The New Zealand Privacy Act 2020 came into force on December 5, 2020. The NZ Privacy Principles require you to inform website users located inside New Zealand about your website’s use of cookies and trackers, as well as how you are processing their personal information, and why.
In December 2020, New Zealand’s Privacy Act 2020 replaced the 1993 version with a stronger data privacy regime, including higher fines set at $10,000, stronger cross-border data protection and new data breach requirements.
In this blog post, we break down the NZ Privacy Act 2020 and shed light on what you need to know. Learn what you need to implement for your website and how to manage website cookies in compliance with New Zealand’s data privacy regime.
Privacy Act 2020 requires you to inform website users about your website’s use of cookies and its processing of personal information.
New Zealand is also one of only 12 nations worldwide to have an adequacy agreement with the EU, ensuring unrestricted, free flow of personal data to and from the two. In December 2020, a new and amended NZ Privacy Act 2020 took effect, strengthening cross-border regulations, data breach requirements and more.
In short, New Zealand’s Privacy Act 2020 governs all handling of personal information through the 13 NZ Privacy Principles, requiring you to notify and inform website users about collection, use and sharing of their personal information and empowering them with the right to access and correct their data. This is enforced by the Privacy Commissioner and applies to all websites, companies or organizations that handle personal information from inside New Zealand, regardless of where in the world they themselves are located.
Advice for your website requirements and Cookie WordPress plugin
We advise you to seek professional advice to create your company privacy policy. Next, publish this information to your website. Once this is done, you will need to have a cookie notice plugin installed or contact a cookie notice website service. You can contact https://www.cookiebot.com/. If you have a WordPress website, you could use the GDPR Cookie Consent (CCPA Ready) WordPress plugin. Or copy and paste the text below into the footer of your homepage.
This website uses cookies to ensure you get the best experience. Learn about cookies. Read Privacy Policy
Example below of Cookie notice display on a website
Example below of Cookie notice at www.google.co.nz
Google uses cookies and other data to deliver, maintain, and improve our services and ads. If you agree, we’ll personalize the content and ads you see based on your activity on Google services like Search, Maps, and YouTube. We also have partners that measure how our services are used. Click “See more” to review your options or visit g.co/privacytools anytime.
Other Cookie notice message examples
- This website uses cookies to ensure you get the best experience. Learn about cookies. Read Privacy Policy
- This website uses cookies. Cookies remember you so we can give you a better online experience. Learn more. OK
- This site uses cookies for analytics and personalized content. For more information visit our Privacy Policy Settings Allow cookies
- We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. Cookie settings ACCEPT
- This website uses cookies to ensure you get the best experience. Learn more Cookie settings OK
- We use cookies so that Dropbox works for you. By using our website, you agree to our use of cookies. Learn more
NZ Privacy Act 2020 quick breakdown:
- NZ Privacy Act 2020 took effect on December 5, 2020. It repeals and replaces the older Privacy Act 1993.
- NZ Privacy Act 2020 governs all collection, processing, use and sharing of personal information from individuals located inside the territory of New Zealand.
- NZ Privacy Act 2020 defines personal information broadly as information about an identifiable individual.
- NZ Privacy Act 2020 applies to any website, company or organization (“agency” in the law) that collects, uses, shares or stores personal information from individuals inside New Zealand. This means that if your website is located outside New Zealand, but you have visitors from inside the country, you’re required to comply with the NZ Privacy Principles.
- NZ Privacy Act 2020 works through 13 Privacy Principles that map out the legal framework for handling personal information from inside New Zealand, among others the requirement to inform users about your website’s data collection, its purposes and who you share it with.
- NZ Privacy Act 2020 empowers users inside New Zealand with the right to access personal data which has been collected from them, and the right to correct it if inaccurate.
- Transfer of personal information outside of New Zealand is governed by adequacy principles in the NZ Privacy Act 2020. Cross-border data flow is only permitted if data can be protected by comparable privacy standards by the recipient.
