New Zealand Privacy Act

Privacy Act 2020, as amended by the Privacy Amendment Act 2025

Key Facts

  • Effective Date: December 1, 2020
  • Enacted: June 30, 2020
  • Enforcing Authority: Office of the Privacy Commissioner (OPC)
  • Consent Model: Opt-out
  • Fulfillment Time: 20 days
  • Applies To: Any agency that collects, holds, uses, or discloses personal information (public and private sectors)

Overview

New Zealand's Privacy Act takes a notably less prescriptive approach to cookies than EU-style laws — there is no mandatory opt-in cookie consent requirement. Instead, transparency and opt-out mechanisms are the primary requirements. New Zealand holds an EU adequacy decision, recognizing its data protection as adequate for EU transfers.

What This Means for Your Website

  • No mandatory opt-in cookie consent is required (unlike GDPR)
  • Organizations must be transparent about cookie use and provide opt-out mechanisms
  • Consent IS required for targeted advertising involving cookies
  • Mandatory breach notification applies for serious privacy breaches
  • The 2025 Amendment adds transparency obligations for data collected from third parties (IPP 3A)
  • Penalties are low: NZD 10,000-50,000

Key Requirements

The OPC enforces the Privacy Act, which is built around 13 Information Privacy Principles. Penalties reach NZD 50,000 for organizations. The Human Rights Review Tribunal can award damages in breach cases. Consumer requests must be fulfilled within 20 working days.

How ConsentStack Handles This

ConsentStack applies New Zealand's transparency and opt-out model for NZ visitors, with targeted advertising consent where required.

Penalties

Individuals: up to NZD 10,000. Organizations: up to NZD 50,000. The Human Rights Review Tribunal can award damages.

Maximum Fine: NZD 50,000 per violation

Key Requirements

  • 13 Information Privacy Principles governing personal information
  • Transparency required about cookie use and data collection purposes
  • Opt-out mechanisms must be provided for tracking
  • Consent required for targeted advertising
  • Mandatory breach notification for serious privacy breaches
  • New IPP 3A (2025): transparency for data collected from third parties

Notable Provisions

  • No mandatory opt-in cookie consent — less prescriptive than GDPR
  • EU adequacy decision in force
  • Low penalties by international standards
  • 2025 Amendment adds third-party collection transparency (IPP 3A)

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Does New Zealand require cookie consent?

Not opt-in consent like GDPR. New Zealand requires transparency about cookie use and opt-out mechanisms. Consent is required specifically for targeted advertising.

Does New Zealand have EU adequacy?

Yes. New Zealand holds an EU adequacy decision, meaning it is recognized as providing adequate data protection for EU personal data transfers.

What are New Zealand's privacy penalties?

Up to NZD 50,000 for organizations and NZD 10,000 for individuals — low by international standards. The Human Rights Review Tribunal can also award damages.
