# [New Zealand’s Privacy Act 2020](https://www.cookiebot.com/en/new-zealand/) **Stay compliant with the New Zealand Privacy Act 2020 and protect your users' data privacy with Cookiebot's comprehensive CMP solution.** · [Try Cookiebot CMP free for 14 days](https://admin.cookiebot.com/signup) · [Scan your website for free to see all cookies and trackers in use](https://www.cookiebot.com/) · [Get started with Cookiebot CMP and Google Consent Mode](https://www.cookiebot.com/) --- ## Quick summary ### New Zealand’s Privacy Act 2020, in brief New Zealand’s Privacy Act was originally drafted and passed in 1993 and has been in place ever since, making it one of the earliest data privacy laws in the world. New Zealand is also one of only 12 nations worldwide to have an [adequacy agreement with the EU](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en/), ensuring unrestricted, free flow of personal data to and from the two. In December 2020, [a new and amended NZ Privacy Act 2020 took effect](https://www.justice.govt.nz/justice-sector-policy/key-initiatives/privacy/), strengthening cross-border regulations, data breach requirements and more. In short, New Zealand’s **Privacy Act 2020** governs all handling of personal information through the **13 NZ Privacy Principles**; requiring you to **notify and inform** users about collection, use and sharing of their personal information and empowering them with the **right to access** and **correct** their data. It is enforced by the **Privacy Commissioner** and **applies to all websites**, **companies** or **organizations** that handle personal information from inside New Zealand – **regardless of where in the world** they themselves are located. **NZ Privacy Act 2020 quick breakdown –** - **NZ Privacy Act 2020** took effect on December 5, 2020. It repeals and replaces the older Privacy Act 1993. - **NZ Privacy Act 2020** governs all collection, processing, use and sharing of personal information from individuals located inside the territory of New Zealand. - **NZ Privacy Act 2020** defines personal information broadly as information about an identifiable individual. - **NZ Privacy Act 2020** applies to any website, company or organization (“agency” in the law) that collects, uses, shares or stores personal information from individuals inside New Zealand. This means that if your website is located outside New Zealand, but you have visitors from inside the country, you’re required to comply with the NZ Privacy Principles. - **NZ Privacy Act 2020** works through 13 Privacy Principles that map out the legal framework for handling personal information from inside New Zealand, among others the requirement to inform users about your website’s data collection, its purposes and who you share it with. - **NZ Privacy Act 2020** empowers users inside New Zealand with the right to access personal data which has been collected from them, and the right to correct it if inaccurate. - Transfer of personal information outside of New Zealand is governed by adequacy principles in the **NZ Privacy Act 2020**. Cross-border data flow is only permitted if data can be protected by comparable privacy standards by the recipient. - Fines for non-compliance with the **NZ Privacy Act** and NZ Privacy Principles can reach $10,000. - **NZ Privacy Act 2020** is enforced by the Office of the Privacy Commissioner. *Used by: Brand A, Brand B, Brand C* ### The 13 NZ Privacy Principles New Zealand’s Privacy Act 2020 revolves around **13 Privacy Principles**. Together, they **form a map of the legal way** to collect, process, share, store (and in any other way handle) the personal information of users located inside New Zealand. The **13 Privacy Principles** are (in detail later in this blogpost) – 1. Purpose for collection 2. Source of information 3. What to tell an individual 4. Manner of collection 5. Storage and security 6. Access 7. Correction 8. Accuracy 9. Retention 10. Use 11. Disclosure 12. Disclosure outside New Zealand 13. Unique identifiers Website owners and operators should be particularly aware of **NZ Privacy Principle 3**. **NZ Privacy Principle 3** is the part of the law that **requires you to make sure that your website’s users from New Zealand are made aware** – - that you collect personal information from them - of the purposes for which their personal information is being collected by your website - of whom you share their personal information with, including the name and address of the agency collecting the information and the agency who will store the information. ***Practical example of NZ Privacy Principle 3*** If your website uses a third-party service to get statistics about user visits on your domain (like [Google Analytics](https://www.cookiebot.com/en/google-analytics-gdpr/)) or use a third-party marketing service (like [HubSpot](https://www.cookiebot.com/en/hubspot-and-gdpr/)), **third-party cookies** and **trackers** will be embedded and in operation on your website. Under