Privacy Compliance for New Zealand Small Businesses: What You Need to Know in 2026

Unlike Australia, New Zealand has no small business exemption — every business must comply with the Privacy Act 2020 regardless of size. Here's what that means for you.

Quick Summary

Are you a small New Zealand business? Privacy law already applies to you — in full.

Unlike Australia, New Zealand has no small business exemption. The Privacy Act 2020 covers every business that collects personal information about individuals, regardless of turnover. A sole trader running a one-person operation has the same privacy obligations as a large corporation.

This guide explains what the Privacy Act requires, what you need to have in place, and how to get compliant quickly and affordably.


There Is No Small Business Exemption in New Zealand

This surprises many NZ small business owners, particularly those who are aware that Australian businesses under $3 million turnover are currently exempt from the Australian Privacy Act.

In New Zealand, that exemption doesn't exist.

If you:

  • Have a website that collects email addresses
  • Take bookings that require a name and phone number
  • Send marketing emails to customers
  • Keep client records

...then the Privacy Act 2020 applies to you, and you need a compliant privacy policy.


What the Privacy Act Requires

The Privacy Act 2020 is built around 13 Information Privacy Principles (IPPs). These govern how you collect, store, use, and disclose personal information.

The key obligations for small businesses:

1. Only collect what you need (IPP 1). Don't collect personal information unless it's necessary for your business. If you don't need a customer's date of birth, don't ask for it.

2. Tell people what you're collecting and why (IPP 3). When you collect personal information — on a form, at checkout, during a booking — you must notify people what you're collecting, why, and who might receive it. A short note on your forms is sufficient.

3. Keep it secure (IPP 5). Take reasonable steps to protect personal information from loss, unauthorised access, or disclosure. For a small business, this means: password-protected devices, secure cloud storage, strong email passwords, and disposing of physical records securely.

4. Let people access and correct their information (IPPs 6–7). If a customer asks to see the information you hold about them, or wants to correct inaccurate information, you must respond within 20 working days.

5. Don't keep it longer than necessary (IPP 9). When you no longer need personal information, dispose of it securely.

6. Address overseas disclosure (IPP 13). If you use overseas software — Mailchimp, Stripe, Xero, Google Workspace — personal information is being sent overseas. Your privacy policy must address this, and you must take reasonable steps to ensure comparable privacy protection.


The Notifiable Privacy Breach Scheme

One of the most important requirements — and most commonly missed — is the Notifiable Privacy Breach (NPB) scheme.

If your business experiences a privacy breach that is likely to cause serious harm to an individual, you must:

  1. Notify the Privacy Commissioner at privacy.org.nz
  2. Notify affected individuals directly
  3. Take steps to contain the breach and reduce harm

For a small business, a notifiable breach could be:

  • A cyberattack exposing customer data
  • Accidentally emailing one client's information to another
  • A lost phone containing customer contact details
  • Unauthorised access to your email account

Your privacy policy must explain the NPB scheme and how individuals can contact you — and the Privacy Commissioner — if they believe a breach has occurred.


What You Need to Have in Place

1. A Privacy Policy

Your privacy policy must:

  • Be freely available on your website or provided on request
  • Address all 13 Information Privacy Principles
  • Include a collection notice explanation
  • Address overseas disclosure (IPP 13)
  • Include the Notifiable Privacy Breach scheme
  • Be written in plain English

A US-generated privacy policy template won't cover NZ-specific requirements — the 13 IPPs and NPB scheme are specific to New Zealand law.

2. Collection Notices on Your Forms

Add a short paragraph to your signup forms, booking forms, and checkout pages explaining:

  • What you're collecting
  • Why you're collecting it
  • Who might receive it

This doesn't need to be long. Two or three sentences is typically sufficient.

3. A Basic Breach Response Process

Document how you'd handle a privacy breach:

  • Who in your business is responsible for assessing it
  • How to notify the Privacy Commissioner (privacy.org.nz)
  • How to notify affected individuals

Even a one-page document satisfies this requirement for most small businesses.

4. Basic Security Measures

  • Password-protect all devices and accounts holding personal information
  • Use strong, unique passwords (a password manager helps)
  • Store customer data in secure cloud services rather than unprotected spreadsheets
  • Dispose of physical records (paper forms, printed emails) securely

How Much Does Compliance Cost?

Privacy compliance doesn't need to be expensive for a small business.

Typical approaches and their cost:

  • Privacy lawyer: $1,500–$5,000+
  • US-based generator: $29–$99/month (won't cover NZ IPPs or NPB scheme)
  • ComplianceKit — Generate Once: $79 NZD one-time
  • ComplianceKit — Managed Compliance: $79 + $29 NZD/year

The main costs for most small businesses are the privacy policy and a small amount of time to implement collection notices and a breach response process. For most businesses, this is an afternoon's work and under $100.


Common Questions

I'm a sole trader. Does this really apply to me?

Yes — there's no size threshold in NZ. If you collect personal information about clients or customers, the Privacy Act applies.

I don't have a website. Do I still need a privacy policy?

If you collect personal information in any way — paper forms, phone, email — you should have a privacy policy available on request. If you do have a website, it should be published there.

I use Xero, Mailchimp, and Stripe. Does IPP 13 apply?

Yes — all three are overseas services that process personal information. Your privacy policy should mention that personal information may be disclosed to overseas service providers, and that you take reasonable steps to ensure they provide comparable privacy protection. Most major services (Xero, Stripe, Mailchimp) have privacy programmes that satisfy this requirement.

What happens if I don't have a privacy policy?

Operating without a privacy policy when required is an interference with privacy under the Privacy Act 2020. Individuals can complain to the Privacy Commissioner, who can investigate and issue compliance notices. There's also civil litigation risk from the privacy torts developing under case law.

My business also operates in Australia. Do I need two policies?

You can have one combined Trans-Tasman policy covering both NZ and AU requirements, or separate policies for each jurisdiction. ComplianceKit's Trans-Tasman bundle covers both.


Getting Compliant Quickly

For most NZ small businesses, compliance involves:

  1. Get a privacy policy — covering all 13 IPPs and the NPB scheme (5 minutes with ComplianceKit)
  2. Add collection notices to your forms — a short paragraph explaining what you collect and why
  3. Write a one-page breach response plan — who does what if a breach occurs
  4. Check your overseas services — make sure your policy mentions them

That's it for most small businesses. You don't need a legal team or a 50-page compliance programme.


Additional Resources

Official guidance:

  • Office of the Privacy Commissioner: privacy.org.nz
  • Privacy enquiries: 0800 803 909

Last updated: April 26, 2026

This guide provides general information for small New Zealand businesses. It's not legal advice. For specific questions about your situation, consult a qualified privacy lawyer or contact the Privacy Commissioner at privacy.org.nz.
