No Cookie Law, but the Privacy Act Still Applies
New Zealand does not have a dedicated cookie or e-privacy statute. Unlike the EU, where the ePrivacy Directive explicitly regulates cookies, New Zealand relies on a broader personal information framework: the Privacy Act 2020.
The Act came into force on 1 December 2020, replacing the Privacy Act 1993. It applies to every "agency" that collects, holds, uses, or discloses personal information. In practice, this includes any organisation operating a website that sets cookies capable of identifying a visitor, whether through a _ga analytics cookie, a _fbp cookie set by a marketing pixel, or a session identifier like PHPSESSID.
The Office of the Privacy Commissioner (OPC) is the independent regulator responsible for enforcing the Act and issuing guidance. The OPC has made clear that online tracking falls within scope whenever the data collected can be linked back to an identifiable individual.
The 13 Information Privacy Principles at a Glance
The Privacy Act 2020 is built around 13 Information Privacy Principles (IPPs) that govern the full lifecycle of personal information. Not every principle is directly relevant to cookies, but several have a material impact on how your website handles tracking.
| IPP | Subject | Relevance to Cookies |
|---|---|---|
| IPP 1 | Purpose of collection | You must only collect personal information for a lawful purpose connected to your function |
| IPP 2 | Source of collection | Personal information should be collected directly from the individual where possible |
| IPP 3 | Notification of collection | You must tell users what you are collecting, why, and who will receive it |
| IPP 3A (from May 2026) | Indirect collection notification | New duty to notify individuals when personal information is collected from third parties |
| IPP 4 | Manner of collection | Collection must be lawful, fair, and not unreasonably intrusive |
| IPP 5 | Storage and security | Cookie data must be protected against loss, misuse, and unauthorised access |
| IPP 10 | Limits on use | Information collected for one purpose must not be used for a materially different purpose |
| IPP 11 | Disclosure | Restricts sharing personal data with third parties without a proper basis |
| IPP 12 | Cross-border disclosure | Overseas transfers require comparable protections or individual authorisation |
How IPP 3 Affects Your Cookie Banner
IPP 3 requires that when you collect personal information directly from an individual, you take reasonable steps to ensure they know about the collection. For cookies, this means disclosing which cookies your site sets, the purpose behind each one, and whether any third parties receive the data.
A well-structured cookie banner combined with a clear cookie policy satisfies this transparency requirement. The banner should name the categories of cookies used and explain what each category does, rather than burying details in legal text that nobody reads.
The Act does not prescribe an opt-in or opt-out model. There is no equivalent of the GDPR's strict prior consent requirement under Article 7. The emphasis is on transparency and fairness rather than a specific consent mechanism.
IPP 3A: The 2025 Amendment Taking Effect in May 2026
The Privacy Amendment Act 2025, signed into law in September 2025, introduces IPP 3A. This new principle targets situations where personal information is collected indirectly, meaning from a source other than the individual concerned.
From 1 May 2026, agencies that obtain personal information from third-party sources must take reasonable steps to notify the affected individual. The notification must include the agency's name and contact details, the purposes of collection, and the individual's rights to access and correct their data.
For website operators, IPP 3A is most relevant when using third-party tracking scripts that share data across platforms. If your site receives audience segments, enriched user profiles, or cross-site identifiers from an advertising network, you may need to inform visitors that this indirect collection is occurring.
There are practical exceptions. IPP 3A does not apply where the individual is already aware of the collection, where the information will not be used in identifiable form, or where the data comes from a publicly available source.
Extraterritorial Reach: Does the Act Apply Outside New Zealand?
Yes. The Privacy Act 2020 has extraterritorial scope. It applies to any agency carrying on business in New Zealand, regardless of where the agency is based or where the information is held.
If your website targets New Zealand users, accepts payments in NZD, or has a .nz domain, the Act likely covers your data collection activities. This mirrors the approach taken by the GDPR and Brazil's LGPD, both of which can reach organisations outside their home jurisdictions.
IPP 12 adds another layer. Disclosing personal information to a foreign person or entity requires that the receiving country offers comparable privacy protections, or that the individual authorises the transfer. Many analytics and advertising cookies send data to servers in the United States, so verifying your data flows is worth the effort.
Cookies That Identify Individuals vs Those That Do Not
The Privacy Act applies only to "personal information" - information about an identifiable individual. Not every cookie meets this threshold.
A strictly necessary cookie like a session token (PHPSESSID) or a language preference (pll_language) that does not track behaviour across pages may fall outside scope. A functional cookie storing a currency selection is unlikely to identify anyone on its own.
Analytics cookies such as _ga or _gid assign a unique client identifier and track browsing behaviour over time. When combined with other data points, these identifiers can relate to an identifiable person. The same logic applies to marketing cookies like _fbp or advertising pixels that build cross-site profiles.
The prudent approach: treat any cookie that assigns a unique identifier or tracks behaviour as processing personal information under the Act.
Enforcement and Complaints
The OPC investigates complaints from individuals who believe their privacy has been breached. It can issue compliance notices requiring an agency to take specific steps. Failure to comply with a compliance notice is an offence carrying fines of up to NZD 10,000.
The Act also introduced a mandatory breach notification regime. If a privacy breach has caused, or is likely to cause, serious harm, you must notify both the OPC and the affected individuals. A data leak caused by insecure cookie handling or exposed tracking data could trigger this obligation.
Individuals can escalate unresolved complaints to the Human Rights Review Tribunal, which can award damages including compensation for humiliation and loss of dignity. While enforcement activity around cookies has been limited compared to EU regulators, the legal tools exist.
Practical Steps for Cookie Compliance in New Zealand
Although the Act does not mandate a cookie banner in the way the ePrivacy Directive does, implementing one is the most straightforward way to meet your IPP 3 transparency obligations. Here is a practical approach:
- Scan your site - identify every cookie and tracking technology in use, including those set by third-party scripts. Kukie.io's free scanner can automate this step.
- Categorise cookies - group them into recognised categories: strictly necessary, functional, analytics, and marketing.
- Display a clear notice - tell visitors what cookies you use, why, and who receives the data. This satisfies IPP 3.
- Provide a genuine opt-out - while the Act does not require prior consent, giving visitors the ability to decline non-essential cookies demonstrates fair collection under IPP 4.
- Review third-party transfers - if analytics or advertising data goes overseas, verify that IPP 12 requirements are met.
- Prepare for IPP 3A - audit any indirect data collection and plan your notification process before 1 May 2026.
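The categorisation and opt-out steps above, together with the identifiable-versus-non-identifiable distinction from the earlier section, as an added example that is not part of this article or of Kukie.io's product: a small browser script that inventories document.cookie, categorises each cookie by name using the examples this article mentions, flags anything unrecognised for manual review (treated as personal information, per the prudent approach above), and loads analytics and marketing scripts only after the visitor has made an explicit choice. The rule table, the localStorage key cookieConsent and the example.invalid script URLs are assumptions.

```javascript
// Added example, not the article's or Kukie.io's code. Cookie names and the
// category table are assumptions based on the cookies the article discusses.

const COOKIE_RULES = [
  // Strictly necessary / functional: no cross-page behavioural tracking on their own.
  { pattern: /^PHPSESSID$/,        category: 'necessary',  personal: false },
  { pattern: /^pll_language$/,     category: 'functional', personal: false },
  { pattern: /^currency$/,         category: 'functional', personal: false },
  // Analytics: persistent unique client identifiers, so treat as personal information.
  { pattern: /^_ga(_[A-Z0-9]+)?$/, category: 'analytics',  personal: true },
  { pattern: /^_gid$/,             category: 'analytics',  personal: true },
  // Marketing: cross-site identifiers.
  { pattern: /^_fbp$/,             category: 'marketing',  personal: true },
];

// Map a cookie name to its category. Anything unrecognised is a compliance gap:
// flag it for review and assume it may carry personal information.
function categoriseCookie(name) {
  for (const rule of COOKIE_RULES) {
    if (rule.pattern.test(name)) {
      return { name, category: rule.category, personal: rule.personal };
    }
  }
  return { name, category: 'unknown', personal: true };
}

// Extract cookie names from a document.cookie style string ("a=1; b=2").
function parseCookieNames(header) {
  return header
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const eq = pair.indexOf('=');
      return (eq === -1 ? pair : pair.slice(0, eq)).trim();
    });
}

// Group cookie names by category; the 'unknown' bucket is the review list.
function buildInventory(header) {
  const inventory = { necessary: [], functional: [], analytics: [], marketing: [], unknown: [] };
  for (const name of parseCookieNames(header)) {
    const entry = categoriseCookie(name);
    inventory[entry.category].push(entry.name);
  }
  return inventory;
}

// Names of cookies that should be disclosed as processing personal information.
function personalInfoCookies(header) {
  return parseCookieNames(header).filter((name) => categoriseCookie(name).personal);
}

// Consent gate. Necessary and functional scripts are never gated; analytics and
// marketing load only on an explicit boolean true, so a tampered or malformed
// stored value (e.g. the string "true") still counts as no consent.
const DEFAULT_CONSENT = { analytics: false, marketing: false };

function allowedCategories(consent) {
  const c = { ...DEFAULT_CONSENT, ...(consent || {}) };
  const allowed = ['necessary', 'functional'];
  if (c.analytics === true) allowed.push('analytics');
  if (c.marketing === true) allowed.push('marketing');
  return allowed;
}

// Placeholder manifest of optional third-party scripts (assumed URLs).
const SCRIPT_MANIFEST = [
  { src: 'https://example.invalid/analytics.js', category: 'analytics' },
  { src: 'https://example.invalid/pixel.js',     category: 'marketing' },
];

function scriptsToLoad(consent) {
  const allowed = new Set(allowedCategories(consent));
  return SCRIPT_MANIFEST.filter((s) => allowed.has(s.category)).map((s) => s.src);
}

// Browser-only wiring; skipped when the functions above are exercised under Node.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  let consent = null;
  try { consent = JSON.parse(localStorage.getItem('cookieConsent') || 'null'); } catch (e) { consent = null; }
  console.log('Cookie inventory:', buildInventory(document.cookie));
  console.log('Disclose as personal information:', personalInfoCookies(document.cookie));
  for (const src of scriptsToLoad(consent)) {
    const el = document.createElement('script');
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
}
```

The inventory's unknown bucket is the part worth watching over time: a new third-party script that drops an unlisted cookie shows up there on the next page load, which is the point at which the cookie policy and banner categories need updating rather than after a complaint.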
How New Zealand Compares to Other Privacy Regimes
The Privacy Act 2020 sits between the strict opt-in models of the EU and the narrower sectoral approach of the United States. The table below shows how New Zealand's framework stacks up against other major privacy laws your website may need to consider.
| Feature | NZ Privacy Act 2020 | GDPR / ePrivacy | Australia Privacy Act |
|---|---|---|---|
| Cookie-specific law | No | Yes (ePrivacy Directive) | No |
| Consent model | Transparency-based | Opt-in for non-essential | Transparency-based |
| Extraterritorial scope | Yes | Yes | Yes |
| Breach notification | Mandatory | Mandatory (72 hours) | Mandatory |
| Maximum fine | NZD 10,000 (compliance notice breach) | EUR 20 million or 4% revenue | AUD 50 million |
| Regulator | OPC | National DPAs | OAIC |
New Zealand's fines are modest by international standards. The real risk is reputational harm and complaints to the Human Rights Review Tribunal, which can award uncapped damages.
Frequently Asked Questions
Does New Zealand have a cookie consent law?
No. New Zealand has no standalone cookie law. The Privacy Act 2020 applies to cookies and tracking technologies when they process personal information about identifiable individuals.
Do I need a cookie banner for a New Zealand website?
The Privacy Act does not explicitly require a cookie banner. A banner is the most practical way to meet your transparency obligations under IPP 3, which requires you to inform visitors about data collection.
What is IPP 3A and when does it take effect?
IPP 3A is a new Information Privacy Principle introduced by the Privacy Amendment Act 2025. It requires agencies to notify individuals when collecting personal information indirectly from third-party sources. It takes effect on 1 May 2026.
Does the NZ Privacy Act apply to websites outside New Zealand?
Yes. The Act applies to any agency carrying on business in New Zealand, regardless of where the agency is located or where the data is held.
Are analytics cookies like Google Analytics covered by the Privacy Act?
Analytics cookies that assign unique identifiers and track browsing behaviour are likely to process personal information under the Act. Treat cookies like _ga as in scope and disclose their use to visitors.
What are the penalties for breaching the NZ Privacy Act?
Failing to comply with a compliance notice carries fines of up to NZD 10,000. Individuals can also bring claims before the Human Rights Review Tribunal, which can award damages with no fixed cap.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.