the NZ Privacy Act 2020 and the NZ Privacy Principle 3, **you are required to notify users** of all cookies and trackers and **inform users** about **what kind** of personal information they collect, **how you use** the data and **who you share** the data with, **where** it is stored and **for how long**. ### Cookiebot CMP offers plug-and-play control of all cookies and trackers [Cookiebot CMP](https://www.cookiebot.com/) is the world’s leading consent management platform, built **around a powerful website scanner** that detects all known cookies, trackers and trojan horses embedded and in operation on your domain. The biggest compliance issue for your website under the New Zealand’s Privacy Act 2020 is to ensure that you have notified and informed your users **in an exhaustive and correct manner**, before you collect and process their personal information. Using Cookiebot CMP takes the hard work out of this. Scan your entire website with [Cookiebot CMP](https://www.cookiebot.com/) and map out exactly what cookies are in use, see what kind of personal information they collect, for what purpose and which third parties they share this data with – all requirements under the New Zealand Privacy Act 2020. Cookiebot CMP is fully automated and offers you plug-and-play compliance with not only the NZ Privacy Act 2020, but all major data privacy laws, including [EU’s GDPR/ePR](https://www.cookiebot.com/en/gdpr/), [California’s CCPA/CPRA](https://www.cookiebot.com/en/ccpa/), [Brazil’s LGPD](https://www.cookiebot.com/en/lgpd/), [South Africa’s POPIA](https://www.cookiebot.com/en/popia/) and more. Whether your users are from Europe, the US, South America, Africa or New Zealand, Cookiebot CMP automatically geotargets their location and ensures that they are presented with the correct and fully compliant data privacy requirements – without you having to do anything. --- ## NZ Privacy Act 2020, in detail ### NZ Privacy Act 2020 and personal information Personal information in New Zealand is any kind of data that can identify an individual. This includes the more obvious information, such as – - name, address - e-mail - telephone number - social security numbers - date of birth - signature - passport numbers - racial or ethnic information - political opinions and religious beliefs - sexual orientation - health, genetic and biometric information But also, the not-so obvious yet very common information, such as – - IP-addresses - Unique IDs set by Google-cookies and other third-party services - Search and browser history - Data about device, operating systems, updates etc. - Location data - Purchase and online shopping history - Settings and website preferences - Behavioral data, such as speed of scrolling and hovering of mouse and cursor. **This is personal information** – and most third-party cookies and trackers in the world have it as their mission to collect exactly such kind of data for their operations, be it analytics, advertisement or social media interactions. If your website is in contact with such data [through its cookies and trackers](https://www.cookiebot.com/en/website-tracking/), **you are required by New Zealand’s Privacy Act 2020 and its NZ Privacy Principles** to notify users before collection and inform them of what, why and who you share it with. ### NZ Privacy Principles Of the **13 NZ Privacy Principles**, let’s look at the most relevant for your website and its use of cookies and personal information collection. **NZ Privacy Principle 1** concerns the **purpose of collection** - Your website is required to **only collect personal information if it is for a lawful purpose**, meaning in connection with and necessary for the functions and activities of your website. - In other words, you’re not allowed to collect information from users that is not relevant to your website and its function and content. - This **purpose of collection** is also part of the information that you are required to notify users about before collecting data from them. **NZ Privacy Principle 2** concerns the **sources of personal information** - Personal information should always be collected directly from the individual. - This is often the case anyway online, since your website will collect data from the user themselves, when they land on and move around on your domain. **NZ Privacy Principle 3** concerns the **information requirement to users** - Your website **must be open about** why you are collecting personal information and **what you will do** with it. - Your website is required to notify its users about: **why** the data is being collected, **who** it will be shared with, **whether** collection is compulsory or voluntary, **what** can happen if the data is not collected. - Offering a clear overview of such information to your users **via your privacy policy** is a good way to ensure that your website meets the notification and information requirements. **NZ Privacy Principle 4** concerns the **way you collect personal