Privacy Act Compliance (New Zealand)
Configure your forms for the New Zealand Privacy Act 2020 and Information Privacy Principles.
What is the Privacy Act 2020?
The Privacy Act 2020 is New Zealand’s primary data protection law. It replaced the Privacy Act 1993 and came into force on 1 December 2020. The Act is enforced by the Office of the Privacy Commissioner (OPC), an independent Crown entity.
At its core, the Act contains 13 Information Privacy Principles (IPPs) that govern how agencies collect, store, use, and disclose personal information. These principles are not abstract guidelines — they are legally binding obligations.
The Act applies to any agency — defined broadly as any person, company, body of persons, or organization — that collects personal information in New Zealand. There is no size threshold, no annual turnover exemption, and no minimum number of data subjects. A sole trader with a single contact form is subject to the same principles as a multinational corporation.
If your web form collects personal information from people in New Zealand, the Privacy Act applies to you.
Purpose-based, not consent-based
The most important distinction between the New Zealand Privacy Act and laws like the GDPR or DPDPA is its legal basis for collection. The Privacy Act does not require consent for collecting personal information for a lawful purpose. Instead, it uses a purpose-based framework built on IPPs 1 through 4:
- IPP 1 (Purpose) — only collect personal information for a lawful purpose connected with a function or activity of your agency, and only if the collection is necessary for that purpose.
- IPP 2 (Source) — collect personal information directly from the individual concerned, wherever possible.
- IPP 3 (Notification) — when collecting personal information directly from an individual, you must take reasonable steps to ensure they are aware of the fact of collection, the purpose, the intended recipients, their rights of access and correction, and whether providing the information is voluntary or mandatory.
- IPP 4 (Manner of collection) — collection must not be unlawful, and must not be carried out by means that are unfair or unreasonably intrusive.
When a person voluntarily fills out a contact form on your website, the collection is lawful because it is directly from the individual (IPP 2) and for an obvious, connected purpose (IPP 1). No consent checkbox is legally required for standard contact forms, inquiry forms, or feedback forms.
However, you must tell people why you are collecting their data and what you will do with it (IPP 3). This is a notification requirement, not a consent requirement. A linked privacy policy that explains these matters satisfies this obligation.
What the preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Not required | The Privacy Act uses a purpose-based model, not a consent-based model. Consent is not a prerequisite for lawful collection of personal information. |
| IP anonymization | No | The Privacy Act does not require IP anonymization. IP addresses may be retained for security and fraud detection purposes, consistent with IPP 1 (lawful purpose). |
| User-agent storage | Enabled | Browser information is useful for troubleshooting and is not singled out for special treatment under the Act. |
| Data retention | 730 days | IPP 9 requires that personal information not be kept longer than necessary. Two years is a reasonable default; adjust to match your actual need. |
| Privacy policy URL | Required | IPP 3 requires notification about why information is collected, who will receive it, and the individual’s rights. A linked privacy policy satisfies this obligation. |
Set up the Privacy Act preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select Privacy Act (New Zealand) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to the Compliance tab.
- Select Privacy Act (New Zealand) from the preset buttons or region dropdown.
- Click Save.
Information Privacy Principles for forms
Of the 13 IPPs, six are directly relevant to operating a web form. Understanding these will help you go beyond the preset defaults and ensure full compliance.
IPP 1 — Purpose of collection
You may only collect personal information for a lawful purpose connected with a function or activity of your agency, and only if the collection is necessary for that purpose. For web forms, this means: do not add unnecessary fields. If you are building a contact form, you need a name, email, and message — not a date of birth, income bracket, or national ID number. Every field on your form should serve the stated purpose.
IPP 2 — Source of information
Collect personal information directly from the individual wherever possible. Web forms inherently satisfy this principle because the person is typing their own information into your form. Problems arise when you supplement form data with information from third-party sources (e.g., data enrichment services) without the individual’s knowledge.
IPP 3 — Collection from subject
When collecting directly from an individual, you must take reasonable steps to ensure they are aware of:
- The fact that you are collecting personal information.
- The purpose of the collection.
- The intended recipients of the information.
- Whether providing the information is voluntary or mandatory.
- The consequences of not providing the information.
- Their rights of access to, and correction of, their personal information.
A clearly linked privacy policy that covers these points satisfies IPP 3. The policy does not need to be on the form itself — a visible link is sufficient.
IPP 4 — Manner of collection
Collection must not be unlawful, and must not use means that are unfair or unreasonably intrusive. For web forms, this means: no hidden fields that collect data the user does not know about (apart from standard security measures like FormShield honeypot fields), no deceptive form designs, and no pre-checked boxes that sign users up for things they did not request.
IPP 5 — Storage and security
You must ensure that personal information is protected against loss, unauthorized access, use, modification, or disclosure, and against other misuse. FormBlade encrypts data in transit (TLS) and stores submissions in a secured database. On your end, use a strong password for your dashboard account, enable two-factor authentication if available, and limit team member access to only those who need it.
IPP 9 — Retention
You must not keep personal information for longer than is required for the purposes for which the information may lawfully be used. This is not a suggestion — it is a binding principle. If you only need form submissions for 90 days to follow up on inquiries, do not retain them for two years. Set your FormBlade retention period to match your genuine business need.
Mandatory breach notification
One of the most significant additions in the 2020 Act (not present in the 1993 Act) is the mandatory privacy breach notification regime.
If a privacy breach occurs that has caused, or is likely to cause, serious harm to any affected individual, you must:
- Notify the Privacy Commissioner as soon as practicable after becoming aware of the breach.
- Notify the affected individuals as soon as practicable, unless an exception applies (e.g., notification would prejudice a criminal investigation).
The notification must include a description of the breach, the information involved, what you have done or intend to do in response, and what steps affected individuals can take to protect themselves.
“Serious harm” is assessed by considering factors such as the sensitivity of the information, whether the information is protected by security measures (e.g., encryption), the nature of the harm that could result, and who has obtained or could obtain the information.
Failing to notify a notifiable breach is an interference with privacy and can result in enforcement action by the Commissioner.
Cross-border disclosure
IPP 12 governs the disclosure of personal information to overseas recipients. You may disclose personal information to a person or agency in another country only if at least one of the following conditions is met:
- The recipient is subject to comparable privacy protections under the laws of that country, or is required to protect the information under a binding agreement.
- The individual authorizes the disclosure after being told that the overseas recipient may not be subject to comparable protections.
- The disclosure is necessary for one of the other information privacy principles (e.g., IPP 3 notification, IPP 6 access).
If you disclose personal information overseas and the overseas recipient breaches the information, you remain responsible as if the breach occurred in New Zealand.
Extraterritorial reach
The 2020 Act explicitly extended its reach beyond New Zealand’s borders. It applies to any overseas agency that is carrying on business in New Zealand, regardless of whether that agency has a physical presence in the country.
“Carrying on business” is interpreted broadly. If your website targets New Zealand users — for example, by advertising to NZ customers, accepting NZ dollars, or using a .nz domain — the Privacy Act applies to your collection of personal information from those users.
This extraterritorial application means that even if your business is based in Australia, the United States, or anywhere else, your forms must comply with the Privacy Act when they collect data from people in New Zealand.
Enforcement
The Privacy Act’s enforcement framework differs from the GDPR’s massive administrative fines. Instead, it relies on compliance notices and complaints-based enforcement:
- Compliance notices: The Privacy Commissioner can issue binding compliance notices requiring an agency to do, or stop doing, something to comply with the Act. Non-compliance with a compliance notice is an offence punishable by a fine of up to NZ$10,000.
- Complaints: Individuals can complain to the Privacy Commissioner, who investigates and attempts to settle the matter. If settlement fails, the Commissioner can refer the complaint to the Human Rights Review Tribunal.
- Human Rights Review Tribunal: The Tribunal can award damages, including for humiliation, loss of dignity, and emotional harm — not just financial loss. Awards of NZ$5,000 to NZ$168,000 have been made in privacy cases. The Tribunal can also issue restraining orders and declarations.
While there are no GDPR-scale administrative fines, the combination of compliance notices, public findings by the Commissioner, and Tribunal damage awards (including for emotional harm) provides effective enforcement. The reputational impact of a published Privacy Commissioner finding should also not be underestimated.
Practical recommendations
The Privacy Act’s purpose-based approach makes compliance relatively straightforward for standard web forms. Here is what matters in practice:
- No consent checkbox needed for standard forms. Contact forms, inquiry forms, feedback forms, and support forms do not require a consent checkbox. The collection is lawful because the individual is voluntarily providing their information for an obvious purpose.
- Always link a privacy policy. IPP 3 requires that individuals know why their data is being collected, who will see it, and what their rights are. A linked privacy policy is the simplest way to satisfy this. Make sure the link is visible on or near the form.
- Only collect what you need. IPP 1 requires necessity. Do not add fields to your form just because you can. Every field should serve the stated purpose of the form.
- Set a reasonable retention period. IPP 9 requires that you do not keep data longer than necessary. The 730-day default is a safe starting point, but if you only need data for a shorter period, reduce it accordingly.
- Prepare a breach response plan. Mandatory breach notification is a legal requirement under the 2020 Act. Know who in your organization will assess breaches, notify the Commissioner, and contact affected individuals.
- Remember there is no size exemption. Unlike Australia’s Privacy Act (which exempts businesses with annual turnover under AUD 3 million), the NZ Privacy Act applies to every agency regardless of size. A one-person business with a contact form has the same obligations as a large enterprise.
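The checks the IPP section and these recommendations describe can be turned into a pre-publish lint of a form definition. This is an added example, not FormBlade code: the definition shape (a dict with `purpose`, `privacy_policy_url`, `retention_days` and `fields`) and the field names it flags are constructed assumptions, and the sample forms are constructed.

```python
"""Lint a form definition against the IPP points above (IPP 1, 3, 4 and 9).
The dict shape used here is an assumption, not FormBlade's real config format."""
from datetime import date, timedelta

PRESET_RETENTION_DAYS = 730          # the preset default from the settings table
HONEYPOT_FIELD_TYPES = {"honeypot"}  # hidden anti-spam fields are the IPP 4 exception
# IPP 1: a contact form needs name, email and message; these go beyond that purpose.
CONTACT_FORM_EXCESS = {"date_of_birth", "income_bracket", "national_id"}


def lint_form(form: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # IPP 3: a visible privacy policy link is how the notification duty is met.
    url = (form.get("privacy_policy_url") or "").strip()
    if not url.startswith("https://"):
        findings.append("IPP 3: privacy_policy_url must be set (https) so the form can link it")
    # IPP 9: retention must be set; keeping data beyond the default needs a stated reason.
    days = form.get("retention_days")
    if not isinstance(days, int) or days <= 0:
        findings.append("IPP 9: retention_days must be a positive integer")
    elif days > PRESET_RETENTION_DAYS and not form.get("retention_justification"):
        findings.append(f"IPP 9: retention_days {days} exceeds the "
                        f"{PRESET_RETENTION_DAYS}-day default without a justification")
    for f in form.get("fields", []):
        name = f.get("name", "?")
        # IPP 1: flag fields a plain contact form does not need.
        if form.get("purpose") == "contact" and name in CONTACT_FORM_EXCESS:
            findings.append(f"IPP 1: field '{name}' is not necessary for a contact form")
        # IPP 4: hidden fields must not collect data the user cannot see (honeypots excepted).
        if f.get("hidden") and f.get("type") not in HONEYPOT_FIELD_TYPES:
            findings.append(f"IPP 4: hidden field '{name}' collects data the user cannot see")
        # IPP 4: pre-checked opt-ins sign people up for things they did not request.
        if f.get("type") == "checkbox" and f.get("opt_in") and f.get("checked"):
            findings.append(f"IPP 4: opt-in checkbox '{name}' must not be pre-checked")
    return findings


def purge_cutoff(retention_days: int, today: date) -> date:
    """Submissions received before this date have outlived the retention period (IPP 9)."""
    return today - timedelta(days=retention_days)


if __name__ == "__main__":
    # Constructed sample: a minimal contact form with a honeypot and a 90-day retention.
    sample = {"purpose": "contact", "privacy_policy_url": "https://example.com/privacy",
              "retention_days": 90, "fields": [{"name": "name"}, {"name": "email"},
              {"name": "message"}, {"name": "hp", "type": "honeypot", "hidden": True}]}
    print(lint_form(sample), purge_cutoff(sample["retention_days"], date.today()))
```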