information transferred out of New Zealand can be protected adequately and comparable to the New Zealand’s data privacy standards.
  • Stronger fines for non-compliance – of up to $10,000.
  • Class action lawsuits for non-compliance.

Visit the Privacy Commissioner for an overview of the new amendments in the NZ Privacy Act 2020

Summary of New Zealand’s Privacy Act 2020

New Zealand’s Privacy Act 2020 and its NZ Privacy Principles governs all handling of personal information from individuals inside the country and map out the legal way for your website to collect, use and share such data.

The NZ Privacy Act 2020 requires your website to notify and inform users in New Zealand of your website’s intended collection of personal information, including the purposes for which you collect and who you will be sharing it with (e.g. Google or Facebook).

Using Cookiebot CMP takes all the hard work out of data privacy law compliance by offering plug-and-play compliance with New Zealand’s Privacy Act 2020 – and a host of other major data laws like EU’s GDPR, California’ CCPA, Brazil’s LGPD, South Africa’s POPIA and more.

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Scan your website for free to see all cookies and trackers in use

Get started with Cookiebot CMP and Google Consent Mode

FAQ

What is New Zealand’s Privacy Act 2020?

The New Zealand Privacy Act 2020 is the country’s national data privacy law in effect since December 2020. The NZ Privacy Act 2020 repeals and replaces the Privacy Act of 1993 with stronger requirements for websites, companies and organizations who handle personal information from inside the territory of New Zealand.

Scan your website to see where in the world you send data to

Who does the NZ Privacy Act 2020 apply to?

New Zealand’s Privacy Act 2020 applies to any website, company, organization or individual who collects personal information from individuals located inside the territory of New Zealand. Even if your website is not located in New Zealand, but you have visitors from the country and you handle their personal information via cookies and trackers on your domain, you are required to comply with the New Zealand Privacy Act 2020.

Scan your website to see what cookies and trackers are in operation

Is my website compliant with the NZ Privacy Act 2020?

The New Zealand Privacy Act 2020 requires your website to know of all cookies, trackers and similar technologies that collect, use or share personal information from individuals inside New Zealand, and to notify and inform users about this before collection begins, including what kind of data is to be collected, for what purposes and with whom you share it.

Scan your website with Cookiebot CMP to detect all cookies and trackers

How can I manage user consents on my website?

Using Cookiebot CMP as your consent solution gives you deep-scanning technology that detects all cookies and trackers on your website. Cookiebot CMP offers automatic control of your domain’s personal data processing in compliance with all major data privacy laws, like the EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA, Singapore’s PDPA and New Zealand’s Privacy Act 2020.

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Resources

New Zealand’s Privacy Act 2020 (official law text)

The New Zealand Privacy Commissioner

New Zealand’s Privacy Principles overview

A guide to your responsibilities under the New Zealand Privacy Act 2020

NZ Privacy Act 2020 enters into force (IAPP)

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.