Most businesses that collect information from customers will legally need a privacy statement. Having a clear policy in place will help you comply with the Privacy Act and manage business risks. Further, it ensures that your customers are aware of:

  • which information you collect from them; 
  • how you store their data; and 
  • what you use it for.

Telling website visitors how your business collects and uses their personal information is good practice and helps you build public trust and confidence. This article explains what you should include in your website privacy statement to comply with New Zealand law.

What Is a Privacy Statement?

Your website privacy statement should outline how your business collects and manages your users’ personal information and how you will respect their privacy. It gives your visitors confidence that they can trust you to hold their data, and it helps protect your business. You must ensure that your privacy statement complies with the principles outlined in the Privacy Act.

When writing a privacy statement, you should be clear and explicit so that any user can understand it. Your privacy statement should describe:

  • exactly what personal information you collect;
  • the purpose behind it; 
  • whether your business discloses personal information to outside parties or overseas entities; 
  • how individuals can access their personal data; 
  • any consequences of not receiving the requested information, for example, if you are unable to provide specific services as a result; 
  • reassurance that people’s data is kept secure; and 
  • the length of time you will keep the data for and how you will dispose of it.

You can use the New Zealand Privacy Commissioner’s online tool to draft your privacy statement. If you are not sure whether you have a valid purpose for collecting information from your website users or how long you should keep the data for, you should seek legal advice.  

Tip: You need a purpose related to a function of your business for each piece of information you collect. The information you collect must be necessary for these purposes and needs to support your business in a clearly defined way. If you do not actually need the information, it is better to not collect it, especially from children and young people. 

When Do You Need a Privacy Statement?

Almost everyone who holds personal information about their website users needs to have a privacy statement. The Privacy Act refers to this as an agency, and it includes public or private sector organisations. 

The Act broadly defines information, and it includes: 

  • contact details such as name and address;
  • physical documents such as written records or photos;
  • electronic documents such as email address, audio and video recordings; and 
  • information held in the mind of your employees, as long as that information is readily retrievable.

If you can use the information to identify a living person, it is considered “personal information” by New Zealand law, even if no names appear. The information does not need to be secret or sensitive. 

You may handle personal information while conducting some of these activities:

  • providing services;
  • running marketing campaigns;
  • handling customer complaints;
  • managing your employee records;
  • running your website; 
  • using tools that collect information from your website, such as website analytics, online forms, or chat widgets; and
  • sending email newsletters.

Before you use or disclose personal information, you must take reasonable steps to check its accuracy and completeness. You also need to make sure it is relevant, up to date and not misleading.

Tip: When collecting information, it is almost always best to get it directly from people themselves rather than third-party sources if you can. By knowing what information you have and what you’re doing with it, people are far less likely to be surprised or upset.

Key Takeaways

Under New Zealand law, you must have a privacy statement or policy in place if you are a public or private sector organisation unless you are exempt under the Privacy Act. A website privacy statement informs your users about what type of data you collect from them and what you do with that data. It also generally provides information about how you collect this data, such as whether it is through a form of cookies on your website. Your privacy statement should include your policy for storing user data, who has access to it and the process to request access. You should also provide your contact information so that users can contact you if they have any questions. You may also want to give them the option to opt out if they disagree with the policy, and tell them what security measures you take to safeguard their data. This will make your policy stronger.

If you need help with drafting or reviewing your website’s privacy statement, LegalVision’s IT lawyers can help. Call 0800 005 570 or fill out the form on this page.

FAQs

Do you need a privacy statement on your website?

Almost everyone who holds personal information about their website users needs to have a privacy statement. The Privacy Act refers to this as an agency, and it includes public or private sector organisations.

What do you write in a privacy policy?

Your privacy statement should describe precisely what personal information you collect from your website users and why. The statement should also include whether your business discloses personal information to outside parties or overseas entities and how people can access their personal data. You should include if there are any consequences of not receiving the requested information, for example, if you are unable to provide specific services as a result. You can make your policy stronger by reassuring people that their data is kept securely and informing them about how long you will keep the data and how you will dispose of it.

Can your users opt out of your data collection?

It is best practice to provide an opt-out notice for users that do not agree with your privacy statement.

How do you write a privacy policy for an app or online store?

While you can write a standard privacy policy using an online generator such as the New Zealand Privacy Commissioner’s online tool, you should seek legal advice if you want to customise it to the specific needs of your app or online store, and ensure it is legally valid and you are adequately protected.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
