
New Zealand Privacy Act 2020
On December 1, 2020, the New Zealand Privacy Act 2020 replaced the previous Privacy Act of 1993.
The Privacy Act of 2020 introduced several changes compared to the 1993 Act. While the core principles remain similar, the 2020 Act requires you to inform New Zealand consumers about your website’s use of cookies and other trackers, as well as how their personal information is collected and managed. The Privacy Act of 2020 strengthens individual privacy rights and sets additional requirements for businesses, bringing the requirements closer to international standards.
What Is the New Zealand Privacy Act 2020?
The New Zealand Privacy Act 2020 is the country’s principal data protection law and governs how the personal information of New Zealand individuals is managed. The law provides data protection rights for individuals through the 13 Privacy Principles and sets guidelines and restrictions for entities to collect and process personal data lawfully.
The New Zealand Privacy Act 2020 was enacted on December 1, 2020. It repealed and replaced the Privacy Act 1993.
In July 2024, an update was released that amended the December 2020 version.
The new and amended New Zealand Privacy Act 2020 strengthens cross-border regulations, data breach requirements, and more. New Zealand is one of 12 countries worldwide to have an adequacy agreement with the EU, ensuring unrestricted, free flow of personal data between New Zealand and the EU.
The New Zealand Privacy Act 2020 applies to all websites, businesses, or organizations that collect personal information from New Zealand consumers, regardless of where in the world they are based.
With CookieScript, you can easily comply with the New Zealand Privacy Act 2020. In 2024, CookieScript CMP was ranked by users on G2 as the best CMP for small and medium-sized companies.
Who Needs to Comply with the New Zealand Privacy Act 2020?
The New Zealand Privacy Act 2020 applies to:
- A New Zealand agency located within New Zealand;
- A New Zealand agency located outside New Zealand but offering goods or services to individuals in New Zealand; or
- A New Zealand agency located outside New Zealand but collecting personal information about individuals in New Zealand.
An agency refers to any organization or person to whom this Act applies. The Privacy Act 2020 applies to entities of all sizes and structures and even individuals. There is no organizational size limit on the application of the legislation.
Note that an agency that meets the criteria above does not need to have a physical presence within the country. The Act applies to any agency carrying on business in New Zealand, whether or not it is a commercial operation, has a place of business in New Zealand, receives monetary payment for the sale of goods or services, or intends to make a profit from its business in New Zealand.
For example, if a business is located in Germany and intends to make a profit from individuals in New Zealand, it will be subject to the Privacy Act of 2020.
In addition, it does not matter where the personal information was collected by the agency, where the personal information is held by the agency, or where the individual concerned is located.
Exemptions from Privacy Act 2020 compliance
Certain types of entities are excluded from coverage by the Act, including:
- Members of Parliament
- “A news entity, to the extent that it is carrying on news activities.”
- Entities authorized by the Privacy Commissioner for the “collection, use, storage, or disclosure of personal information otherwise in breach of IPP 2 or IPPs 9 to 12.”
The 13 Privacy Principles of the New Zealand Privacy Act 2020
The Privacy Commissioner sets 13 Privacy Principles under the New Zealand Privacy Act 2020 that regulate the lawful way to collect, process, share, store, or otherwise manage the Personal Information (PI) of individuals in New Zealand.
The 13 Privacy Principles are:
- Purpose for collection
- Source of information
- Collection of Information from Subject
- Manner of collection
- Storage and security
- Access
- Correction
- Accuracy
- Retention
- Use
- Disclosure
- Disclosure outside New Zealand
- Unique identifiers
Principle 1: Purpose of Collection of Personal Information. An agency may collect Personal Information (PI) only when the purpose is lawful, related to a function or activity of the agency, and the collection is necessary for that purpose. This means that an agency is not allowed to collect information from users that is not relevant to its functions or activities.
This principle also requires agencies to notify users about data collection before collecting data from them.
