New Zealand Privacy Act 2020: What Businesses Need to Know

The NZ Privacy Act 2020 introduced mandatory breach notification and stronger individual rights. Here's what every New Zealand business needs to know to stay compliant.

The Short Answer

Every business that operates in New Zealand and handles personal information about individuals is covered by the Privacy Act 2020 — regardless of size. Unlike Australia, New Zealand has no small business exemption.

If you collect names, email addresses, phone numbers, or any other personal information from New Zealand customers, employees, or suppliers, the Privacy Act applies to you.

This guide covers what the Act requires, what's changed since 2020, and what you need to have in place.


Who the Privacy Act Covers

The Privacy Act 2020 applies to any agency that collects, holds, uses, or discloses personal information about individuals. "Agency" is defined broadly — it covers:

  • Businesses of any size (sole traders through to large corporations)
  • Charities and not-for-profits
  • Government agencies
  • Individuals acting in a commercial capacity

There is no small business exemption in New Zealand. A sole trader running a one-person tutoring business has the same Privacy Act obligations as a large retailer. This is a key difference from Australia, where businesses under $3 million turnover are currently exempt.

"Personal information" means any information about an identifiable individual — names, email addresses, phone numbers, IP addresses, purchase history, health information, and more.


The 13 Information Privacy Principles

The Privacy Act 2020 is built around 13 Information Privacy Principles (IPPs). These are the core rules governing how personal information must be handled.

Collection (IPPs 1–4)

  • IPP 1: Only collect personal information if it's necessary for a lawful purpose
  • IPP 2: Collect directly from the individual where reasonably practicable
  • IPP 3: Tell people what you're collecting, why, and who will receive it — at the time of collection
  • IPP 4: Don't collect information by unlawful or unfair means

Storage and Security (IPP 5)

  • IPP 5: Take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure

Access and Correction (IPPs 6–7)

  • IPP 6: Give individuals access to their personal information on request
  • IPP 7: Correct inaccurate personal information on request

Accuracy and Retention (IPPs 8–9)

  • IPP 8: Ensure personal information is accurate and up to date
  • IPP 9: Don't keep personal information longer than necessary

Use and Disclosure (IPPs 10–11)

  • IPP 10: Only use personal information for the purpose it was collected, or a directly related purpose
  • IPP 11: Only disclose personal information in limited circumstances

Unique Identifiers (IPP 12)

  • IPP 12: Don't assign unique identifiers to individuals unless necessary, and don't share them

Overseas Disclosure (IPP 13)

  • IPP 13: Before disclosing personal information to an overseas recipient, take reasonable steps to ensure it receives comparable privacy protection

Your privacy policy must address all 13 IPPs. A US-generated template that hasn't been built for New Zealand law will miss these — particularly IPP 3 (collection notice requirements) and IPP 13 (overseas disclosure).


The Notifiable Privacy Breach Scheme

One of the most significant changes introduced by the Privacy Act 2020 was the Notifiable Privacy Breach (NPB) scheme — mandatory breach notification that didn't exist under the previous 1993 Act.

What triggers notification?

A notifiable privacy breach is one that has caused, or is likely to cause, serious harm to an affected individual. Serious harm includes:

  • Significant financial loss
  • Physical harm
  • Serious emotional distress
  • Damage to reputation or relationships
  • Safety risks

Examples relevant to NZ businesses:

  • A cyberattack exposing customer payment details or health information
  • Sending personal information to the wrong recipient
  • A lost or stolen device containing customer records
  • Unauthorised employee access to personal information

What you must do

If you experience a notifiable privacy breach, you must:

  1. Notify the Privacy Commissioner at privacy.org.nz as soon as reasonably practicable
  2. Notify affected individuals directly where possible
  3. Take steps to contain the breach and reduce harm

Penalties for not notifying

Failing to notify a notifiable breach when required is an interference with privacy — which can result in a complaint to the Privacy Commissioner, investigation, and orders requiring action or compensation. The Privacy Commissioner can also name businesses publicly in annual reports.

Your privacy policy must mention the NPB scheme

Your privacy policy must explain what a notifiable privacy breach is and how individuals can contact you — and the Privacy Commissioner — if they believe a breach has occurred involving their information.


What's Changed Since 2020

The Privacy Act 2020 replaced the Privacy Act 1993 and introduced several important changes:

Mandatory breach notification — The NPB scheme is entirely new. Under the 1993 Act, breach notification was voluntary.

