March 25, 2026

The May 2026 Privacy Deadline

What is IPP3A and who does it affect?

The Privacy Amendment Act 2025 added a new rule, IPP3A, to New Zealand’s Privacy Act. From 1 May 2026, any agency (that is, any organisation or business covered by the law) that obtains personal information about someone indirectly must take reasonable steps to notify that person. “Indirectly” means the data came from a source other than the individual themself: a purchased mailing list, a data broker, or tracking tags that profile visitors.

In simple terms: if your marketing team uses customer data from another party (or from networked cookies or social media platforms), you will likely fall under IPP3A. The agency (e.g. your company) collecting that data must tell the person. Note that if a third party is acting purely as a service provider (like a marketing agency running your ad campaigns), then IPP3A may treat the data as collected directly by you. However, in most everyday cases (buying leads, using analytics tools, retargeting, importing contact lists), you will be collecting indirectly.

Who’s affected: Almost any NZ business with a website, app or marketing department: retailers, banks, schools, healthcare providers. If you gather personal data from partners, the public web or purchased sources, IPP3A applies. Even non-profits and government agencies need to comply. Failing to update your processes by May 2026 could lead to complaints or penalties, and certainly to reputational risk.

Key requirements: what must you do?

IPP3A doesn’t outlaw indirect data collection, but it does impose transparency. If you collect personal data about someone indirectly, IPP3A says you must take reasonable steps to make the individual aware of key facts. These include:

  • The fact of collection: Tell them you collected their personal information (and describe what).
  • Purpose of collection: Explain why you collected it (be specific, not just “for business purposes”).
  • Intended recipients: Say who else will see this data (other teams, partners or providers).
  • Who’s collecting/holding: Give your name and address, and the name of any agency holding the info.
  • Authorising law (if any): If a law requires the collection, cite it.
  • Access and correction rights: Remind them they can see or fix their info under the Privacy Act.

You must notify each person “as soon as reasonably practicable after” you get their data, unless someone else already did. Practically, this means you can’t sit on data for months without notice. Ideally, incorporate notification into your first contact with each person after you obtain the data (for example, include it in a welcome email).

There are exceptions where notification isn’t needed: if the individual already knew about the data source, if alerting them isn’t practicable (e.g. you have no contact info), or if notification would compromise an investigation or public health. But these are narrow and should be used cautiously. In a marketing context, the “already aware” exception might apply if your privacy policy clearly discloses every data source and the person explicitly consents. Even then, regulators expect proactive clarity, not hidden policies.

Practical compliance steps for marketers

Instead of panic, treat IPP3A as a call to improve data hygiene and customer trust. Here’s how to get ready:

  • Audit your data sources. Make a list of all the ways you get personal data about customers and prospects that doesn’t come directly from them. This includes purchased email lists, loyalty program signups, lead-generation firms, tracking pixels (Google Analytics, Meta Pixel, TikTok pixel, etc.), cookie and ad networks, public registries, and even referrals from partners. If you can’t identify the source of some data, flag it as a risk. (Bell Gully suggests this privacy audit as a first step.)
  • Map your data flows. For each source, note who collects the data, who holds it, and how it’s shared internally or with third parties (for ads, CRM, analytics). If you use cloud tools or third-party platforms, clarify if those platforms are “data processors” (acting on your behalf) or independent sources. This affects whether IPP3A applies or not.
  • Update privacy policies and notices. Your privacy policy (on your website, signup forms, etc.) must explicitly mention indirect collection. Explain, in plain language, if you get data from third parties and how you use it. Don’t rely on a generic clause; make it obvious and specific. For example, if you buy a mailing list or use Facebook’s lookalike data, state that and describe it. (The Privacy Commissioner has said generic statements aren’t enough; you must specifically notify individuals after collection.)
  • Build notification workflows. Decide how you will notify people. Often this is done through an email or letter when you first contact them. For example, if a new lead signs up and you have their email, mention in the first email: “We got your details from [Source] for the purpose of [X].” You might embed this in your welcome message or about section. If you send marketing mailings to a list, include a line: “(We compiled our list from [partner name], where we listed your email for [reason].)” Keep a log of who’s been notified when.
  • Review third-party contracts. Update agreements with partners who give you data. For example, if a data broker or marketing list vendor supplies personal info, have them contractually cover IPP3A obligations or confirm they’ve notified individuals. Also, ensure your own contracts with processors (like analytics or email platforms) support compliance.
  • Train your team. Make sure marketers, sales, IT and whoever handles data understand the new rules. This is especially important for staff who acquire leads or manage customer databases. They should know: “If we get data from X, we must notify Y.” Embed simple checklists or scripts into their workflow so notification happens routinely.
  • Go first-party where possible. Build up your own data gathering. Encourage customers to sign up directly (newsletters, gated content, surveys). Collect data through your own channels rather than buying it. First-party data (people who directly give you info) doesn’t trigger the IPP3A notice, because you collected it from them. It may grow more slowly, but it’s fully compliant and builds trust.
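The “Build notification workflows” step above, and the roadmap’s later “Monitor & record” item, both come down to the same piece of record-keeping: for every record you obtained indirectly, know whether a notice is still owed, whether someone else has already given it or a documented exception applies, and when and how you sent it. The following Python module is an added example written for this article; it is not code from the article’s authors or from any of the law firms mentioned. The register structure, the 14-day internal review window and the sample records are assumptions and constructed data (the Act itself only says “as soon as reasonably practicable” and gives no number). The six notice fields mirror the list of facts in the “Key requirements” section.

```python
"""
Added example: a minimal IPP3A notification register.

Logs each indirect acquisition of personal information, records the notice
given, and reports who is still owed one. Nothing here is legal advice; the
review window is an assumed internal target, not a statutory deadline.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The facts a notice must cover, as listed in the article.
REQUIRED_NOTICE_FIELDS = (
    "fact_of_collection",
    "purpose",
    "intended_recipients",
    "collector_identity",
    "authorising_law",        # "none" is a valid answer
    "access_and_correction",
)

REVIEW_WINDOW_DAYS = 14  # assumed internal follow-up target, not a legal limit


@dataclass
class Acquisition:
    person_id: str                      # internal key, not the person's name
    source: str                         # where the data came from (constructed)
    acquired_on: date
    collected_directly: bool = False    # first-party data needs no IPP3A notice
    source_notified: bool = False       # supplier confirmed it told the person
    exception: Optional[str] = None     # documented reason a notice is not needed
    notified_on: Optional[date] = None
    notice_channel: Optional[str] = None
    notice_fields: dict = field(default_factory=dict)


def requires_notice(a: Acquisition) -> bool:
    """A notice is owed for indirect collection unless the person was already
    told by someone else or a documented exception applies."""
    return not (a.collected_directly or a.source_notified or a.exception)


def validate_notice(fields: dict) -> list:
    """Return the required notice fields that are missing or empty."""
    return [f for f in REQUIRED_NOTICE_FIELDS if not fields.get(f)]


def record_notice(a: Acquisition, on: date, channel: str, fields: dict) -> None:
    """Log a notice; refuse to log one that omits a required fact."""
    missing = validate_notice(fields)
    if missing:
        raise ValueError(f"notice incomplete, missing: {missing}")
    a.notified_on, a.notice_channel, a.notice_fields = on, channel, dict(fields)


def outstanding(register: list, today: date) -> dict:
    """People still owed a notice, and the subset past the review window."""
    pending, overdue = [], []
    for a in register:
        if requires_notice(a) and a.notified_on is None:
            pending.append(a.person_id)
            if today - a.acquired_on > timedelta(days=REVIEW_WINDOW_DAYS):
                overdue.append(a.person_id)
    return {"pending": pending, "overdue": overdue}


def build_register() -> list:
    """Constructed sample register covering each branch of the logic."""
    register = [
        Acquisition("p1", "website signup form", date(2026, 5, 1), collected_directly=True),
        Acquisition("p2", "partner list import", date(2026, 5, 2)),
        Acquisition("p3", "partner list import", date(2026, 5, 15)),
        Acquisition("p4", "lead-gen vendor", date(2026, 5, 3), source_notified=True),
        Acquisition("p5", "event badge scan", date(2026, 5, 4), exception="no contact details"),
        Acquisition("p6", "partner list import", date(2026, 5, 5)),
    ]
    # p6 was told in the first welcome email, the day after acquisition.
    record_notice(register[5], date(2026, 5, 6), "welcome email", {
        "fact_of_collection": "We received your name and email address",
        "purpose": "to send our monthly product newsletter",
        "intended_recipients": "our marketing team and our email platform provider",
        "collector_identity": "Example Co, 1 Example St, Wellington",
        "authorising_law": "none",
        "access_and_correction": "You can ask to see or correct this information",
    })
    return register


def demo(today: date = date(2026, 5, 20)) -> dict:
    """Run the sample register through the report as at a constructed date."""
    return outstanding(build_register(), today)


if __name__ == "__main__":
    print(demo())
```

Run as at 20 May 2026, the report lists p2 and p3 as pending and p2 as overdue: p1 is first-party, p4 was notified by the supplier, p5 has a documented exception, and p6 has a logged notice. The point of refusing an incomplete notice in `record_notice` is that the log then doubles as the “reasonable steps” evidence the checklist asks you to keep.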

By acting now (mapping data, updating docs, getting processes ready), you’ll avoid a last-minute scramble when May arrives. As Russell McVeagh advises, update your privacy policy and train your staff on IPP3A. Bell Gully similarly recommends privacy audits, policy updates, and reviewing contracts as key prep steps.

Third-party data vs first-party data: the trade-offs

Many marketers rely on third-party data for quick reach (think purchased email lists, lead gen firms or social media targeting profiles). This approach can turbo-charge campaigns, but IPP3A adds a new cost. Indirect data forces you to explain yourself to every person on your list, which can be a logistical and reputational challenge. Customers might not like waking up to “Surprise – we got your info from X, and we’re emailing you.” It can feel intrusive. There’s also the general shift in privacy: browsers are phasing out third-party cookies, and consumers expect more control. Relying heavily on third-party data now risks getting ahead of the privacy law curve (and losing trust if a future breach occurs).

First-party data, by contrast, comes straight from your customers (sign-ups, purchases, event registrations, support calls, etc.). It grows more slowly, but it means people opted into the relationship. There’s no secret to explain, because they know they gave you the info. First-party data also tends to be more accurate and engaged. Think about strategies like loyalty programs, gated content, interactive campaigns or subscriptions, all of which can build your own data assets. The trade-off is time and effort versus speed and scale. But post-IPP3A, many businesses will weigh the long-term value of first-party data against the headache of compliance with third-party data.

In summary, IPP3A doesn’t ban third-party marketing data, but it does push all of us to get ethical. It may be time to pivot away from shady list buys or unconsented scraping, and instead invest in inbound marketing and genuine opt-in methods. Not only is that safer under the new law, but it often yields better customer relationships.

30–60 Day Roadmap to May 2026

Next 30 Days

  • Audit & map: Inventory all sources of indirect personal data (ad platforms, affiliate lists, data partners, website trackers).
  • Policy update draft: Revise privacy policy and cookie notices to include indirect collection and intended use. Prepare clear wording for first contact communications.
  • Plan notifications: Design email/DM copy or website banners to notify individuals. Decide who sends them and when.

30–60 Days

  • Finalise & train: Finalise the updated policy and get it live on your website. Train staff on IPP3A basics (data teams, marketers, customer service).
  • Revise contracts: Amend agreements with any third-party data providers to share IPP3A responsibilities. Clarify roles with ad agencies or CRM vendors.
  • Roll out notices: Begin notifying contacts acquired indirectly. For example, add a privacy note to your next newsletter signup or welcome emails.
  • Monitor & record: Keep a simple log of when and how individuals were notified. Review early feedback or queries.

Compliance Checklist

  • Data Source Audit: Identify every indirect data source in use.
  • Privacy Notices: Update website policy, forms, cookie banner and email templates with IPP3A info.
  • Notification Workflow: Ensure new contacts get a clear message about where you got their data and why.
  • Contract Review: Insert IPP3A clauses in data-sharing contracts; know who will notify whom.
  • Staff Training: Brief relevant teams on the new rules and your process for notifying.
  • Documentation: Keep records of your assessments and notifications (you may need to justify “reasonable steps” if asked).
  • Lead Gen Strategy: Shift focus to building first-party lists (e.g. sign-ups, referrals, content marketing) that don’t require the extra notice step.

Trade-offs and Next Steps

The May 2026 deadline forces a decision: continue relying on third-party sources (with extra compliance steps), or pivot toward first-party data strategies. The right balance depends on your business. Some mixed approach may work: for example, using third-party audiences for awareness but driving sign-ups on your own site.

Whatever path you choose, document your decisions. If you do use indirect data, keep notes on why you believe notification is covered (for example, by an exception) and be ready to explain it. This is a legal requirement, and getting it wrong could mean complaints or even regulatory scrutiny. If any point is unclear in your situation, it’s wise to get professional advice, especially if you handle sensitive data.

What to do now: Start the audit and planning immediately. Make IPP3A a priority item in your next meeting. By taking these steps early, you’ll not only stay on the right side of the law, but you’ll also signal to customers that their privacy matters. That builds trust, which, in today’s market, is as important as anything.

If you’d like to walk through what this means for your specific marketing setup, let’s talk. We’re happy to meet (coffee on us) and help you figure out the most practical next steps.