Cookie consent in New Zealand / Aotearoa

Consent and privacy law in New Zealand / Aotearoa

In short

New Zealand's Privacy Act 2020 modernised the earlier 1993 law and is enforced by the Office of the Privacy Commissioner. It is built on 13 information privacy principles and emphasises notice, purpose limitation, and reasonable handling rather than blanket opt-in consent. Notable features are mandatory notification of privacy breaches that cause serious harm and a new cross-border transfer principle. Direct fines are relatively low by global standards, capped at 10,000 New Zealand dollars per offence, but the Commissioner can issue compliance notices and individuals can seek compensation through the Human Rights Review Tribunal. New Zealand holds EU adequacy. Cookies that identify users are personal information.

Status

Privacy Act 2020 in force since December 2020, with 13 information privacy principles

Languages

en

Who must comply

Agencies in New Zealand and overseas businesses that carry on business in New Zealand and handle personal information of people there.

Penalties

Fines up to 10,000 New Zealand dollars for offences, plus compensation orders

Key obligations

  • Collect personal information only for a lawful, clear purpose
  • Be transparent about collection and use
  • Give individuals access to and correction of their information
  • Apply reasonable security safeguards
  • Notify the Commissioner and affected people of notifiable breaches

Local guidance

  • Apply the 13 information privacy principles
  • Notify serious-harm breaches to the Commissioner
  • Use the cross-border transfer principle for overseas disclosures
  • Rely on EU adequacy for transfers

How ConsentX helps

  • Transparent purpose notice in the banner
  • Preference and access request intake
  • Consent and preference receipts
  • Breach-ready evidence logs
  • Region rule engine tuned for New Zealand

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with New Zealand law using ConsentX

  1. Scan your website

     Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under New Zealand law.

  2. Show a geo-aware consent banner

     Add the ConsentX banner. It detects each visitor's region and automatically shows the consent experience that New Zealand requires.

  3. Block trackers until consent

     Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. Record tamper-evident proof

     Every choice is stored as a tamper-evident consent receipt you can produce in a New Zealand audit.

  5. Handle data requests on time

     Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Does New Zealand require breach notification?

Yes. The Privacy Act 2020 requires notification to the Commissioner and affected individuals when a privacy breach causes or is likely to cause serious harm.

Does New Zealand have EU adequacy?

Yes. New Zealand holds an EU adequacy decision, allowing personal data to flow freely from the EU to New Zealand.