Logo Logo
Cookiebot

Try our free compliance test to check if your website's use of cookies and online tracking is GDPR/ePR compliant.

The test also shows what data your website collects and which third parties it shares with, a requirement under the CCPA.

Compliance with New Zealand's Privacy Act with Cookiebot CMP.

Updated February 23, 2021.

New Zealand’s Privacy Act 2020 and the NZ Privacy Principles require you to inform users located inside New Zealand about your website’s use of cookies and trackers, as well as how you are processing their personal information, and why.

On December 1, New Zealand’s Privacy Act 2020 replaced the 1993 version with a stronger data privacy regime, including higher fines, stronger cross-border data protection and new data breach requirements.

In this blogpost, we break down the NZ Privacy Act 2020 and shed light on what you need to know about your website’s cookies and compliance with New Zealand’s data privacy regime.

Quick summary


New Zealand’s Privacy Act 2020, in brief

New Zealand’s Privacy Act was originally drafted and passed in 1993 and has been in place ever since, making it one of the earliest data privacy laws in the world.

New Zealand is also one of only 12 nations worldwide to have an adequacy agreement with the EU, ensuring unrestricted, free flow of personal data to and from the two.

In December 2020, a new and amended NZ Privacy Act 2020 took effect, strengthening cross-border regulations, data breach requirements and more.

In short, New Zealand’s Privacy Act 2020 governs all handling of personal information through the 13 NZ Privacy Principles; requiring you to notify and inform users about collection, use and sharing of their personal information and empowering them with the right to access and correct their data. It is enforced by the Privacy Commissioner and applies to all websites, companies or organizations that handle personal information from inside New Zealand – regardless of where in the world they themselves are located.

Scan your website for free to see where in the world you send data to



NZ Privacy Act and its NZ Privacy Principles require your website to inform users.

New Zealand’s Privacy Act 2020 requires you to inform users about your website’s use of cookies and its processing of personal information.



NZ Privacy Act 2020 quick breakdown –



NZ Privacy Act 2020

The NZ Privacy Principles demand that users be notified before their personal information is being collected.



Try Cookiebot consent management platform (CMP) for free

Scan your website to see what cookies and trackers are in operation

Cookies, trackers and the NZ Privacy Act 2020


Cookies and trackers are the most common way for websites to process personal information.

Most websites in the world process data that is defined as personal, meaning data that is able to identify a living person, either directly or indirectly through inference.

Personal information under New Zealand’s Privacy Act 2020 is defined very broadly as “information about an identifiable individual”, and this includes data that is commonly collected and processed by third-party trackers and cookies used by social media platforms (e.g., via a like button on your domain) or marketing services (e.g., advertisement on your website).

Cookies and trackers can be notoriously difficult to detect and control without any assisting technology, especially considering that –

72% of cookies are hidden inside other cookies – also known as trojan horses.

18% of cookies hide even deeper inside other hidden cookies, sometimes loaded by eight other cookies.

50% of trojan horses will have changed upon repeated visits by users.

Source: Beyond the Front Page, a 2020 study of more than ten thousand websites and their cookies.

At the end of the day, the legal responsibility under New Zealand’s Privacy Act 2020 and its NZ Privacy Principles rests with the website owner and operator to be in compliance with the notification and information requirements, including (but not limited to) to always have an updated privacy policy with all required information.



NZ Privacy Act 2020 compliance with Cookiebot CMP.

Non-compliance with New Zealand’s Privacy Act can cost up to $10,000 in fines.



The 13 NZ Privacy Principles

New Zealand’s Privacy Act 2020 revolves around 13 Privacy Principles.

Together, they form a map of the legal way to collect, process, share, store (and in any other way handle) the personal information of users located inside New Zealand.

The 13 Privacy Principles are (in detail later in this blogpost) –

  1. Purpose for collection
  2. Source of information
  3. What to tell an individual
  4. Manner of collection
  5. Storage and security
  6. Access
  7. Correction
  8. Accuracy
  9. Retention
  10. Use
  11. Disclosure
  12. Disclosure outside New Zealand
  13. Unique identifiers

Website owners and operators should be particularly aware of NZ Privacy Principle 3.

Why?

Well, websites most often collect and process personal information from their visitors through cookies and trackers embedded on their domain via analytics software, marketing services or social media integrations.

