Privacy Act New Zealand cookie consent and compliance

New Zealand's Privacy Act 2020 is built on 13 information privacy principles (IPPs). IPP 3 requires an agency that collects personal information to tell the person what is being collected, why, and who will receive it. For a website this covers cookies and trackers that process identifiable data: their purpose, who the data is shared with, and a genuine opt-in, so that visitors see a consent prompt before non-essential cookies are set. Are you compliant?

What your business needs to know about the Privacy Act NZ

The Privacy Act 2020, in force since 1 December 2020, modernizes and replaces the Privacy Act 1993. It strengthens protections for personal information and aligns New Zealand with international standards through 13 Information Privacy Principles (IPPs) covering collection, storage and security, access, correction, accuracy, retention, use, disclosure, cross-border transfers, and unique identifiers.

What does Privacy Act NZ compliance require?

Organizations, public and private, that operate in New Zealand or target individuals there, and that collect or handle personal information about those individuals, must comply with the Privacy Act regardless of where the business is located.

To ensure compliance, organizations must respect and follow the 13 IPPs:

IPP 1, Purpose:

Collect personal information only for a lawful purpose connected with the organization's functions, and be able to explain that purpose

IPP 2, Data source:

Collect information directly from the person it is about, unless one of the Act's exceptions applies

IPP 3, Openness:

Tell the person why the information is being collected, who will receive it, whether providing it is required or voluntary, and what happens if it is not provided

IPP 4, Lawful collection:

Collect information in a way that is lawful, fair, and not unreasonably intrusive

IPP 5, Data protection:

Take reasonable security safeguards against loss, unauthorized access, use, modification, or disclosure

IPP 6, Right of access:

Individuals have the right to request access to their own information

IPP 7, Right to correct:

Individuals have the right to request that inaccurate or incomplete information be corrected

IPP 8, Accuracy:

Check before using or disclosing personal information that it is accurate, up to date, complete, and not misleading

IPP 9, Retention:

Do not keep information longer than is required for the purpose for which it may lawfully be used

IPP 10, Limits on use of personal information:

Use personal information only for the purpose for which it was collected, unless an exception applies

IPP 11, Disclosure:

Disclose personal information only for the purpose for which it was collected, unless an exception applies

IPP 12, Data outside New Zealand:

Send personal information to an organization outside New Zealand only where the Act's conditions for overseas disclosure are met

IPP 13, Use of unique identifiers:

Assign a unique identifier to a person only when it is necessary for the organization's functions

Who needs to comply with Privacy Act NZ?

Most individuals and organizations (the Act calls them "agencies") that collect, hold, process, or use personal information in New Zealand must comply with the Privacy Act 2020 and its 13 IPPs. This includes private businesses and public entities, as well as overseas companies offering goods or services to New Zealand residents. The exemptions are narrow and include members of parliament acting in an official capacity, the courts, and news media engaged in news activities.

Consumer rights under the Privacy Act NZ

The Privacy Act gives NZ residents a number of rights concerning their data, including allowing consumers to:

Why cookies as part of Privacy Act NZ compliance

Cookies that hold or generate personal information, such as IP addresses or device identifiers that can be linked to an individual, fall under the Act's definition of personal information. Websites must cover cookie use in their privacy notices, and non-essential cookies and trackers should only be set after proper disclosure and valid user consent.
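The gate described above, as an added example that is not CookieHub's code and not part of the original page: non-essential trackers are registered with a category and only run once a recorded opt-in for that category exists, a missing or tampered consent record counts as "no decision" rather than consent, and withdrawing consent expires the cookies a tracker set. The cookie name `consent_prefs`, the categories, the tracker names and the cookie string fed to the demo are assumptions constructed for the example.

```javascript
// Added example, not CookieHub's code: a minimal consent gate that keeps
// non-essential trackers off until the visitor opts in, and expires their
// cookies if consent is withdrawn. Cookie name and categories are assumptions.
const CONSENT_COOKIE = "consent_prefs";            // assumed cookie name
const CATEGORIES = ["analytics", "marketing"];     // non-essential categories

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Return the stored decision as {category: boolean}, or null if the visitor
// has not decided yet. Anything unparseable is treated as "no decision",
// never as consent (default deny).
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return null; }
  if (typeof parsed !== "object" || parsed === null) return null;
  const prefs = {};
  for (const c of CATEGORIES) prefs[c] = parsed[c] === true;
  return prefs;
}

// Set-Cookie value that records a decision. The consent record itself is
// strictly necessary, so it can be written before any opt-in.
function consentCookie(prefs, maxAgeSeconds = 180 * 24 * 3600) {
  const value = {};
  for (const c of CATEGORIES) value[c] = prefs[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}` +
         `; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Set-Cookie value that deletes a cookie a tracker set (used on withdrawal).
function expireCookie(name) {
  return `${name}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// The gate: trackers register with a category, the cookies they set, and a
// loader. The loader runs once, and only after consent for that category.
function createConsentGate(cookieString) {
  let prefs = readConsent(cookieString);
  const trackers = [];   // {category, name, cookies, run, started}

  function flush() {
    if (prefs === null) return;                 // undecided: everything waits
    for (const t of trackers) {
      if (!t.started && prefs[t.category]) { t.started = true; t.run(); }
    }
  }
  return {
    register(category, name, cookies, run) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
      trackers.push({ category, name, cookies, run, started: false });
      flush();
    },
    decided: () => prefs !== null,
    // Record a new decision; returns the Set-Cookie strings to apply.
    update(newPrefs) {
      const next = {};
      for (const c of CATEGORIES) next[c] = newPrefs[c] === true;
      const headers = [consentCookie(next)];
      // Withdrawal: expire the tracker's cookies and allow it to be reloaded
      // only if consent is granted again later.
      for (const t of trackers) {
        if (t.started && !next[t.category]) {
          t.started = false;
          for (const n of t.cookies) headers.push(expireCookie(n));
        }
      }
      prefs = next;
      flush();
      return headers;
    },
    started: () => trackers.filter((t) => t.started).map((t) => t.name),
    waiting: () => trackers.filter((t) => !t.started).map((t) => t.name),
  };
}

// Demo with a constructed cookie header that carries no prior consent record.
function demo() {
  const log = [];
  const gate = createConsentGate("session=abc123");      // constructed input
  gate.register("analytics", "ga", ["_ga", "_gid"], () => log.push("ga loaded"));
  gate.register("marketing", "ads", ["_fbp"], () => log.push("ads loaded"));
  const beforeConsent = gate.started();                  // nothing has run yet
  const headers = gate.update({ analytics: true });      // opt in to analytics only
  const afterConsent = gate.started();                   // only "ga" ran
  const withdrawal = gate.update({});                    // withdraw everything
  return { beforeConsent, afterConsent, withdrawal, log, headers };
}
```

In a real page the Set-Cookie strings returned by `update` are written to `document.cookie` and `register` wraps the tracker's script loader; the point is that the loader is never called while `decided()` is false, and that a decision read back from a cookie the client controls is validated rather than trusted.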

Penalties for Privacy Act NZ non-compliance

Fines of up to NZD 10,000 may be imposed on individuals or organizations for offences under the Act, such as misleading an agency to obtain someone's personal information or failing to comply with a compliance notice or an access direction.

The Privacy Commissioner can issue compliance notices requiring an organization to change its practices, and can direct it to release information to the person it is about. Complaints may be escalated to the Human Rights Review Tribunal, which can award damages and order other remedies, adding further cost.

How to comply with the Privacy Act NZ

Businesses can get ahead of compliance and implement a consent-first posture by introducing some data privacy best practices:

Conduct data and cookie audits:

Review current data practices to identify areas that need adjustment to align with the Privacy Act 2020 and document cookie and tracker purposes

Update privacy and cookie policies:

Revise privacy notices to clearly outline data practices, consumer rights, and how to exercise those rights

Implement consent management:

Get effective management and control of cookie use with a comprehensive consent management platform like CookieHub

Educate employees:

Offer staff education programs on the importance of data privacy and Privacy Act compliance

Implement breach processes:

Develop internal processes to detect and assess privacy breaches and, where a breach is likely to cause serious harm, notify the Privacy Commissioner and the affected individuals as soon as practicable

Assign a privacy champion:

Appoint a privacy officer to oversee compliance

How CookieHub can help with Privacy Act compliance

A consent management platform like CookieHub automates the detection and disclosure of cookies and trackers and shows geo-targeted consent prompts before any personal information is collected, streamlining and reinforcing compliance with IPP 3 under the Privacy Act 2020.

Frequently Asked Questions

The Privacy Act 2020 applies to all agencies (including businesses, government departments, and organizations) that collect, store, and use personal information in New Zealand. It also applies to overseas agencies that carry out business in New Zealand, even if they do not have a physical presence in the country.

Personal data, which the Act calls personal information, is any information about an identifiable individual. This can include names, contact details, financial records, health information, and any other data that can be used to identify someone.

While the Act does not use the term “sensitive data” specifically, certain types of personal information, such as health records, biometric data, and information about someone's race, ethnicity, or political views, are generally considered more sensitive and may require greater protection and care in handling.

The Office of the Privacy Commissioner (OPC) is the independent authority responsible for enforcing and overseeing the Privacy Act 2020. The OPC provides guidance, investigates complaints, and ensures compliance with privacy principles.

Certain individuals and entities are exempt, including members of parliament in their official capacity, courts and tribunals (in relation to their judicial functions), news media (when engaged in news activities), and personal or household affairs (e.g., individuals managing their own personal contact lists).

You can visit the Office of the Privacy Commissioner’s website for detailed guidance, resources, and tools related to the Privacy Act 2020.