information** - Your website must only collect personal information in a way that is fair and legal. - Unfair and illegal ways of collecting personal information is to threaten, coerce or mislead users to give out their personal information. **NZ Privacy Principle 5** concerns the **storage and security** - Your website must ensure safeguards around personal information collected from individuals, e.g. to ensure secure storage and prevent loss, misuse or disclosure of their data. **NZ Privacy Principle 6** concerns a user’s right to access their personal information - Users have the right to request **access** to the personal information that you have collected about them, e.g. through your website’s cookies and trackers. - You must provide means of requesting access, e.g. a **link** or an **e-mail address**. **NZ Privacy Principle 7** concerns a user’s right to correct their personal information - Users have the right to request **corrections** to the personal information that you have collected about them, e.g. through your website’s cookies and trackers. - You must provide means of requesting access, e.g. a link or an e-mail address. **NZ Privacy Principle 8** concerns the **accuracy of personal information** - Users have the right to request **corrections** to the personal information that you have collected about them, e.g. through your website’s cookies and trackers. - You must provide means of requesting access, e.g. a link or an e-mail address. **NZ Privacy Principle 9** concerns the **retention** (i.e. for how long you store data) - Your website is not allowed to store and use personal information for longer than necessary to fulfill the purpose intended by the collection of the data in the first place. - As an example, your website is not allowed to keep personal information about a user that was collected only to be used in the session in which they visited your website. **NZ Privacy Principle 10** concerns the **use of personal information** - Your website is only allowed to use collected personal information for the purpose already given to the individual before collection. - Using personal information for longer or for different purposes requires you to notify and inform the user again. **NZ Privacy Principle 11** concerns the **disclosure of personal information** - Your website is only allowed to use collected personal information for the purpose already given to the individual before collection. - Using personal information for longer or for different purposes requires you to notify and inform the user again. **NZ Privacy Principle 12** concerns the **cross-border disclosure of personal information** - Your website is only allowed to send personal information from users inside New Zealand to other countries, if the data privacy laws in the recipient’s country provide comparable security and can protect the data adequately. - As an example, your website can use New Zealand’s [model contract clauses](https://privacy.org.nz/responsibilities/your-obligations/disclosing-personal-information-outside-new-zealand/) to do so. - To help you determine whether the NZ Privacy Principle 12 applies to you, [check out the Principle 12 Decision Tree by the Privacy Commissioner](https://privacy.org.nz/responsibilities/disclosing-personal-information-outside-new-zealand/decision-tree-page/). **NZ Privacy Principle 13** concerns **unique identifiers** - Your website is only allowed to assign unique identifiers (individual identification sequences, such as a driver’s license or a unique ID from a third-party cookie) when it is necessary. - In other words, collecting personal information through technologies that assign unique identifiers must be done with care. Make sure to inform your users about exactly what kind of data you intend to collect, how, why and who you share it with. --- ## What’s new in NZ Privacy Act 2020 On December 5, a new and amended version of the NZ Privacy Act went into effect, repealing and replacing the 1993 version. The new amendments to the NZ Privacy Act include – - **Stronger data breach security and control** – if your website experiences a data breach (e.g. an unintended disclosure of personal information from its users), you are required to notify the individuals affected to the Privacy Commissioner. - **Stronger enforcement tools for the Privacy Commissioner**. - **Decisions on access requests** will now be made by the Privacy Commissioner and not the Human Rights Review Tribunal. - **Stronger cross-border transfer regulations** – your website must take steps to ensure that personal information transferred out of New Zealand can be protected adequately and comparable to the New Zealand’s data privacy standards. - **Stronger fines for non-compliance** – of up to $10,000. - **Class action lawsuits for non-compliance**. --- ## Summary of New Zealand’s Privacy Act 2020 New Zealand’s Privacy Act 2020 and its NZ Privacy Principles governs all handling of personal information from individuals