Noho Matatapu: Website Privacy in New Zealand

Learn about some of the steps you can take to respect user privacy and reach legal compliance.

Digital Privacy is a hot topic with rising public concerns, new international general data protection regulations and an update to the New Zealand Privacy Act on the cards this year. As a website owner you have a responsibility to respect and protect the data you request and collect from your audience.

noho matatapu – (noun) confidentiality, privacy.

Māori Dictionary

Respecting Website User's Privacy

The most important steps to respecting your users privacy are in creating a shared understanding of your data collection practises. Below we share a process for understanding how you are currently collecting and using data, optimising future collection, and then communicating your data practises clearly with your users.

The AD-MACE Process

The steps below came about through research into the GDPR and are known as the AD-MACE process, published on The Modern Entrepreneur, with each letter representing a stage of the full process:

  • Audit
  • Delete
  • Minimise
  • Anonymise
  • Collect Consent
  • Educate

Performing a Data Audit

There are many ways that personal data is collected through the average website; Contact & Comment Forms, Website Analytics, Social Media Plugins, eCommerce Pages, Server Logs and more. There are tools to scan your websites cookies and if you use WordPress they recently implemented improved privacy functionality for both core and plugins. 

When beginning this process you should create a list of any website processes that may be collecting data using the above tools if necessary. At the very least you can use this list to document how you currently collect data for us in your privacy policy later even if you make no changes. 

Delete Data You No longer Require

Whilst auditing your site you may find that you are collecting data that you don't really need. For example specific IP addresses on contact forms and general analytics tools. If you have control over this then you can simply delete your existing logs of unnecessary data.

Or you may be passing data to Facebook through “Like” buttons on your website when they more commonly slow down your site than generate genuine social sharing. In cases like this, simply deleting the plugin can minimise collection and sometimes improve your website performance at the same time.

Minimising Unnecessary Data Collection

Once you begin to create a deeper understanding of the types of data you collect on your website, you may notice that some tools collect a lot more information than you actually use. For a long time many tools have defaulted to collecting too much just in case.

Often if you dig into the settings you will find that you have several options for both collecting and sharing less data with third parties. Some common examples are IP addresses linked to form submissions, advertising and device IDs for users, and social media data.

As a general rule you should only collect data that you want are required to by law or use as part of your regular business processes. You should also implement processes for deleting this data when it is no longer required. 

Anonymise General Data Collection

There are times when data collection doesn't actually need to be linked to a specific person. For example if you use website analytics to track general trends on how people use your website you may never drill down to the individual user level and if you do you may not want or need to know specifically who that person is. In this use case the trends are often more important than the individual. If you don't need individual level data, anonymise it.

Google Analytics is probably the most popular analytics tool and they collect full IP addresses by default even though you never see them and they already set other pseudonymous identifiers. You now know the drill…

Collecting Consent for Data Collection

It is important to note that all of the above are important steps to reduce and minimise data that you don't need but there is still an awful lot of times that personal data isn't essential, but can still be very useful for marketing. Some examples of this are email addresses for email marketing, phone numbers for mobile campaigns, Facebook pixels for remarketing, and website tracking for marketing automation.

Often consumers will be more than happy to hand over their data as long as there are clear benefits for doing so. We've likely all provided our email to get access to a discount or free report… Or provided a phone number to get a text message confirmation for a booking… The key here is to be clear about exactly what you will do with the information and provide users with a method for consenting (or not) to the usage of their personal data. This could be as simple as a checkbox or alternate wording on your web forms or a popup cookie banner on your website.  

Educate Users with Your Privacy Policy

The final step is to educate your users your privacy practises. This is especially important for essential and legally required tracking that can't be avoided when using your website. The Office of the Privacy Commissioner in New Zealand offer “Priv-o-matic” an online privacy policy generator to help with this. Armed with the information you've collected throughout the rest of the AD-MACE process you should have more than enough information to fill in the blanks and clearly communicate how you manage personal data.

If your website is built on WordPress you can also make use of the new Settings > Privacy page which will automatically provide a lot of the information specific to your website.

Once your privacy policy page is published you can add a link in your footer and make sure that it is shown on the page whenever someone provides personal data whether they are; subscribing to your email newsletter, agreeing to cookies, or making a purchase through your store.

Better Privacy Practise 

Technology on the internet is constantly evolving and new challenges can seem to emerge at least as frequently as proposed solutions. Armed with the AD-MACE process as a framework for making decisions you should be able to regularly review and improve your data collection practises.

For those who want deeper information on Privacy Laws in New Zealand you can undertake free online training from the Office of the Privacy Commissioner.  

Also within New Zealand you can apply for a Privacy Mark on certain products to show increased consideration for privacy in your products design process. 

Ready to start your project?

Get in touch to start growing your business online today.

Scroll to Top