Principle 2: Source of Personal Information. Agencies should collect personal information directly from the individual concerned.
There are some exceptions to this principle. Information collection from another source is allowed in the following cases:
- Collecting from another source would not endanger the individual, or
- Information is collected for research, legal proceedings, and public health, among other reasons.
Principle 3: Collection of Information from Subject. This principle regulates what the individual must be told about data collection. Agencies must be open about why they are collecting personal information and what they plan to do with it. They should tell individuals whether providing the data is voluntary or required by law, and what the consequences of not providing it are. If data is shared with third parties, agencies must disclose who those third parties are. This principle ensures transparency.
Notify your website users about:
- Why your entity collects personal information
- Who the data will be shared with
- Whether PI collection is compulsory or voluntary
- What can happen if an individual does not provide the data
Providing a privacy policy is a good practice to comply with this principle.
Principle 4: Manner of Collection of Personal Information. This principle ensures ethical data collection. Only collect personal information fairly and legally. Personal information should not be collected by unlawful, unfair, or unreasonably intrusive means. Take special care when you collect personal information from children.
Principle 5: Storage and Security of Personal Information. Entities must put reasonable safeguards in place to prevent loss, misuse, and unauthorized access, use, modification, or disclosure of personal information.
In case of a serious privacy breach, an organization must notify the Office of the Privacy Commissioner as soon as possible (within 72 hours).
Principle 6: Access to Personal Information. Individuals have a right to ask for access to their own personal information. Organizations must provide means of requesting access, like a link or an e-mail address. The rules for how an organization must respond to this request are set out in Part 4, Subpart 1 of the Privacy Act 2020.
People can only ask for information about themselves.
In most cases, personal information should be provided free of charge. However, there are some circumstances where it may be appropriate for an agency to charge.
Principle 7: Correction of Personal Information. Individuals have a right to ask an organization to correct information about them if they believe it is inaccurate, misleading, or incomplete. The agency should take action to correct their personal information. If an agency does not agree that the information needs correcting, it is obligated to attach a statement of correction with the information.
Principle 8: Accuracy of personal information. An agency must check PI before using or disclosing it and must ensure that it is accurate, up-to-date, complete, relevant, and not misleading.
Principle 9: Retention of personal information. An agency should not keep personal information for longer than is required for the purposes for which it may lawfully be used.
Principle 10: Limits on Use of Personal Information. An agency should use personal information only for the purpose for which it was collected, unless the individual consents or an exception applies. There are limits on using personal information for other purposes.
Principle 11: Limits on Disclosure of Personal Information. An agency may only disclose personal information for the purpose for which it was originally collected or obtained. However, there are some circumstances in which disclosure for other purposes is permitted, such as protecting public revenue, statistical or research purposes, or when the disclosure is authorized by the individual concerned.
Principle 12: Disclosure of Personal Information Outside New Zealand. An agency may only disclose personal information to another organization outside New Zealand if the receiving organization meets one of the following requirements:
- It is subject to the Privacy Act because they do business in New Zealand;
- It will adequately protect the information; or
- It is subject to privacy laws that provide comparable safeguards to the Privacy Act.
Otherwise, an organization may only make a cross-border disclosure with the permission of the person concerned.
Principle 13: Unique Identifiers. Agencies may not assign identifying numbers or other unique identifiers to individuals unless it is necessary for their functions. Examples of unique identifiers include driver’s license numbers, passport numbers, IRD numbers, and National Health Index (NHI) numbers. An organization cannot assign a unique identifier to a person if that identifier has already been given to the person by another organization. However, an organization can record (and use) a person’s unique identifier so that it can communicate with the other organization about the individual.
Organizations must also take reasonable steps to protect unique identifiers from misuse and make sure they verify someone’s identity before assigning a unique identifier.