NZ Privacy Principle 3 is the part of the law that requires you to make sure that your website’s users from New Zealand are made aware



Practical example of NZ Privacy Principle 3

If your website uses a third-party service to get statistics about user visits on your domain (like Google Analytics) or use a third-party marketing service (like HubSpot), third-party cookies and trackers will be embedded and in operation on your website.

These cookies and trackers collect and process personal information from users – such as IP addresses, unique IDs, search and browser history, among many other kinds of data.

Under the NZ Privacy Act 2020 and the NZ Privacy Principle 3, you are required to notify users of all cookies and trackers and inform users about what kind of personal information they collect, how you use the data and who you share the data with, where it is stored and for how long.

When using third-party services, like Google Analytics or HubSpot, you need to inform your users about the third-party cookies and trackers that these services set on your domain; including what kind of data they collect, for what purposes, for how long the data is retained, and where in the world it is sent to and stored.

You are also required to notify and inform users about these things before any personal information has been collected (with exceptions).

Scan your website for free to see what cookies and trackers are in use

Learn more about cookies and website tracking

Learn more about NZ Privacy Principle 3 from the Privacy Commissioner

Get started with Cookiebot CMP and Google Consent Mode



Become compliant with New Zealand Privacy Act 2020 through Cookiebot CMP.

Under New Zealand’s Privacy Act 2020, personal information is any kind of data that is able to identify an individual.



NZ Privacy Act Compliance with Cookiebot CMP


Cookiebot CMP offers plug-and-play control of all cookies and trackers

Cookiebot CMP is the world’s leading consent management platform, built around a powerful website scanner that detects all known cookies, trackers and trojan horses embedded and in operation on your domain.

The biggest compliance issue for your website under the New Zealand’s Privacy Act 2020 is to ensure that you have notified and informed your users in an exhaustive and correct manner, before you collect and process their personal information.

What does this mean in practice?

First of all, it means to make sure that all cookies, trackers and third-party technologies that collect and process personal information on your domain have been detected.

Second of all, it means to notify and inform your users about what kinds of data these cookies and similar tracking technologies collect from them.

Using Cookiebot CMP takes the hard work out of this.

Scan your entire website with Cookiebot CMP and map out exactly what cookies are in use, see what kind of personal information they collect, for what purpose and which third parties they share this data with – all requirements under the New Zealand Privacy Act 2020.

Cookiebot CMP is fully automated and offers you plug-and-play compliance with not only the NZ Privacy Act 2020, but all major data privacy laws, including EU’s GDPR/ePR, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA and more.

Whether your users are from Europe, the US, South America, Africa or New Zealand, Cookiebot CMP automatically geotargets their location and ensures that they are presented with the correct and fully compliant data privacy requirements – without you having to do anything.

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

Scan your website for free to see what cookies and trackers are in use

Get started with Cookiebot CMP and Google Consent Mode



Cookiebot CMP offers compliance with the NZ Privacy Act 2020.



NZ Privacy Act 2020, in detail


Let’s look at the New Zealand Privacy Act 2020 and its NZ Privacy Principles in closer detail, including what kind of data “personal information” covers, what the 13 NZ Privacy Principles are, and what new amendments have been made to the law in December 2020.

NZ Privacy Act 2020 and personal information

Personal information in New Zealand is any kind of data that can identify an individual.

This includes the more obvious information, such as –

But also, the not-so obvious yet very common information, such as –

Your website might not be collecting or processing much data from the more obvious set, such as passport numbers and sexual orientation of your users, but it almost certainly collects data from the not-so obvious set, namely information about your users’ online presence, their devices, history of preference and behavior on the Internet.



NZ Privacy Act applies to all websites who process personal data in New Zealand.

Your website’s cookies likely collect personal information from its visitors – use Cookiebot CMP to detect and control them.



This is personal information – and most third-party cookies and trackers in the world have it as their mission to collect exactly such kind of data for their operations, be it analytics, advertisement or social media interactions.

If your website is in contact with such data through its cookies and trackers, you are required by New Zealand’s Privacy Act 2020 and its NZ Privacy Principles to notify users before collection and inform them of what, why and who you share it with.

Scan your website for free to see all cookies and trackers

Learn more about website cookies and trackers

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

NZ Privacy Principles

Of the 13 NZ Privacy Principles, let’s look at the most relevant for your website and its use of cookies and personal information collection.

All 13 NZ Privacy Principles are vital for full compliance with the New Zealand Privacy Act 2020, but we’ll focus particularly on the ones that are paramount to websites, who processes personal information via cookies and trackers.

