Do I need a privacy policy on my website (New Zealand)

TL;DR

If your website collects any personal information, even just names and emails through a contact form, you’re legally required under New Zealand’s Privacy Act 2020 to have a privacy policy. It explains what data you collect, why you collect it, and how it’s stored or shared. Privacy policies are about more than compliance; they show you take people’s trust seriously.

This is not legal advice - only awareness of what you need to know to make your website compliant with current New Zealand law. If you have any questions, please reach out to a data privacy consultant or lawyer. 

Why data privacy matters

Today almost everything we do leaves a trail of personal information, and how brands handle that information has become one of the cornerstones of trust.

When someone fills in a form, subscribes to your newsletter, or makes a purchase, they’re giving you a piece of themselves - their name, contact details, maybe even their address or payment information.

  • They expect you to treat that data with care.

  • They expect you to protect it.

  • And they expect you to be transparent about what happens next.

That’s where data privacy comes in. It’s about respecting your customers’ right to control their own information, and your responsibility as a business to handle that information ethically and securely.

Why there’s privacy legislation in New Zealand

New Zealand’s Privacy Act 2020 was designed to strengthen people’s control over their personal information and to hold organisations accountable for how they collect, use, and store it.

It’s based on 13 Privacy Principles that outline how data should be handled, from collecting it only when necessary, to keeping it secure, to allowing individuals to see and correct their own information.

In plain terms:
If you’re running a business or organisation in New Zealand and you collect personal information, the Privacy Act applies to you.

Even small businesses. Even if it’s “just a contact form.”

The Office of the Privacy Commissioner takes an education-first approach, but it also has the power to investigate complaints and issue compliance notices when organisations don’t follow the rules. You can learn more about the Privacy Principles on the Privacy Commissioner’s website.

Why your NZ website needs a privacy policy

Here’s the simple truth: if your website collects personal information in any way, New Zealand law requires you to have a privacy policy.

Under the Privacy Act 2020, every organisation or business that collects, stores, or uses personal information must clearly explain what information they’re collecting, why they’re collecting it, and how it will be used or shared. 

That requirement applies to everyone - from large corporations to sole traders, from e-commerce sites to small local businesses with a one-page site and a single contact form.

Your website is often where this information is captured. Whether it’s a newsletter sign-up, enquiry form, online booking, e-commerce checkout, or even analytics tracking through tools like Google Analytics or Meta Pixel, you’re gathering data about real people.

And once that happens, you’re responsible for being open and transparent about what you do with it.

A privacy policy (also called a privacy statement) is the easiest and most transparent way to meet that obligation. It’s your public explanation of what information you collect, how you handle it, and how people can contact you about it.

It’s not just about ticking a compliance box; it’s about showing your visitors that you take their trust seriously. A clear, accessible privacy policy helps you:

  1. Meet your legal responsibilities – comply with the Privacy Act 2020 and its 13 principles.

  2. Build trust – people feel safer engaging with businesses that respect their privacy.

  3. Demonstrate professionalism – it shows you take your business and your customers seriously.

What is a privacy policy?

A privacy policy is a clear explanation, usually published as a dedicated page on your website, that covers:

  • What information you collect (names, email addresses, phone numbers, IP addresses).

  • How you collect it (forms, cookies, analytics, third-party tools).

  • Why you collect it (responding to enquiries, sending updates, processing orders).

  • How you store and protect that information.

  • Who you share it with, if anyone.

  • How visitors can access or correct their information.

It doesn’t need to sound like legalese; it just needs to be accurate, transparent, and easy to understand.

What your privacy policy should include

Every business is different, but at minimum, your privacy policy should include:

  1. Introduction – who you are and how to contact you.

  2. What data you collect – including form submissions, payment details, and analytics.

  3. How data is used – for what purpose and how long it’s retained.

  4. Cookies and tracking – mention analytics, advertising pixels, or plug-ins.

  5. Data storage and security – outline how information is kept safe.

  6. Access and correction – explain how people can view or update their information.

  7. Contact details – who to reach for privacy matters.

How to create a privacy policy (three simple options)

1. Do it yourself – for free

The Privacy Commissioner’s free tool Priv-o-matic helps you build a custom privacy statement in minutes. Perfect for small or start-up businesses.

2. Use a professional template

If you want something more comprehensive, On Your Terms provides NZ-specific templates written by lawyers and tailored for everyday business websites.

3. Get a lawyer to write it

For complex businesses, those handling sensitive data, or anyone operating internationally, getting a lawyer to review or write your privacy policy ensures you’re fully compliant and covered.

Other legal pages your website might need

A privacy policy is one piece of your website’s legal foundation. Depending on what you do, you might also need:

  • Website Terms and Conditions – outlines how visitors can use your site and limits your liability. Recommended for all business websites, including service-based sites and blogs.

  • E-commerce Terms of Sale – covers prices, payment, shipping, delivery, returns, and refunds. Legally required if you sell products or services online.

  • Disclaimer or medical disclaimer – protects you if your website shares advice or educational content. Might be important for health, finance, or professional service websites.

  • Professional service agreements – may be needed for regulated professions like law, accounting, finance, or healthcare. Check your industry’s requirements.

  • Cookie policy – not legally required in New Zealand, but worth including if your site uses tracking tools like Google Analytics or Meta Pixel. You can also mention this within your privacy policy.

Questions about privacy pages

This is not legal advice - only awareness of what you need to know to make your website compliant with current New Zealand law. If you have questions, please reach out to a privacy consultant or lawyer. 

1. Do I really need a privacy policy if I only have a contact form?
Yes. Even one form that collects a name or email counts as collecting personal data.

2. Does my privacy policy need to mention cookies or analytics?
Yes, if you use Google Analytics, Meta Pixel, or similar tools.

3. Where should I put my privacy policy?
Link to it in your footer and on any page where you collect personal information.

4. How often should I update it?
Review yearly or when you add new data-collecting tools or third-party integrations.

5. Can I copy someone else’s privacy policy?
No. Every business collects and uses data differently. Start with a template or use Priv-o-matic to build one that fits.

Key takeaway

Privacy isn’t just about compliance; it’s about trust.
When people know their information is respected and protected, they feel safer doing business with you.

If your website doesn’t have a privacy policy (or if it hasn’t been touched in years), it’s a great time for a website refresh. Let’s make sure your site looks good, reads well, and ticks all the right boxes for compliance and credibility.

Book a call to talk about refreshing your website and bringing your content up to date.
