Reading time: 5 minutes

When you deal with customers, you will likely handle their personal information in some way. This is doubly likely for an e-commerce business that collects a wide variety of personal data. Your business must take the necessary steps to protect this kind of information, and customers have more confidence in businesses that value their privacy. You have certain obligations under the law when dealing with private information, and you need to reflect that in your business practices. This article will explain what kind of personal data your e-commerce business need to take extra precautions with, and what those precautions may be.

What Is Personal Information?

If your e-commerce business deals with personal data, NZ privacy law applies to you. This happens regardless of whether you have a physical or legal presence here. Personal information is information that can be used to identify a person, such as:

  • full names;
  • IP addresses;
  • physical addresses;
  • email addresses;
  • photos; and
  • financial information.

What Are My Privacy Obligations as an E-Commerce Business?

If you deal with personal information, you should tell your customers that you do so. You have to let them know:

  • how;
  • when; and 
  • why you are using it.

This also applies to sensitive information about your employees. You have specific obligations that apply to how you collect, store, and use this information. There are also more specific requirements about how you deal with personal data:

  • if a privacy breach occurs, then you have to notify the Privacy Commissioner;
  • all businesses need to have a privacy officer. This is just someone who tracks your business’s privacy concerns and makes sure you are fulfilling your privacy obligations;
  • you should have a privacy policy letting customers know what data of theirs you are using; and
  • on your website, you should have a privacy statement clearly setting out how you protect your customers’ private information. You can use this tool to create one.

Handling Personal Data as an E-commerce Business

There are three main ways that you deal with personal data as an e-commerce business. These are:

Collecting Data as an E-commerce Business

When you collect personal data from customers, you can only collect information that is necessary for your business purposes. You cannot collect what you do not need.

For example, you can collect data about a customer’s physical address for delivery purposes. You cannot do so just because you think it would be useful information to have.

You also need to be upfront about how you are collecting data. If your website collects location data from its users, you need to make this known in your privacy policy. The information you collect ideally needs to be taken directly from the customer it is about, and it needs to be accurate.

Storing Data as an E-commerce Business

You have to store the sensitive data you collect somehow, and with an e-commerce business, it is not as simple as keeping it in a locked drawer. For example, you are responsible for making sure your customers’ personal information is safe and protected against any cybersecurity threats. You can do this by:

  • making sure that all sensitive data is encrypted and password protected;
  • restricting access to sensitive files;
  • using a secure payment system;
  • keeping software up to date;
  • choosing the right cloud service;
  • having anti-malware software on all staff devices;
  • using a secure network;
  • having a response plan if things go wrong;
  • backing up data;
  • having two-factor authentication; and
  • setting up logs so that you can track all dealings with customers’ personal information.

Using Data as an E-commerce Business

You have to be transparent with customers about how you intend to use their personal data. Generally, you cannot disclose this information to third parties unless:

  • you have permission;
  • sharing the information is why you collected it in the first place;
  • the data is going to be shared in a way that does not identify the person. For example, talking about a customer’s experience with your staff without identifying the customer; or
  • you need to share the information for a legal matter.

You must also make sure that customers have the chance to see and edit what personal information you have stored about them. If they request to see it, you have to action that request within 20 working days.

Key Takeaways

Customers will value businesses that make an effort to be transparent about how they deal with personal information and show that they care about consumer privacy. You need to make sure that you are upfront about what customer information you are collecting, and what you are using it for. You also need to make sure that you have appropriate security measures on your site to protect sensitive customer data. If you would like more information or help with your ecommerce business’s privacy concerns, contact LegalVision’s IT lawyers on 0800 005 570 or fill out the form on this page.


What is personal information?

Personal information is information that can be used to identify someone. This could be email addresses and phone numbers, as well as photos of people.

How can my e-commerce business protect my customers’ personal data?

You can protect your customers’ personal information by making sure you have appropriate encryption on sensitive data. It should be password-protected and be protected against cybersecurity threats.

What do I need in my privacy policy?

You need to tell customers how you are using their personal information, and why. You also need let them know what information you are collecting.

What do I need to do if there has been a privacy breach at my business?

If you have found a privacy breach, you should use the Notify Us tool on the privacy commissioner’s website. This will determine if the breach is serious, and you will be fulfilling your privacy obligations under NZ law.

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2019 Top 25 Startups - LinkedIn
  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2022 Law Firm of the Year Winner 2022 Law Firm of the Year - Australasian Law Awards