Stronger individual rights — Individuals now have a clearer right to access their information and request corrections, with tighter timeframes for businesses to respond.

Overseas disclosure obligations — IPP 13 introduces explicit requirements before sending personal information offshore, including to cloud services hosted overseas. This catches many businesses that use US-based software.

Compliance notices — The Privacy Commissioner can now issue compliance notices requiring businesses to take specific actions, with court-enforceable consequences.

Broader definition of harm — The bar for what constitutes a privacy interference has been updated to better reflect modern privacy risks including digital harms.


What You Need to Have in Place

1. A Privacy Policy

Your privacy policy must:

  • Be freely available — on your website or provided on request
  • Address all 13 Information Privacy Principles
  • Include your collection notice obligations (what you collect, why, who receives it)
  • Explain overseas disclosure practices (if you use overseas cloud services, payment processors, or email platforms)
  • Include the Notifiable Privacy Breach scheme
  • Be written in plain English

2. A Collection Notice

When you collect personal information directly from individuals — on a website form, at point of sale, or during enrolment — you must notify them at the time of collection about:

  • Who you are and how to contact you
  • Why you're collecting the information
  • Who you might share it with
  • Whether providing it is voluntary or required

A short paragraph on your signup forms, checkout pages, or intake forms is typically sufficient.

3. A Breach Response Process

You need a documented process for identifying and responding to privacy breaches — even a simple one-page document covering:

  • What counts as a potential breach
  • Who in your business is responsible for assessing it
  • How to notify the Privacy Commissioner (privacy.org.nz)
  • How to notify affected individuals

4. Access and Correction Process

Individuals have the right to request their personal information and request corrections. You need a process for handling these requests — typically within 20 working days.

5. Overseas Disclosure Assessment

If you use any overseas services that process personal information — cloud storage, email marketing platforms, payment processors, CRMs — you need to have assessed whether they provide comparable privacy protection to the NZ Privacy Act. Most reputable US and EU services will satisfy this requirement, but you should document your assessment.


How This Compares to Australian Law

Many New Zealand businesses also operate in Australia — or are considering it. The two privacy frameworks are similar in structure but have important differences:

Feature | NZ Privacy Act 2020 | AU Privacy Act 1988
Small business exemption | None — all businesses covered | Under $3M turnover currently exempt (changing 2026-2027)
Core principles | 13 Information Privacy Principles | 13 Australian Privacy Principles
Breach notification | Notifiable Privacy Breach scheme | Notifiable Data Breaches scheme
Overseas disclosure | IPP 13 — comparable protection | APP 8 — comparable protection
Regulator | Privacy Commissioner (privacy.org.nz) | OAIC (oaic.gov.au)
Maximum penalty | Court-ordered compensation | Up to $50M for serious/repeated breaches

If you operate in both countries, you need a privacy policy that covers both frameworks — or separate policies for each jurisdiction.


Frequently Asked Questions

I'm a sole trader in New Zealand. Do I need a privacy policy?

Yes — there's no small business exemption in New Zealand. If you collect personal information about customers or clients, the Privacy Act applies and you should have a privacy policy.

I use US-based software like Mailchimp or Stripe. Does that trigger IPP 13?

Yes — sending personal information to overseas recipients triggers IPP 13. You need to take reasonable steps to ensure the recipient provides comparable privacy protection. Most major US services (Mailchimp, Stripe, AWS, Google) have privacy programmes that satisfy this requirement. Document your assessment.

What's the difference between the NZ NPB scheme and Australia's NDB scheme?

The structures are very similar — both require notification to the regulator and affected individuals when a breach is likely to cause serious harm. The main differences are the regulator (Privacy Commissioner vs OAIC) and the penalty regime (NZ relies more on court-ordered compensation; Australia has direct financial penalties up to $50M).

My business operates in both Australia and New Zealand. Do I need two policies?

You can have one combined policy that addresses both frameworks — ComplianceKit's Trans-Tasman bundle covers both. Alternatively, separate policies for each jurisdiction are equally valid.


Summary

The NZ Privacy Act 2020 applies to every New Zealand business regardless of size. You need a privacy policy covering all 13 IPPs, a process for responding to breach notifications, and documentation of your overseas disclosure practices.

Unlike Australia, there's no exemption threshold — compliance is required now, not when future legislation passes.


Last updated: April 26, 2026

This guide provides general information about New Zealand privacy law. It is not legal advice. For specific legal questions about your situation, consult a qualified privacy lawyer or contact the Privacy Commissioner at privacy.org.nz or 0800 803 909.
