How to keep your personal information safe and secure when buying products and services.

Businesses, websites and apps should tell you what information they collect and how they will use it.

Shopping online safely(external link) — CERT NZ


Before you buy

Before giving a person, store or website personal information about you, make sure you know what they want the information for and how they will use it.

Do your research before you buy online. Read the terms and conditions. If you have any questions about how your data will be used or shared, contact the business before you buy.

Also check if the business has secure online payments. Look for https:// in the URL — ‘s’ stands for secure — and the padlock symbol. Or use a trusted payment system like PayPal.

What businesses need to tell customers(external link) — business.govt.nz


What information can be collected about you

Cookies

When you browse online (even if you don’t buy anything), retailers can use cookies to collect lots of personal information without you knowing. Your privacy settings on the internet can be set to choose which cookies are stored. Do an online search to find out how to do this on your specific browser. You may also be able to opt out on the website.

Google's cookie settings(external link) — Google

Privacy policies

Websites and online retailers must publish a privacy policy on their site. It is important to read these policies carefully. They will help you understand how your information will be used.

A privacy policy should include:

  • What information will be collected, eg your name and email address. If they store sensitive details like credit card numbers, consider shopping elsewhere.
  • How your information will be used, eg to manage your online account or to target ads to you on other websites.
  • If your information will be stored and for how long — some retailers will only store your details to complete your purchase, while others may keep it long after you have deleted your online account.
  • How they will protect your information.
  • If and how they will share your information — some retailers share or sell personal data to third-parties or businesses overseas.
  • How you can find and correct your information.
  • How you can contact them if you have a privacy question or complaint.

Your rights

Businesses and agencies that collect, use and store personal information should:

  • only collect information they need for business purposes, eg name and contact details
  • tell you how, when and why they are collecting your information
  • tell you what will happen if you don’t give your personal information
  • keep your personal information safe
  • only use your information if they are reasonably sure it is accurate and up-to-date
  • only use your information for the purpose for which they collected it
  • let you see your information and correct any mistakes.

Businesses and agencies should not:

  • ask for more information than they need
  • let personal information be leaked, hacked or found in any other way
  • keep information longer than they need it — or are legally required to keep it
  • pass your details on to another business or organisation without your permission
  • collect information by illegal, unfair or unreasonably intrusive means
  • collect information about you from someone else unless you've authorised them to
  • spam customers — sending unwanted emails, text messages or instant messages is illegal.

Your privacy rights(external link) — Privacy Commissioner


If things go wrong

Ask to see the information a business has about you. If it's wrong, it's your right to get it corrected. You can ask for your details to be deleted, but the business doesn't have to agree.

If you think your personal information has been used without your permission, talk to the business you think misused your information. Ask to speak to their privacy officer, or a manager if they don't have one.

If you can't resolve the problem with the original business, you can make a complaint to The Privacy Commissioner.

Making a complaint(external link) — Privacy Commissioner