New Zealand Data Privacy Act 2020 Explained

By: James Ó Nuanáin, CIPP/E, CIPM, CIPT James Ó Nuanáin, CIPP/E, CIPM, CIPT | Updated on: March 6, 2024

Generate a Free Privacy Policy
New-Zealand-Data-Privacy-Act-2020-01

If you collect personal information from website users in New Zealand, you may be subject to the New Zealand Privacy Act 2020.

New Zealand’s data privacy law gives people in the country rights over how their information is collected and used and requires covered entities to explain their purposes for data collection, describe how data is used, and outline if it’s shared with others.

Keep reading to learn about the New Zealand Privacy Act 2020 requirements, how it impacts businesses and consumers, and the penalties for non-compliance.

Table of Contents
  1. What Is the New Zealand Privacy Act 2020?
  2. New Zealand Privacy Act 2020 Key Terms and Definitions
  3. What Does the New Zealand Privacy Act 2020 Cover?
  4. Requirements of the New Zealand Privacy Act 2020
  5. New Zealand Privacy Act 2020 vs. Global Data Privacy Laws: Similarities and Differences
  6. How Does the New Zealand Privacy Act 2020 Impact Consumers?
  7. How Does the New Zealand Privacy Act 2020 Impact Businesses?
  8. Who Must Comply With the New Zealand Privacy Act 2020?
  9. How Can Businesses Prepare for the New Zealand Privacy Act 2020?
  10. How Is the New Zealand Privacy Act 2020 Enforced?
  11. Fines and Penalties Under the New Zealand Privacy Act 2020
  12. How Does Termly Help With New Zealand Privacy Act 2020 Compliance?
  13. Are There Other Privacy Related Laws in New Zealand?
  14. Summary

What Is the New Zealand Privacy Act 2020?

The New Zealand Privacy Act 2020 is the county’s principal data protection law that provides guidelines and restrictions entities must follow to lawfully collect and process personal data from individuals in New Zealand.

The law also gives rights to individuals regarding how their data is used and outlines the penalties and fines for non-compliance.

When Did the New Zealand Privacy Act 2020 Take Effect?

The New Zealand Privacy Act 2020 officially took effect on December 1, 2020, replacing the previous Privacy Act 1993.

New Zealand Privacy Act 2020 Key Terms and Definitions

To help you better understand New Zealand’s leading privacy law, read through the following definitions of several key terms as they appear in the text of the law.

Note that under New Zealand’s privacy law, there’s no specific definition or differentiation between data controllers and processors; both are subject to the same strict guidelines.

What Does the New Zealand Privacy Act 2020 Cover?

The New Zealand Privacy Act 2020 covers any individual or organization’s personal information, regardless of their residential or citizenship status.

In other words, the law covers anyone who handles personal data concerning activities conducted within New Zealand or involving individuals in the country.

Requirements of the New Zealand Privacy Act 2020

Let’s walk through the main requirements of the New Zealand Privacy Act 2020.

Information Privacy Principles

The New Zealand Privacy Act 2020 outlines 13 information privacy principles (IPPs) in Section 3 of the law that covered entities must adhere to, which include:

  • IPP 1: Purpose of collection of personal information
  • IPP 2: Source of personal information
  • IPP 3: Collection of information from the subject
  • IPP 4: Manner of collection of personal information
  • IPP 5: Storage and security of personal information
  • IPP 6: Access to personal information
  • IPP 7: Correction of personal information
  • IPP 8: Accuracy of personal information to be checked before use or disclosure
  • IPP 9: Agency not to keep personal information for longer than necessary
  • IPP 10: Limits on the use of personal information
  • IPP 11: Limits on disclosure of personal information
  • IPP 12: Disclosure of personal information outside of New Zealand
  • IPP 13: Unique identifies

Covered entities must follow all of these IPPs to fully comply with the law, and they will be referenced by number throughout the rest of this guide.

Lawful Purpose for Processing Data

Under IPP 1 of the New Zealand Privacy Act 2020, businesses must establish a lawful purpose for processing personal information.

The collection of personal information must come directly from the individual unless the agency believes they have reasonable grounds to collect it from other sources, as explained in IPP 2, which include:

  • The information is publicly available
  • Collecting the information from the individual would prejudice the purpose of the collection
  • The individual authorizes someone else to provide the information for them
  • Collecting the information from another source would not prejudice the interests of the individual
  • Collecting the information from the individual would not be reasonably practicable

The collection of personal data must be necessary for the purpose explained by the business, and individuals must not be required to provide any data that is not needed to meet these goals.

