Understanding IPP3A: What the New Privacy Law Means for Your Business

In today’s hyper-connected world, protecting personal information is more than a legal obligation; it’s a business imperative. As customers grow increasingly aware of how their data is used, privacy compliance has become a core part of maintaining trust and reputation. That’s where IPP3A comes in. As part of New Zealand’s evolving privacy law, IPP3A introduces new transparency requirements around the indirect collection of personal data. If your business gathers information through third parties or public sources, you need to understand what’s changing and what to do next.

What Has Changed?
IPP3A is a proposed addition to New Zealand’s Privacy Act, aimed at closing a longstanding gap in our transparency requirements. Currently, businesses only need to notify individuals when they collect personal information directly from them. But what about data collected from other sources? Until now, there’s been no legal obligation to inform the individual.

That changes with IPP3A. Under the amendment, businesses that collect personal information about someone, from any source other than the person themselves, must take reasonable steps to inform them. The notice must explain what information has been collected, why it was collected, how it will be used, who it may be shared with, and how the individual can access or correct it.

Importantly, this duty applies to any form of indirect collection — including data obtained from marketing agencies, partner organisations, and even generative AI tools that infer or derive new information based on prompts you’ve provided.

Failing to meet these obligations could lead to enforcement action, reputational harm, or loss of trust. And while there are exceptions — for instance, if the information is publicly available or if the person has already been informed by another agency — these are nuanced and require careful interpretation. Misjudging the rules could be a costly mistake.

Why Should Businesses Care?
The risks of ignoring IPP3A are real. Beyond legal penalties, businesses that fall short of privacy obligations risk losing customer confidence. People want to know when their data is being used — and by whom. If your organisation collects personal information without transparency, you could face complaints to the Privacy Commissioner or negative media coverage.

The update brings New Zealand’s law more closely into line with international standards such as the UK GDPR. For businesses with global ambitions or international customers, this alignment is critical. But even if you operate solely within New Zealand, the message is clear — transparency is no longer optional; it’s expected.

How Can Businesses Prepare?
Start by reviewing how your business currently collects data. Map out all indirect sources — whether through service providers, public databases, or tools like AI engines. Then, check your privacy policies. Do they clearly explain how and when personal information might be collected from others?

If not, it’s time for an update. Make sure you include statements around indirect collection, your reasons for doing so, and how individuals can reach you with questions or concerns. You’ll also want to review contracts with third parties to ensure they’re supporting your compliance efforts, especially if you’re relying on them to inform individuals on your behalf.

It’s not always easy to know whether an exception applies or how best to phrase a notification. That’s why professional support can make all the difference. The consequences of getting this wrong go far beyond paperwork. It’s about protecting your brand, your customers, and your future.

Need help navigating IPP3A? Contact Proper Privacy Services today for expert guidance tailored to your business. We’ll help you understand your obligations, close compliance gaps, and ensure your privacy practices are built to last.