For a full overview of the 13 New Zealand Privacy Principles, visit the Office of the Privacy Commissioner



NZ Privacy Principles require that you notify users about collecting their data.

New Zealand’s 13 Privacy Principles empower users with the right to know, to access and to correct their data.



NZ Privacy Principle 1 concerns the purpose of collection

NZ Privacy Principle 2 concerns the sources of personal information

NZ Privacy Principle 3 concerns the information requirement to users

NZ Privacy Principle 4 concerns the way you collect personal information

NZ Privacy Principle 5 concerns the storage and security

NZ Privacy Principle 6 concerns a user’s right to access their personal information

NZ Privacy Principle 7 concerns a user’s right to correct their personal information

NZ Privacy Principle 8 concerns the accuracy of personal information

NZ Privacy Principle 9 concerns the retention (i.e. for how long you store data)

NZ Privacy Principle 10 concerns the use of personal information

NZ Privacy Principle 11 concerns the disclosure of personal information

NZ Privacy Principle 12 concerns the cross-border disclosure of personal information

Learn more about sending personal information overseas in New Zealand


NZ Privacy Principle 13 concerns unique identifiers



Get compliance with the NZ Privacy Act 2020 with Cookiebot CMP:

New Zealand’s Privacy Act has been in effect since 1993 but updated in 2020 to match new tech developments.



What’s new in NZ Privacy Act 2020


On December 5, a new and amended version of the NZ Privacy Act went into effect, repealing and replacing the 1993 version.

The new amendments to the NZ Privacy Act include –

Visit the Privacy Commissioner for an overview of the new amendments in the NZ Privacy Act 2020

Summary of New Zealand’s Privacy Act 2020


New Zealand’s Privacy Act 2020 and its NZ Privacy Principles governs all handling of personal information from individuals inside the country and map out the legal way for your website to collect, use and share such data.

The NZ Privacy Act 2020 requires your website to notify and inform users in New Zealand of your website’s intended collection of personal information, including the purposes for which you collect and who you will be sharing it with (e.g. Google or Facebook).

Using Cookiebot CMP takes all the hard work out of data privacy law compliance by offering plug-and-play compliance with New Zealand’s Privacy Act 2020 – and a host of other major data laws like EU’s GDPR, California’ CCPA, Brazil’s LGPD, South Africa’s POPIA and more.

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

Scan your website for free to see all cookies and trackers in use

Get started with Cookiebot CMP and Google Consent Mode

FAQ


What is New Zealand’s Privacy Act 2020?

The New Zealand Privacy Act 2020 is the country’s national data privacy law in effect since December 2020. The NZ Privacy Act 2020 repeals and replaces the Privacy Act of 1993 with stronger requirements for websites, companies and organizations who handle personal information from inside the territory of New Zealand.

Scan your website to see where in the world you send data to

Who does the NZ Privacy Act 2020 apply to?

New Zealand’s Privacy Act 2020 applies to any website, company, organization or individual who collects personal information from individuals located inside the territory of New Zealand. Even if your website is not located in New Zealand, but you have visitors from the country and you handle their personal information via cookies and trackers on your domain, you are required to comply with the New Zealand Privacy Act 2020.

Scan your website to see what cookies and trackers are in operation

Is my website compliant with the NZ Privacy Act 2020?

The New Zealand Privacy Act 2020 requires your website to know of all cookies, trackers and similar technologies that collect, use or share personal information from individuals inside New Zealand, and to notify and inform users about this before collection begins, including what kind of data is to be collected, for what purposes and with whom you share it.

Scan your website with Cookiebot CMP to detect all cookies and trackers

How can I manage user consents on my website?

Using Cookiebot CMP as your consent solution gives you deep-scanning technology that detects all cookies and trackers on your website. Cookiebot CMP offers automatic control of your domain’s personal data processing in compliance with all major data privacy laws, like the EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA, Singapore’s PDPA and New Zealand’s Privacy Act 2020.

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

Resources


New Zealand’s Privacy Act 2020 (official law text)

The New Zealand Privacy Commissioner

New Zealand’s Privacy Principles overview

A guide to your responsibilities under the New Zealand Privacy Act 2020

NZ Privacy Act 2020 enters into force (IAPP)

New Google Consent Mode 

Cookiebot™ CMP integrates perfectly with the new Google Consent Mode.

Make your website’s use of cookies and online tracking compliant today

Try for free