Technically, the law does not list specific lawful purposes that businesses must abide by.

Instead, if the covered entity is transparent about its reasoning and minimizes the collection of data to only that needed to achieve its stated purpose, it’s considered lawful processing.

Consent

Consent from individuals is not a specified legal basis for processing under the New Zealand Privacy Act 2020.

However, consent for direct marketing is required in New Zealand per the Unsolicited Electronic Messages Act 2007.

Transferring Personal Information Internationally

Most requirements regarding the international transfer of personal data under New Zealand’s Privacy Act 2020 are described in IPP 12, which states that:

  • Transferring data internationally must be authorized by the individual.
  • The covered entity must ensure the data is transferred to a location with safeguards equal to New Zealand’s privacy law.
  • A contract exists requiring the entity to match the requirements of the law.

The Office of Privacy Commissioner retains the authority to prohibit international data transfers out of New Zealand if it’s not satisfied that the transfer is conducted on reasonable grounds to a location with comparable safeguards.

Data Protection Officer

Covered entities must appoint a Data Protection Officer (DPO) to comply with the New Zealand Privacy Act 2020.

The DPO is responsible for helping the entity adequately follow all 13 IPPs.

Security and Data Breach Notification Requirements

According to IPP 5 of the New Zealand Privacy Act 2020, covered entities must implement appropriate security measures to protect collected personal information from:

  • Loss
  • Access, use, modification, or disclosure by an unauthorized agency or party
  • Other misuse

In addition, covered entities are required to report privacy breaches within a reasonable timeframe if the breach is likely to pose a risk of serious harm to affected individuals.

New Zealand Privacy Act 2020 vs. Global Data Privacy Laws: Similarities and Differences

Several data privacy laws exist around the world, including the following:

  • California Consumer Privacy Act (CCPA)
  • Europe’s General Data Protection Regulation (GDPR)
  • Argentina Personal Data Privacy Act (Argentina PDPA)
  • Brazil’s General Data Protection Law (LGPD)
  • Thailand’s Personal Data Protection Act (Thailand PDPA)
  • Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA)
  • South Africa’s Protection of Personal Information Act (POPIA)
  • Australia’s Privacy Act 1988 (the Privacy Act)

The table below compares New Zealand’s Privacy Act 2020 to the other global privacy laws.

Data Privacy Law Requires opt-in consent* Mandates publishing a privacy policy  Outlines contractual obligations with third parties Holds businesses accountable for data security Has specific requirements for international data transfers Requires additional guidelines for categories of sensitive (special) information
Privacy Act 2020
Argentina PDPA
CCPA
GDPR
LGPD
Thailand PDPA
PIPEDA
POPIA
Privacy Act 1988

*With some exceptions for some laws.

How Does the New Zealand Privacy Act 2020 Impact Consumers?

The New Zealand Privacy Act 2020 impacts consumers by giving them the following rights over their personal information:

  • Access their data
  • Correct their data
  • Delete their data
  • Opt into direct marketing
  • Be notified if their data is involved in a privacy breach
  • Lodge a complaint with the Privacy Commissioner

These rights give people in New Zealand more control over their personal information.

Who Does the New Zealand Privacy Act 2020 Apply To?

New Zealand’s data privacy law applies to individuals and organizations operating within the country, regardless of citizenship status.

It applies to citizens, residents, visitors, and even organizations that handle personal data as part of their activities.

How Does the New Zealand Privacy Act 2020 Impact Businesses?

Beyond the lawful processing, IPPS, and DPO requirements, businesses’ privacy and cookie policies are also impacted by New Zealand’s Privacy Act 2020.

How Does the New Zealand Privacy Act 2020 Affect My Privacy Policy?

The New Zealand Privacy Act 2020 impacts privacy policies because it emphasizes transparency in handling personal information.

Covered entities must inform individuals about the purpose for which they’re collecting and using personal data and state if it’s shared with any third parties.

They must also inform users about the rights they have under the law and how to act on them.

If your business falls under this law, updating your privacy policy to ensure it includes all of these notification requirements is necessary.

