
Your personal information is valuable, and New Zealand's privacy laws exist to protect it. But what exactly can businesses do with your data, and what are they forbidden from doing? With significant changes coming into force on 1 May 2026, now's the time to understand your privacy rights and what organisations must do to comply.

Understanding New Zealand's Privacy Framework

New Zealand's privacy protection is governed by the Privacy Act 2020, which sets out 13 Information Privacy Principles (IPPs) that regulate how organisations collect, use, store, and share your personal information[9]. These principles apply to both government agencies and private businesses, ensuring that whether you're dealing with your bank, your employer, or your local council, your data is handled responsibly.

The Privacy Act is administered by the Office of the Privacy Commissioner, an independent authority that investigates complaints, issues guidance and compliance notices, and can refer unresolved cases to the Human Rights Review Tribunal. If you believe an organisation has misused your personal information, you can lodge a complaint with the Privacy Commissioner at no cost.

Infographic: Privacy Rights NZ: What Businesses Can and Can't Do (key facts and figures at a glance)

What Businesses Can Do With Your Data

Collect Information Directly From You

Organisations can collect personal information directly from you when you provide it voluntarily, such as by filling out a form, making a purchase, or signing up for a service. When they do, they must be transparent about it. They're required to tell you why they're collecting the information, what they'll do with it, and who they might share it with[1].

Use Information for Stated Purposes

Businesses can use your personal information for the purposes they told you about when they collected it. For example, if you provide your email address to receive a newsletter, they can use it to send you that newsletter. They can't then sell your details to a third party, or use your email address for an unrelated purpose, without your consent.

Share Data With Service Providers

Organisations can share your information with third parties who help them deliver services, such as payment processors, delivery companies, or IT support providers. However, they must have appropriate agreements in place to ensure these service providers handle your data securely and responsibly. Under the Act, information held by a service provider on an organisation's behalf is treated as still held by that organisation, so the organisation remains responsible for how it is protected.

Collect Information Indirectly (With New Obligations)

Businesses can also collect your personal information from third-party sources, such as purchased email lists, lead generation partners, or data brokers, where an exception to the direct-collection principle (IPP2) applies. From 1 May 2026, they face new and significant notification obligations when they do so, under the new Information Privacy Principle 3A (IPP3A)[1][4].

What Businesses Can't Do With Your Data

Collect Information Without Transparency

Organisations cannot collect your personal information secretly or without letting you know. They must be upfront about data collection and provide clear privacy notices explaining what they're doing with your information.

Use Your Data Beyond Agreed Purposes

If you've given permission for your data to be used for one purpose, businesses can't use it for something completely different without asking you first. For example, if you provide information for a product warranty, they can't use it for direct marketing without your consent.

Share Data Without Your Knowledge

Organisations cannot share your personal information with other companies or organisations without telling you who they're sharing it with and why. Vague statements like "we may share your data with business partners" are no longer sufficient under the new rules[5].

Ignore Your Access and Correction Rights

You have the right to request access to your personal information and ask for corrections if it's inaccurate. Businesses must respond to these requests within a reasonable timeframe (usually 20 working days). They can't simply refuse or ignore your requests.

Hold Onto Data Indefinitely

Organisations must not keep your personal information longer than necessary. Once they no longer need it for the stated purpose, they should delete or securely destroy it.

The Major 2026 Privacy Law Change: IPP3A Explained

What Is IPP3A?

On 1 May 2026, a new Information Privacy Principle 3A (IPP3A) comes into force, marking the most significant update to New Zealand's privacy laws since 2020[3]. IPP3A introduces new notification requirements when organisations collect your personal information indirectly, meaning from sources other than you[1][4].

Previously, the Privacy Act only required organisations to notify you when collecting information directly from you. IPP3A closes this transparency gap by requiring notification even when your data comes from third parties[4].

What Must Businesses Tell You?

Under IPP3A, organisations collecting your information indirectly must take reasonable steps to notify you as soon as practicable. They must tell you[1][2][5]:

  • That your personal information has been collected
  • The organisation's name and address
  • Exactly what information was collected (not vague descriptions)
  • The specific purposes for collection (not generic "business purposes")
  • The names of organisations the data will be shared with
  • Your rights to access and correct your information
  • Any legal authority for the collection

Crucially, simply updating a privacy policy isn't enough. Organisations must proactively contact you directly to provide this information[4]. For example, if a business purchases your email address from a data broker, they must notify you about this collection in their first communication with you.

Who Is Affected?

IPP3A applies to all organisations in New Zealand, from large corporations to small businesses, charities, and government agencies. Any organisation that collects personal information indirectly must comply[1].