New Zealand Privacy Act 2020 Consumer Rights
The Privacy Act 2020 allows people to control their personal information. New Zealand individuals have the following rights under the Privacy Act:
- Right to Know: Individuals have the right to be informed about how organizations collect, use, and disclose their personal information. The most common way to provide this information is by disclosing it on a clear and concise privacy policy on your website. The Privacy Policy should explain: what information you collect, why you collect it, how long you keep it, and who you are sharing it with.
- Right to Access: People can request a copy of their personal information via email, letter, phone, or in person. This can be used to verify the accuracy of the data and to check that organizations are not holding anything unnecessary. Organizations must respond to these requests within 20 working days. New Zealand individuals can also use the easy AboutMe tool to request their personal information from any organization, business, or government agency in New Zealand.
- Right to Correct: If individuals think information held about them is wrong, they can ask organizations to correct it. Examples of inaccurate information include typos in people’s names, outdated addresses, incorrect dates of birth, or anything else that is inaccurate. Organizations should have a clear process for individuals to submit correction requests. If an organization declines to correct the information, it must explain why and, if asked, attach a statement of correction from the individual.
- Right to Object: Individuals can object to how organizations are using their information, including opting out of marketing emails, targeted advertising, or any other use they do not consent to. Organizations must provide clear opt-out mechanisms on their website and respect people’s choices.
- Right to Erasure: In some situations, individuals can ask organizations to delete their personal information altogether. This might apply if they no longer use the organization’s website, have withdrawn consent, or the information is no longer necessary. Organizations must erase the data unless they have a legal obligation to retain it.
What Is Personal Information under the New Zealand Privacy Act 2020?
New Zealand Privacy Act 2020 defines personal information as any kind of data that can identify an individual.
Personal information could include the following data:
- Name
- Contact information, like home address, email address, or telephone number
- Passport number
- Social security number
- Driver’s license number
- Date of birth
- Signature
- Racial or ethnic information
- Political opinions and religious beliefs
- Sexual orientation
- Health, genetic, and biometric information
- Employment information
- Education information
- IP addresses
- Unique IDs set by Google cookies and other third-party services
- Search and browser history
- Data about devices, operating systems, updates
- Location data
- Purchase and online shopping history
- Settings and website preferences
- Behavioral data, such as scrolling speed and mouse hovering
- Most third-party cookies, used for analytics, advertising, or social media interactions
Your website might not collect all of these data types, such as your users’ passport numbers or sexual orientation, but it almost certainly collects data about their devices, shopping history, or behavior on the Internet. Thus, any website visited by people from New Zealand almost certainly holds personal information.
Scan your website for free to see all your website cookies, local storage, and session storage in use.
Penalties for Non-Compliance
New Zealand Privacy Act 2020 does not set penalties very clearly, compared to many other data protection laws. The focus within the Act is on civil remedies for affected individuals. However, there are also limited financial penalties for certain offenses.
If an organization breaches one of the Privacy Principles and causes harm to an individual or fails to comply with the law, the Privacy Commissioner will act as a mediator between the organization and the affected individual(s).
The Privacy Act expects an organization to compensate individuals affected by data breaches or any other violation of their privacy.
If a settlement cannot be reached, the Commissioner can refer matters to the New Zealand Human Rights Review Tribunal, which can award damages of up to NZD 350,000 to an individual. Class actions can also be brought against an organization under the changes introduced by the Privacy Act 2020.
There are also specific offenses under the Privacy Act:
- Obstructing, hindering, or resisting the Privacy Commissioner;
- Refusing or failing to comply with a lawful requirement of the Privacy Commissioner;
- Making false or misleading statements to the Privacy Commissioner;
- Impersonating an individual to obtain access to, use, alter or destroy that individual’s personal information;
- Destroying a document containing personal information that is subject to a request for access; or
- Failing to comply with a compliance notice issued by the Privacy Commissioner.
Section 212 of Part 9 sets a maximum penalty of NZD 10,000 for offenses committed under the New Zealand Privacy Act. Refusing or failing to comply with a transfer prohibition notice without a reasonable excuse can result in a fine of up to NZD 10,000. Failing to notify the Commissioner of a privacy breach can also result in a fine of up to NZD 10,000.