- Fines for non-compliance with the NZ Privacy Act and NZ Privacy Principles can reach $10,000.
- NZ Privacy Act 2020 is enforced by the Office of the Privacy Commissioner.
Website Cookies, trackers and the NZ Privacy Act 2020
Cookies and trackers are the most common way for websites to process personal information.
Most websites in the world process data that is defined as personal, meaning data that is able to identify a living person, either directly or indirectly through inference.
Personal information under New Zealand’s Privacy Act 2020 is defined very broadly as “information about an identifiable individual”, and this includes data that is commonly collected and processed by third-party trackers and cookies used by social media platforms (e.g., via a like button on your domain) or marketing services (e.g., advertisement on your website).
Cookies and trackers can be notoriously difficult to detect and control without any assisting technology, especially considering that:
- 72% of cookies are hidden inside other cookies – also known as trojan horses.
- 18% of cookies hide even deeper inside other hidden cookies, sometimes loaded by eight other cookies.
- 50% of trojan horses will have changed upon repeated visits by users.
Source: Cornell University Beyond the Front Page, a 2020 study of more than ten thousand websites and their use of cookies.
Ultimately, the legal responsibility under New Zealand’s Privacy Act 2020 and its NZ Privacy Principles rests with the website owner and operator. They must ensure the website is in compliance with the notification and information collection requirements, including (but not limited to) always having an updated privacy policy with all required information.
The 13 NZ Privacy Principles
New Zealand’s Privacy Act 2020 revolves around 13 Privacy Principles. Together, they form a map of the legal way to collect, process, share, store (and in any other way handle) the personal information of users located inside New Zealand. The 13 Privacy Principles are:
- Purpose for collection
- Source of information
- What to tell an individual
- Manner of collection
- Storage and security
- Access
- Correction
- Accuracy
- Retention
- Use
- Disclosure
- Disclosure outside New Zealand
- Unique identifiers
Website owners and operators should be particularly aware of NZ Privacy Principle 3.
Most websites collect and process personal information from their website visitors through cookies and trackers. These cookies are embedded on their domain via analytics software, marketing services or social media integrations.
NZ Privacy Principle 3 is the part of the law that requires you to make sure that your website’s users from New Zealand are made aware:
- That you collect personal information from them.
- Of the purposes for which their personal information is being collected by your website.
- Of whom you share their personal information with, including the name and address of the agency collecting the information and the agency who will store the information.
Practical example of NZ Privacy Principle 3
If your website uses a third-party service to get statistics about user visits on your domain (like Google Analytics) or uses a third-party marketing service (like HubSpot), third-party cookies and trackers will be embedded and in operation on your website.
These cookies and trackers collect and process personal information from users – such as IP addresses, unique IDs, search and browser history, among many other kinds of data.
Under the NZ Privacy Act 2020 and the NZ Privacy Principle 3, you are required to notify users of all cookies and trackers and inform users about what kind of personal information they collect, how you use the data and who you share the data with, where it is stored and for how long.
When using third-party services, like Google Analytics or HubSpot, you need to inform your users about the third-party cookies and trackers that these services set on your domain; including what kind of data they collect, for what purposes, for how long the data is retained, and where in the world it is sent to and stored.
You are also required to notify and inform users about these things before any personal information has been collected (with exceptions).
NZ Privacy Act 2020, in detail
Let’s look at the New Zealand Privacy Act 2020 and its NZ Privacy Principles in closer detail, including what kind of data “personal information” covers, what the 13 NZ Privacy Principles are, and what new amendments have been made to the law in December 2020.
NZ Privacy Act 2020 and personal information
Personal information in New Zealand is any kind of data that can identify an individual.
This includes the more obvious information, such as:
- name, address
- telephone number
- social security numbers
- date of birth
- signature
- passport numbers
- racial or ethnic information
- political opinions and religious beliefs
- sexual orientation
- health, genetic and biometric information
But also the not-so obvious yet very common information, such as:
- IP-addresses.