Are There Exceptions?

Yes, IPP3A includes exceptions where notification isn't required. Among other cases, organisations don't need to notify you if the information is[1]:

  • Publicly available
  • Collected for national security or international relations purposes
  • Related to trade secrets or commercial factors
  • Necessary to prevent serious risks to public health or safety

Practical Examples: What This Means for You

Email Marketing

A business purchases an email list from a data broker and wants to send you marketing emails. Under IPP3A, they can't just start emailing you. They must first notify you that they've obtained your email address from a third party, explain what information they collected and why, and tell you who they will share it with[5]. Consent to receive marketing emails is a separate matter, governed by the Unsolicited Electronic Messages Act 2007.

Credit Checks

A lender obtains information about you from a credit reporting agency. They must notify you about this collection and tell you what information was gathered and how it will be used.

Insurance Applications

An insurance company collects information about you from previous insurers or medical providers. They must notify you about what information was collected and from whom.

Your Privacy Rights in Action

Right to Access

You can request to see what personal information an organisation holds about you. They must respond within 20 working days (or a reasonable extension). There is usually no fee: public sector agencies cannot charge, and private organisations may charge only a reasonable amount in limited circumstances.

Right to Correct

If information about you is inaccurate or incomplete, you can ask the organisation to correct it. If they disagree, you can request that they note your correction request on your file.

Right to Privacy

You can opt out of direct marketing; for commercial electronic messages, the Unsolicited Electronic Messages Act 2007 requires a working unsubscribe facility. You also have the right to be told, at the point of collection, who will receive your data and why, and to ask what an organisation holds about you.

Right to Complain

If you believe an organisation has breached your privacy, you can lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz. The Privacy Commissioner can investigate, try to settle the complaint, issue compliance notices, and refer the matter to the Human Rights Review Tribunal, which can award damages.

What Organisations Must Do to Comply

Businesses have until 1 May 2026 to prepare for IPP3A. They should[1]:

  • Review their data collection practices to identify all instances where they receive personal information from third parties
  • Update privacy policies to reflect indirect collection scenarios and new notification obligations
  • Revise contracts with data suppliers and partners to address IPP3A compliance
  • Implement new systems and processes to ensure proactive notification to individuals
  • Train staff on the new requirements and update internal procedures

The Office of the Privacy Commissioner has released draft guidance on IPP3A implementation, with final guidance expected. Organisations should consult this guidance to ensure full compliance.

Taking Control of Your Privacy

Understanding your privacy rights is the first step in protecting your personal information. New Zealand's privacy laws give you real protections, and the 2026 changes strengthen these further by requiring greater transparency about indirect data collection.

Here's what you can do now:

  • Review privacy notices from organisations you deal with regularly
  • Exercise your rights by requesting access to your personal information if you're curious about what organisations hold
  • Opt out of direct marketing if you don't want to receive unsolicited messages
  • Report concerns to the Privacy Commissioner if you believe your privacy has been breached
  • Stay informed about the IPP3A changes coming into force on 1 May 2026

Your personal information belongs to you, and New Zealand's privacy laws exist to ensure organisations treat it with the respect it deserves. With clearer rules and stronger notification requirements coming into force this May, you'll have even greater visibility and control over how your data is used.

Frequently Asked Questions

Not for most purposes. Organisations must have a lawful basis for collecting and using your information. For direct marketing by email or text, they need your express, inferred or deemed consent under the Unsolicited Electronic Messages Act 2007. For other uses, they must be transparent about their purposes and generally need your agreement.

Contact the organisation first and ask them to explain their actions. If you're not satisfied, lodge a complaint with the Office of the Privacy Commissioner. You can do this online at privacy.org.nz, and there's no cost involved.

Not without your knowledge and consent. If an organisation wants to share your information with another company for a different purpose, they must tell you who they're sharing it with and get your agreement first.

Only as long as necessary for the purposes they've told you about. Once they no longer need it, they must delete or securely destroy it. Some information may need to be kept longer for legal or accounting reasons, but organisations must be transparent about this.

The Privacy Commissioner can investigate complaints and take enforcement action. Organisations that breach privacy principles may be ordered by the Human Rights Review Tribunal to pay damages to affected individuals, and those awards can reach up to $350,000 per affected person[5].

Yes. If your bank or KiwiSaver provider collects information about you from third parties (such as credit reporting agencies or other financial institutions), they must notify you under IPP3A. However, IPP3A covers collection only; how they use information they already hold about you is governed by the existing principles on purpose of use and disclosure.