inside the country and map out the legal way for your website to collect, use and share such data. The NZ Privacy Act 2020 requires your website to notify and inform users in New Zealand of your website’s intended collection of personal information, including the purposes for which you collect and who you will be sharing it with (e.g. Google or Facebook). Using Cookiebot CMP takes all the hard work out of data privacy law compliance by offering plug-and-play compliance with New Zealand’s Privacy Act 2020 – and a host of other major data laws like [EU’s GDPR](https://www.cookiebot.com/en/gdpr/), [California’ CCPA](https://www.cookiebot.com/en/ccpa/), [Brazil’s LGPD](https://www.cookiebot.com/en/lgpd/), [South Africa’s POPIA](https://www.cookiebot.com/en/popia/) and more. --- ## Frequently asked questions What is New Zealand’s Privacy Act 2020? The New Zealand Privacy Act 2020 is the country’s national data privacy law in effect since December 2020. The NZ Privacy Act 2020 repeals and replaces the Privacy Act of 1993 with stronger requirements for websites, companies and organizations who handle personal information from inside the territory of New Zealand. Who does the NZ Privacy Act 2020 apply to? New Zealand’s Privacy Act 2020 applies to any website, company, organization or individual who collects personal information from individuals located inside the territory of New Zealand. Even if your website is not located in New Zealand, but you have visitors from the country and you handle their personal information via cookies and trackers on your domain, you are required to comply with the New Zealand Privacy Act 2020. Is my website compliant with the NZ Privacy Act 2020? The New Zealand Privacy Act 2020 requires your website to know of all cookies, trackers and similar technologies that collect, use or share personal information from individuals inside New Zealand, and to notify and inform users about this before collection begins, including what kind of data is to be collected, for what purposes and with whom you share it. --- ## Resources [New Zealand’s Privacy Act 2020 (official law text)](http://www.legislation.govt.nz/act/public/2020/0031/latest/whole.html#LMS23227) [The New Zealand Privacy Commissioner](https://www.privacy.org.nz/) [New Zealand’s Privacy Principles overview](https://www.privacy.org.nz/privacy-act-2020/privacy-principles/) [A guide to your responsibilities under the New Zealand Privacy Act 2020](https://www.privacy.org.nz/responsibilities/your-obligations/) [NZ Privacy Act 2020 enters into force (IAPP)](https://iapp.org/news/a/nz-privacy-act-2020-enters-into-force/) --- ## Product [Cookiebot™ Consent Solution](https://www.cookiebot.com/en/cookie-consent-solution/) · [Usercentrics for Wix](https://www.cookiebot.com/en/cookiebot-for-wix-by-usercentrics-app/) · [WordPress Plugin](https://www.cookiebot.com/en/new-wp-cookie-plugin/) · [Pricing](https://www.cookiebot.com/en/pricing/) ## Regulations [DMA (EU)](https://www.cookiebot.com/en/digital-markets-act-dma/) · [GDPR (EU)](https://www.cookiebot.com/en/gdpr/) · [CCPA (California)](https://www.cookiebot.com/en/what-is-ccpa/) · [VCDPA (Virginia)](https://www.cookiebot.com/en/virginia-vcdpa/) · [LGPD (Brazil)](https://www.cookiebot.com/en/lgpd/) · [TCF v2.3 (IAB)](https://www.cookiebot.com/en/tcf/) · [Google Consent Mode](https://www.cookiebot.com/en/cookiebot-cmp-google-consent-mode/) · [Microsoft UET Consent Mode](https://www.cookiebot.com/en/microsoft-consent-mode-cmp/) ## Partners [Become an affiliate](https://www.cookiebot.com/en/affiliates/) · [Become a partner](https://www.cookiebot.com/en/resellers/) · [Find a partner](https://www.cookiebot.com/en/cookiebot-reseller/) ## Resources [Blog](https://www.cookiebot.com/en/blog/) · [Digital Markets Act Hub](https://www.cookiebot.com/en/digital-markets-act-dma-resources/) · [Google Consent Mode Hub](https://www.cookiebot.com/en/google-consent-mode-resources/) · [Google Consent Mode V2 Certification](https://courses.usercentrics.com/course/google-consent-mode-v2) · [Google Consent Audit Fixes](https://www.cookiebot.com/en/google-consent-audit-fixes/) · [Developer documentation](https://www.cookiebot.com/en/developer/) · [Cookiebot vs CookieYes](https://www.cookiebot.com/en/cookiebot-best-cookieyes-alternative/) · [Cookiebot vs OneTrust](https://www.cookiebot.com/en/onetrust-alternative/) · [Cookie Banner Cost Calculator](https://www.cookiebot.com/en/cookie-banner-pricing-calculator/) ## Company [About us](https://www.cookiebot.com/en/about/) · [Careers](https://usercentrics.com/career/) · [Support](https://support.cookiebot.com/hc/en-us/) --- [Privacy Policy](https://www.cookiebot.com/en/privacy-policy/) · [Terms of Service](https://www.cookiebot.com/en/terms-of-service/) · [Cookie Declaration](https://www.cookiebot.com/en/cookie-declaration/) · [Data Processing Agreement](https://www.cookiebot.com/en/data-processing-agreement/) ©2026 Cookiebot™ by [Usercentrics](https://usercentrics.com/)