- Unique IDs set by Google-cookies and other third-party services.
- Search and browser history.
- Data about device, operating systems, updates etc.
- Location data.
- Purchase and online shopping history.
- Settings and website preferences.
- Behavioral data, such as speed of scrolling and hovering of mouse and cursor.
Your website might not be collecting or processing much data from the more obvious set, such as passport numbers and sexual orientation of your users, but it almost certainly collects data from the not-so obvious set, namely information about your users’ online presence, their devices, history of preference and behavior on the Internet.
This is personal information – and most third-party cookies and trackers in the world have it as their mission to collect exactly such kind of data for their operations, be it analytics, advertisement or social media interactions.
If your website is in contact with such data through its cookies and trackers, you are required by New Zealand’s Privacy Act 2020 and its NZ Privacy Principles to notify users before collection and inform them of what, why and who you share it with.
NZ Privacy Principles
Of the 13 NZ Privacy Principles, let’s look at the most relevant for your website and its use of cookies and personal information collection.
All 13 NZ Privacy Principles are vital for full compliance with the New Zealand Privacy Act 2020, but we’ll focus particularly on the ones that are paramount to websites that process personal information via cookies and trackers.
For a full overview of the 13 New Zealand Privacy Principles, visit the Office of the Privacy Commissioner website.
NZ Privacy Principle 1 concerns the purpose of collection
- Your website is required to only collect personal information if it is for a lawful purpose, meaning in connection with and necessary for the functions and activities of your website.
- In other words, you’re not allowed to collect information from users that is not relevant to your website and its function and content.
- This purpose of collection is also part of the information that you are required to notify users about before collecting data from them.
NZ Privacy Principle 2 concerns the sources of personal information
- Personal information should always be collected directly from the individual.
- This is often the case anyway online, since your website will collect data from the user themselves, when they land on and move around on your domain.
NZ Privacy Principle 3 concerns the information requirement to users
- Your website must be open about why you are collecting personal information and what you will do with it.
- Your website is required to notify its users about: why the data is being collected, who it will be shared with, whether collection is compulsory or voluntary, what can happen if the data is not collected.
- Offering a clear overview of such information to your users via your privacy policy is a good way to ensure that your website meets the notification and information requirements.
NZ Privacy Principle 4 concerns the way you collect personal information
- Your website must only collect personal information in a way that is fair and legal.
- Unfair and illegal ways of collecting personal information include threatening, coercing or misleading users into giving out their personal information.
NZ Privacy Principle 5 concerns the storage and security
- Your website must ensure safeguards around personal information collected from individuals, e.g. to ensure secure storage and prevent loss, misuse or disclosure of their data.
NZ Privacy Principle 6 concerns a user’s right to access their personal information
- Users have the right to request access to the personal information that you have collected about them, e.g. through your website’s cookies and trackers.
- You must provide means of requesting access, e.g. a link or an e-mail address.
NZ Privacy Principle 7 concerns a user’s right to correct their personal information
- Users have the right to request corrections to the personal information that you have collected about them, e.g. through your website’s cookies and trackers.
- You must provide means of requesting access, e.g. a link or an e-mail address.
NZ Privacy Principle 8 concerns the accuracy of personal information
- Users have the right to request corrections to the personal information that you have collected about them, e.g. through your website’s cookies and trackers.
- You must provide means of requesting access, e.g. a link or an e-mail address.
NZ Privacy Principle 9 concerns the retention (i.e. for how long you store data)
- Your website is not allowed to store and use personal information for longer than necessary to fulfill the purpose intended by the collection of the data in the first place.
- As an example, your website is not allowed to keep personal information about a user that was collected only to be used in the session in which they visited your website.
NZ Privacy Principle 10 concerns the use of personal information
- Your website is only allowed to use collected personal information for the purpose already given to the individual before collection.
- Using personal information for longer or for different purposes requires you to notify and inform the user again.