How Does the New Zealand Privacy Act 2020 Affect My Cookie Policy?

New Zealand’s privacy law most likely affects your cookie policy because of the transparency requirements and the rights it gives to protected individuals.

Cookies collect personal information, and protected individuals have the right to know why those cookies collect data from them, how it’s used, and who it’s shared with.

They must also provide their consent to targeted advertising, which typically involves the deployment of internet cookies.

Ensure you update your cookie policy so it clearly explains why your website uses specific cookies and how people can follow through on their rights.

Who Must Comply With the New Zealand Privacy Act 2020?

Any business with services available in New Zealand that collects personal information from people in the country must comply with the New Zealand Privacy Act 2020, as explained in Subpart 1, Preliminary Provisions.

The act also applies to all businesses located in New Zealand.

Businesses overseas can still be considered to carry out business in the country even if no monetary payment or commercial operations occur.

Who Is Exempt From the New Zealand Privacy Act 2020?

Some exemptions to the New Zealand Privacy Act 2020 include some New Zealand government agencies:

  • Parliament
  • Courts and tribunals
  • News media in relation to collecting and reporting news

However, the law does not exempt government intelligence agencies.

How Can Businesses Prepare for the New Zealand Privacy Act 2020?

To prepare for complying with the New Zealand Privacy Act 2020, businesses should update their privacy policy to ensure all notification and transparency requirements are met.

It’s important to also update your cookie policy to ensure New Zealand residents are properly informed and know how to follow through on their right to consent to any cookies used for targeted advertising.

Implement the proper security measures to protect the personal data you collect.

Finally, appoint a DPO familiar with the law who can help ensure you’re adequately following the IPPs.

How Is the New Zealand Privacy Act 2020 Enforced?

The Office of the Privacy Commissioner (OPC) has the authority to enforce the New Zealand Privacy Act 2020 by:

  • Providing guidance to individuals and organizations on privacy issues
  • Investigating complaints about breaches of privacy
  • Monitoring compliance with the act
  • Conducting inquiries and investigations into systemic privacy issues
  • Advocating for the protection of privacy rights in New Zealand

Additionally, the Human Rights Review Tribunal has the authority to oversee complaints related to breaches of the Privacy Act 2020 and take actions to remedy the breach and/or compensate the impacted individuals.

Fines and Penalties Under the New Zealand Privacy Act 2020

Entities that violate New Zealand’s Privacy Act 2020 could receive compliance notices or access directions from the Privacy Commissioner.

Fines can reach up to $10,000 for individuals and $50,000 for organizations that commit specific offenses under the act.

The Act also provides for criminal offenses in certain circumstances, including where an Agency destroys personal information knowing that a request has been made for it.

How Does Termly Help With New Zealand Privacy Act 2020 Compliance?

Termly helps businesses comply with the New Zealand Privacy Act 2020 by providing the proper information in our Privacy Policy Generator to help you meet the transparency and notification requirements.

It asks easy questions about your business and makes a unique policy based on your answers, which you can easily embed on your website or app.

We also provide a Consent Management Platform (CMP) configurable to meet the opt-in consent requirements for targeted advertising outlined by the law.

Several other privacy-related laws exist in New Zealand besides the New Zealand Privacy Act 2020, including the following:

Summary

If your business is subject to the New Zealand Privacy Act 2020, make sure you take the following steps to help with compliance:

  • Update your privacy and cookie policies to meet notification and transparency guidelines and allow users to opt into targeted advertising.
  • Implement security measures to protect the data from unauthorized breaches or access.
  • Appoint a DPO to help you comply with all IPPs described by the law.
  • Only collect data for the lawful purpose described in your privacy policy, and do not collect more than required or retain it for longer than necessary.
  • Establish a way for users to act on their rights to access and correct their data, like using a Data Subject Access Request form on your site.

You can make it extra easy to comply with New Zealand’s privacy law by using our Privacy Policy Generator and Consent Management Platform.

James Ó Nuanáin, CIPP/E, CIPM, CIPT
More about the author

Written by James Ó Nuanáin, CIPP/E, CIPM, CIPT

James is an Information Privacy Professional with over seven years of experience assisting large organizations comply with their obligations under the GPDR and other local privacy regulations. He is passionate about data privacy and the intersection between law and technology. More about the author

Related Articles

Explore more resources