Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo
  • Home /
  • Compliant, but not in New Zealand

Print | Email this page

Compliant, but not in New Zealand
15 August 2025 at 09:40

2025 policy people

A privacy policy that is “by the book” is no good if it’s by the wrong book. New Zealand agencies need to comply with New Zealand privacy law.

We are seeing more examples of businesses using privacy policies and privacy statements that are based on overseas rules and regulations, instead of New Zealand law.

Privacy Commissioner Michael Webster says “While it’s great to see businesses creating privacy policies and privacy statements, it seems that many are either using AI to develop these or using readily available internet templates and filling in the blanks without realising these are based on the rules from other countries and jurisdictions.

Some of the privacy statements we’re seeing are based on the GDPR (General Data Protection Regulation) – a European data privacy and security law that came into effect in 2018. One agency was even using Texas law from the United States as the base for their New Zealand based business.

As well intentioned as these companies might be, to make sure they meet their privacy obligations their policies need to reflect the Privacy Act 2020, which is the relevant New Zealand law. 

Privacy laws across the world might be similar but they are not the same and while those businesses are trying to do the right thing, they could mislead or misinform their customers and put themselves at risk by referencing laws from overseas. 

Using AI to develop a privacy policy or statement can also lead to mistakes. It might seem like a shortcut, but AI can leave out information, refer to the wrong country, or even make up laws that don’t exist. Agencies are better off developing their own policies and statements. 

A good starting point is using our privacy statement generator, Priv-o-matic. It only takes five minutes and includes the core elements needed in a privacy statement.

For example, when you collect personal information, you need to:

  • Tell the person what kind of information you are collecting
  • Tell them why you are collecting it
  • Tell them what will happen (if anything) if they don't give it to you.
  • Be clear about how you’ll use it
  • Have a plan for storage and disposal.

It’s important to make sure that you use a template that references New Zealand law as businesses operating here must comply with the New Zealand Privacy Act. Our guidance, Poupou Matatapu, can help you to create a privacy statement that can be trusted. 

Back
Previous Blog Post Next Blog Post

Latest Blog Entries

Back to top