Section 104 (4) of Part 5 states that an agency that fails to comply with an access order is liable to a fine of up to NZD 10,000.
These are criminal offences that can result in conviction and a fine of up to NZD 10,000 per offense.
How can CookieScript Help?
Use a professional Consent Management Platform (CMP) to comply with the New Zealand Privacy Act 2020 and other data privacy laws.
CookieScript Consent Management Platform (CMP) provides you with a cookie banner, Cookie Scanner, Privacy Policy Generator, script manager, and user consent manager, so you can be sure your website is 100% compliant with the New Zealand Privacy Act 2020 and other privacy regulations!
One of the most important features that many other CMPs are missing is the geo-targeting feature. The CookieScript geo-targeting feature determines your website’s user location and automatically presents the correct cookie banner. Thus, individuals from New Zealand will be presented with the right Cookie Banner that ensures your website’s compliance with the New Zealand Privacy Act 2020.
In 2024, CookieScript CMP was ranked by users as the best CMP on the peer-review site G2.
It also received a GOLD Tier in the New Google Tiering System.
Frequently Asked Questions
Does New Zealand have a data privacy law?
Yes, the New Zealand Privacy Act 2020 is New Zealand’s principal data protection law and governs how the personal information of New Zealand individuals is managed. The New Zealand Privacy Act 2020 came into effect on December 1, 2020. It repealed and replaced the Privacy Act 1993. Use CookieScript CMP with its geo-targeting functionality to comply with the Act.
What is the New Zealand Privacy Act 2020?
The New Zealand Privacy Act 2020 is New Zealand’s principal data protection law and governs how the personal information of New Zealand individuals is managed. The law provides data protection rights for individuals through the 13 Privacy Principles and sets guidelines and restrictions for entities to collect and process personal data lawfully. Use CookieScript to comply with the Act.
What are the 13 Privacy Principles of the New Zealand Privacy Act 2020?
The Privacy Commissioner sets 13 Privacy Principles under the New Zealand Privacy Act 2020 to manage personal information. The 13 Privacy Principles are: purpose for collection, source of information, collection of information, manner of collection, storage and security, access, correction, accuracy, retention, use, disclosure, disclosure outside New Zealand, and unique identifiers. Use CookieScript to comply with the 13 Privacy Principles.
Who Must Comply with the New Zealand Privacy Act 2020?
The New Zealand Privacy Act 2020 applies to: a New Zealand agency located within New Zealand; a New Zealand agency located outside New Zealand but offering goods or services to individuals in New Zealand; or a New Zealand agency located outside New Zealand but collecting personal information about individuals in New Zealand. Use CookieScript CMP to comply with the Act. In 2024, CookieScript CMP was ranked by users on G2 as the best CMP.
How is an agency defined under the New Zealand Privacy Act 2020?
An agency refers to any organization or person to whom this Act applies. The Privacy Act 2020 applies to entities of all sizes and structures and even individuals. There is no organizational size limit on the application of the legislation. Use CookieScript CMP to comply with the Act. In 2024, CookieScript CMP was ranked by users on G2 as the best CMP.
Is my website compliant with the New Zealand Privacy Act 2020?
The New Zealand Privacy Act 2020 requires website operators to be aware of all cookies, local storage, session storage, and other trackers that collect, use, or share personal information of individuals in New Zealand, and to inform users about them before data collection. Scan your website with CookieScript CMP to detect all cookies, local storage, and session storage in use.
What is personal data under the New Zealand Privacy Act 2020?
Under New Zealand’s Privacy Act of 2020, personal data is any information that relates to an identifiable individual. It is not limited to obvious data such as name, home address, email address, or passport number, but also includes IP addresses, search and browser history, data about devices and operating systems, location data, cookies, and so on. Scan your website with CookieScript CMP to detect all cookies, local storage, and session storage in use.