NZ Privacy Principle 11 concerns the disclosure of personal information
- Your website is only allowed to use collected personal information for the purpose already given to the individual before collection.
- Using personal information for longer or for different purposes requires you to notify and inform the user again.
NZ Privacy Principle 12 concerns the cross-border disclosure of personal information
- Your website is only allowed to send personal information from users inside New Zealand to other countries, if the data privacy laws in the recipient’s country provide comparable security and can protect the data adequately.
- As an example, your website can use New Zealand’s Privacy Act 2020 model contract clauses template to do so.
NZ Privacy Principle 13 concerns unique identifiers
- Your website is only allowed to assign unique identifiers (individual identification sequences, such as a driver’s license or a unique ID from a third-party cookie) when it is necessary.
- In other words, collecting personal information through technologies that assign unique identifiers must be done with care. Make sure to inform your users about exactly what kind of data you intend to collect, how, why and who you share it with.
What’s new in NZ Privacy Act 2020
On December 5, a new and amended version of the NZ Privacy Act went into effect, repealing and replacing the 1993 version.
The new amendments to the NZ Privacy Act include:
- Stronger data breach security and control – if your website experiences a data breach (e.g. an unintended disclosure of personal information from its users), you are required to notify the individuals affected and the Privacy Commissioner.
- Stronger enforcement tools for the Privacy Commissioner.
- Decisions on access requests will now be made by the Privacy Commissioner and not the Human Rights Review Tribunal.
- Stronger cross-border transfer regulations – your website must take steps to ensure that personal information transferred out of New Zealand is protected adequately and to a standard comparable to New Zealand’s data privacy standards.
- Stronger fines for non-compliance – of up to $10,000.
- Class action lawsuits for non-compliance.
Visit the Privacy Commissioner for an overview of the new amendments in the NZ Privacy Act 2020.
Summary of New Zealand’s Privacy Act 2020
New Zealand’s Privacy Act 2020 and its NZ Privacy Principles govern all handling of personal information from individuals inside the country and map out the legal way for your website to collect, use and share such data.
The NZ Privacy Act 2020 requires your website to notify and inform users in New Zealand of your website’s intended collection of personal information, including the purposes for which you collect and who you will be sharing it with (e.g. Google or Facebook).
NZ Privacy Act 2020 FAQ
What is New Zealand’s Privacy Act 2020?
The New Zealand Privacy Act 2020 is the country’s national data privacy law in effect since December 2020. The NZ Privacy Act 2020 repeals and replaces the Privacy Act of 1993 with stronger requirements for websites, companies and organizations who handle personal information from inside the territory of New Zealand.
Who does the NZ Privacy Act 2020 apply to?
New Zealand’s Privacy Act 2020 applies to any website, company, organization or individual who collects personal information from individuals located inside the territory of New Zealand. Even if your website is not located in New Zealand, but you have visitors from the country and you handle their personal information via cookies and trackers on your domain, you are required to comply with the New Zealand Privacy Act 2020.
Is my website compliant with the NZ Privacy Act 2020?
The New Zealand Privacy Act 2020 requires your website to know of all cookies, trackers and similar technologies that collect, use or share personal information from individuals inside New Zealand, and to notify and inform users about this before collection begins, including what kind of data is to be collected, for what purposes and with whom you share it.
How can I manage user consents on my website?
Using Cookiebot CMP as your consent solution gives you deep-scanning technology that detects all cookies and trackers on your website. Cookiebot CMP offers automatic control of your domain’s personal data processing in compliance with all major data privacy laws, like the EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA, Singapore’s PDPA and New Zealand’s Privacy Act 2020.
NZ Privacy Act 2020 Resources
- New Zealand’s Privacy Act 2020 (official law text)
- New Zealand Privacy Commissioner
- New Zealand’s Privacy Principles overview
- A guide to your responsibilities under the New Zealand Privacy Act 2020
- NZ Privacy Act 2020 enters into force (IAPP)
Source: https://www.cookiebot.com/en/new-zealand/