
Privacy and data protection continue to be a major focus for New Zealand individuals and businesses. With the increasing use of digital systems, cloud storage, AI tools, and online customer platforms, businesses are collecting more personal information than ever before. Recent changes to the Privacy Act 2020, including amendments introduced through the Privacy Amendment Act 2025, mean that organisations must take greater care when collecting, storing, and using personal information.

One of the most significant developments is the introduction of new Information Privacy Principle 3A (“IPP 3A”), which came into force on 1 May 2026. The new rule applies where a business collects personal information indirectly — that is, from someone other than the individual concerned. Examples include obtaining customer data from a third-party marketing provider, referral partner, public database, or social media platform. Under IPP 3A, businesses must take reasonable steps to ensure individuals are informed about the collection of their information and how it will be used.

For many small businesses, this represents a shift toward greater transparency obligations. Businesses that rely on mailing lists, online lead generation, recruitment platforms, or shared customer databases should review their privacy policies and data collection practices now.

Importantly, privacy obligations apply to businesses of all sizes. Even small businesses holding customer contact details, employee records, or payment information can face complaints, reputational damage, and legal consequences if privacy obligations are not met.

Businesses should consider taking the following practical steps:

  • Review and update privacy policies;
  • Audit how personal information is collected and stored;
  • Ensure staff are trained on privacy obligations and phishing risks;
  • Put procedures in place for responding to data breaches;
  • Review agreements with third-party service providers; and
  • Assess whether customer consent processes remain compliant.

Privacy compliance is no longer simply an IT issue — it is now a core governance and risk management responsibility for business owners and directors.

If you would like advice on reviewing your business privacy practices, our team would be happy to assist.