NZ Privacy Act and AI: What Every Business Owner Must Know Before Using AI Tools

NZ business owner pausing at his laptop, weighing up whether customer data can go into an AI tool under the Privacy Act

Quick answer: Yes, the Privacy Act 2020 applies to AI tools. The moment you paste a customer’s name, email, health note or job details into ChatGPT, you are handling personal information and the 13 information privacy principles apply. You don’t need a lawyer to comply. You need to know what can and cannot go in the box.

You’ve got a quote to write, a complaint to answer, and forty minutes before school pickup. So you copy the customer’s email into ChatGPT and ask it to draft a reply. Name, address, phone number, the lot.

Nobody trained you on this. There’s no compliance officer down the hall. And somewhere in the back of your mind sits a small nagging question: was that actually allowed?

Short version: maybe. It depends on which tool you used, what settings it was on, and what you promised that customer when you collected their details. Here’s what the NZ Privacy Act actually says about AI, in plain English, and the five habits that keep you on the right side of it.

NZ business owner reviewing customer data on a laptop before pasting it into an AI tool

Does the NZ Privacy Act actually apply to ChatGPT?

Yes. The Office of the Privacy Commissioner has been blunt about this. Its starting point is that the Privacy Act applies to everyone using AI tools in New Zealand. There’s no small business exemption. There’s no “but it was just a draft” exemption.

The Act works through 13 information privacy principles, the IPPs. They cover how you collect personal information (IPPs 1 to 4), how you use and protect it (IPPs 5 to 10), and how you share it (IPPs 11 and 12). AI doesn’t sit outside that. It just gives you a very fast, very convenient new way to break the rules.

The three that bite hardest for small businesses:

  • IPP 5 (storage and security). You have to keep personal information secure. Your prompts count. If you type it into a chat box, you’ve moved it.
  • IPP 10 (limits on use). You can only use information for the purpose you collected it for. A customer gave you their phone number so you could quote a job, not so an AI model could train on it.
  • IPP 11 and 12 (disclosure, including overseas). Sending personal information to a third party, including one on a server in Virginia, is a disclosure. It needs a lawful basis.

What counts as personal information?

Wider than most people assume. It’s any information about an identifiable individual. Not just names and IDs.

A customer email with a signature block. A photo of a job site with a house number visible. A spreadsheet of “anonymous” leads where the free-text notes column says “Dave from the bakery on Ponsonby Road, sore back”. A voicemail transcript. A CV. A patient’s appointment note. All personal information.

Some of it is sensitive on top of that: health, finances, anything about children. The bar for care goes up accordingly. If you run a clinic or a wellness business, this is worth understanding properly before you automate anything, and we’ve covered what AI can safely do for health and wellness businesses in more detail.

What are the three mistakes NZ business owners actually make?

1. Using a free consumer account for client work

This is the big one. On most free consumer AI plans, your conversations can be used to improve the model unless you turn that off. The paid business and team tiers of the major tools generally don’t train on your inputs by default, and they say so in writing.

That distinction is the difference between a defensible decision and an awkward one. If you’re weighing up which tool to standardise on, our breakdown of ChatGPT vs Claude vs Gemini for NZ businesses covers the plans and what each one costs in NZD.

2. Letting staff use whatever they like

Adoption has moved fast. Xero’s research found around 61% of NZ small and medium businesses are already using AI tools. Meanwhile, in the group of businesses still hesitant about AI, 47% named data privacy and security as their reason.

Read those two numbers together and you get the real picture. Most Kiwi businesses are using AI. Almost none have written down who may use it, for what, and with what data. Your team is making that call individually, at 4:45pm, on a personal Gmail login.

3. Trusting the output without checking it

IPP 8 says you must take reasonable steps to make sure information is accurate before you use it. AI tools produce confident, fluent, wrong answers. If an AI-drafted letter states the wrong medication, the wrong balance owing or the wrong tenancy history, that’s your accuracy problem, not the vendor’s.

Small business team agreeing rules for using AI tools with customer information

What changed on 1 May 2026?

A new principle, IPP 3A, came into force under the Privacy Amendment Act 2025. It says that if you collect someone’s personal information indirectly, meaning from a source other than the person themselves, you generally have to tell them, as soon as reasonably practicable, unless an exception applies.

That matters more than it sounds for anyone running automations. Scraping business contacts for an outreach list. Buying a lead list. Pulling contact details from a third-party booking platform or a referral partner. Enriching a CRM record with data the customer never handed you. All of that is indirect collection, and all of it now carries a notification obligation.

If you built a clever AI lead-gen workflow in 2025, this is the year to go back and look at where the data comes from.

How do you use AI without breaching the Privacy Act?

Five steps. You can do most of this in an afternoon.

