New Zealand Website Legal Requirements — Privacy Act 2020 and What to Display

Many New Zealand business owners launch a website and add a privacy policy as an afterthought — or copy one from a foreign template that does not reflect New Zealand law. Since the Privacy Act 2020 replaced the 1993 Act, the legal obligations on New Zealand websites have become more specific and the consequences of non-compliance more significant. This guide covers what your New Zealand business website must display and why.

Privacy Act 2020 — The Key Changes

The Privacy Act 2020 came into force on 1 December 2020. The two most significant changes for website operators are:

• Mandatory privacy breach notification — if your business suffers a privacy breach that causes or is likely to cause serious harm, you must notify both the Privacy Commissioner and the affected individuals. This applies to data collected through your website, including contact forms and email lists.
• Stronger individual rights — individuals have an enhanced right to request access to their personal information, correct it, or have it deleted.

The Act establishes 13 information privacy principles that govern how personal data is collected, stored, used, and disclosed. Your privacy policy must be written to reflect these principles in plain language, not legal boilerplate from a US or UK template.

What Your Privacy Policy Must Cover

A Privacy Act 2020-compliant privacy policy for a New Zealand website should clearly state:

• What personal information is collected and why
• How the information is stored and protected
• Who it may be shared with (including any overseas processors such as Google Analytics or Mailchimp)
• How individuals can request access to or correction of their information
• Your contact details for privacy-related enquiries

Fair Trading Act and Consumer Guarantees Act

The Fair Trading Act 1986 prohibits misleading and deceptive conduct in trade, including on websites. This means pricing must be accurate, claims about your product or service must be substantiated, and testimonials must be genuine. The Consumer Guarantees Act 1993 applies to business-to-consumer transactions and cannot be contracted out of for consumer sales — your terms and conditions cannot override statutory consumer guarantees, so do not copy overseas terms that attempt to do so.

The Unsolicited Electronic Messages Act 2007

New Zealand's anti-spam law — often called the Spam Act — requires that commercial electronic messages sent to New Zealand recipients must contain the sender's identity, a physical or electronic address, and an unsubscribe mechanism. If your website collects email addresses for marketing, your sign-up process must include clear consent to receive commercial messages, and every marketing email must include a functioning unsubscribe link.

NZBN and Business Identity on Your Website

While there is no blanket legal requirement to display your New Zealand Business Number on your website, displaying your NZBN in your footer or on your contact page is strongly recommended. It confirms your business is registered with the New Zealand Companies Office and provides an immediate trust signal to customers who can verify your registration at nzbn.govt.nz. For GST-registered businesses, displaying your GST number is standard practice and expected by B2B clients.