  1. Move off free consumer accounts for anything client-facing. Get everyone onto a paid business tier where the provider commits, in writing, not to train on your inputs. Then check the data controls in settings, because defaults change.
  2. Strip identifiers before you paste. Replace names with “the customer”, addresses with “the site”, account numbers with “XXXX”. You’ll get the same quality draft. AI does not need to know Dave’s surname to write Dave a polite follow-up.
  3. Write a one-page AI rule sheet for your team. Approved tools, what may never be pasted (health notes, bank details, anything about a child, full customer records), and who to ask if unsure. One page. Pin it up.
  4. Put a human in front of every output that touches a person. Nothing AI-drafted goes to a customer, a bank or a regulator without someone reading it first. That’s your IPP 8 defence and it takes thirty seconds.
  5. Update your privacy statement and check where data flows. If AI is now part of how you handle customer information, say so. The Privacy Commissioner has a free privacy statement generator, and the OPC recommends a privacy impact assessment before you deploy anything significant.

If you’re earlier than that and still working out where AI fits at all, start with the NZ business owner’s AI starter guide. And if budget is the blocker, there’s free government AI support for NZ small businesses that most people don’t know exists.

What happens if you get it wrong?

Nobody is going to raid your office because you used ChatGPT to write a quote. The realistic risk is a complaint from a customer who found out, followed by an investigation you have to answer.

The enforcement teeth are real, though. Failing to notify the Privacy Commissioner of a notifiable privacy breach is an offence carrying a fine of up to $10,000. The Commissioner can issue compliance notices. And where a complaint reaches the Human Rights Review Tribunal, the Tribunal can award damages of up to $350,000.

Honestly, the bigger cost for a small NZ business is usually reputational. In a market this small, “they put my details into an AI” travels.

Where we think most NZ businesses land on this

Here’s the opinion, and it’s not the cautious one you might expect.

Most privacy advice aimed at small business is written to make lawyers feel safe, not to make owners productive. It says “seek advice” and “consider the risks” and then stops, which is why so many owners read it, feel vaguely guilty, and carry on doing exactly what they were doing.

The truth is that the privacy risk in AI is not evenly spread. It’s concentrated in a handful of specific moves: pasting raw customer records into a free consumer chatbot, connecting an AI tool directly to your whole CRM with no filter, and scraping data you were never given. Avoid those three and you have removed most of your exposure. Everything else, drafting, summarising, rewriting with the names taken out, is low risk and high value.

It’s also worth naming what the OPC itself says when you’re unsure: if in doubt, don’t put personal information into AI tools. That’s a genuinely useful default, and it costs you almost nothing, because the AI rarely needed the personal details in the first place.

Only 44% of New Zealanders currently believe the benefits of AI outweigh the risks. The businesses that get ahead here won’t be the ones that use AI the hardest. They’ll be the ones customers trust with their data while using it.

Frequently asked questions

Is it illegal to put customer information into ChatGPT in New Zealand?
Not automatically. It becomes a problem when the use falls outside what you collected the information for, when the tool isn’t secure, or when the customer wasn’t told. Using a paid business tier that doesn’t train on your data, and removing identifiers where you can, keeps most everyday uses inside the rules.

Do I need a privacy impact assessment before using AI?
The Privacy Commissioner recommends one before you start using AI tools, and updating it as you go. For a sole trader drafting emails, a short written note of what you use and what you never paste is proportionate. For anything touching health, financial or children’s data, do the full assessment.

Does the Privacy Act apply if the AI company is based overseas?
Yes. The obligation sits with you, not the vendor. Sending personal information offshore is a disclosure under IPP 12, and you need to be satisfied the receiving party has comparable safeguards. That’s another reason the business tiers, with their written commitments, are worth the money.

What is IPP 3A and does it affect my business?
IPP 3A came into force on 1 May 2026. If you collect someone’s personal information from a source other than that person, you generally have to notify them. If you buy lead lists, scrape contacts, or pull customer data from partners and platforms, it affects you directly.

Do I need an AI policy for my staff?
You aren’t legally required to have one, but you’re accountable for what your staff do with customer information either way. A one-page rule sheet listing approved tools and forbidden data is the cheapest risk reduction available to a small business.

Can I still use AI for marketing and content?
Absolutely, and this is where most of the value sits. Writing captions, drafting blog posts, rewriting a quote email, summarising a meeting: none of that needs a real customer’s identifying details. Take the names out and the privacy question mostly disappears.

Want AI set up properly, without the privacy headache?

We build AI and automation systems for NZ businesses with the data handling designed in from the start, not bolted on after a scare. Right tools, right settings, clear rules your team can actually follow.

See how Overcomers AI can set up compliant AI systems for your NZ business.

Leave a Reply

Discover more from Overcomers AI Services

Subscribe now to keep reading and get access to the full archive.

Continue reading