IPP 3A in Plain English: What Just Changed
On 1 May 2026, a new rule called Information Privacy Principle 3A (IPP 3A) kicks in under New Zealand's Privacy Act. It was introduced through the Privacy Amendment Act 2025, and it changes one specific thing: what you have to do when you collect someone's personal information from a source other than the person themselves.
That's called "indirect collection." And if you run any kind of marketing in New Zealand, you probably do it more than you think.
Here's the core of it. If you get someone's name, email address, phone number, or any other personal information from anywhere other than the person directly — a partner business, a data provider, a lead generation tool, a CRM enrichment service, a purchased list — you now have to take "reasonable steps" to let that person know:
- That you collected their information (and where you got it from)
- Why you collected it
- Who will have access to it
- Their rights to access and correct their information
- Your name and contact details
And you have to do this "as soon as reasonably practicable" after collection.
That's it. No ban on indirect collection. No requirement to get consent before collecting. Just a mandatory notification requirement: you have to tell people you have their data.
Simple in theory. Significant in practice.
Why This Matters Right Now
Until IPP 3A, New Zealand's Privacy Act only required you to notify people when you collected their information directly (IPP 3 — the existing principle). If you got someone's email from a third-party list, a referral partner, or a data enrichment tool, you had no legal obligation to tell them.
That gap is now closed.
The Privacy Commissioner has been clear: the "it's too expensive" or "our systems don't support it" arguments won't fly. The official guidance states that inconvenience, expense, or incompatible systems are not valid reasons to skip notification.
And while the current maximum fine for non-compliance with a compliance notice is $10,000 through the Human Rights Review Tribunal, the real risk is reputational. The Privacy Commissioner has a "name and shame" policy — agencies found in breach can be publicly identified if the Commissioner believes it serves the public interest.
For most NZ businesses, the PR damage of being named as a privacy violator would far exceed any fine.
What IPP 3A Means for Google Ads
If you run Google Ads in New Zealand, here's what you need to know about the three areas most affected.
Remarketing (Showing Ads to Past Visitors)
Standard remarketing — where you show ads to people who've previously visited your website — is largely unaffected by IPP 3A. Why? Because you collected the browsing data directly through your own website. That's direct collection, covered by the existing IPP 3, not the new IPP 3A.
However, you still need a clear privacy policy on your site explaining that you use remarketing cookies. This isn't new, but it's worth double-checking.
Customer Match (Uploading Email Lists)
This is where IPP 3A bites. Customer Match lets you upload a list of email addresses to Google Ads so you can target those specific people (or find similar audiences). If those email addresses came from anywhere other than the individuals themselves — a purchased list, a data partner, a business you acquired — you now have a notification obligation.
Before you upload any list to Google Ads, ask: "Did every person on this list give their details directly to us?" If the answer is no, you need to notify them before or immediately after using their data.
In practice, this means:
- First-party lists are fine. If someone filled out your website form, signed up for your newsletter, or gave you their email at a trade show, that's direct collection. No IPP 3A issue.
- Third-party or purchased lists need work. You can still use them, but you must notify every individual on the list that you have their data, where you got it, and why. For most businesses, this makes purchased lists impractical.
- Merged lists from acquisitions. If you acquired a business and inherited their customer database, those customers didn't give their data to you — they gave it to the previous business. You need to notify them.
Offline Conversions
If you upload offline conversion data to Google Ads (matching phone numbers or email addresses to ad clicks), the data typically comes from your own CRM where the customer provided it directly. This is usually direct collection and not affected by IPP 3A.
But if your CRM contains contact details sourced from third parties, and you're matching those against Google Ads clicks, that's indirect collection and triggers IPP 3A notification requirements.
What IPP 3A Means for Email Marketing
Email marketing is where IPP 3A will have the biggest practical impact for most NZ businesses.
Purchased Lists Are Effectively Dead
Technically, IPP 3A doesn't ban purchasing email lists. But it makes them almost unusable. Here's why:
- You buy a list of 5,000 email addresses from a data broker
- IPP 3A requires you to notify every one of those 5,000 people that you have their information, where you got it, and why
- The only practical way to notify them is... to email them
- Your first email to a list of strangers saying "We bought your data" will result in mass unsubscribes, spam complaints, and potential blacklisting of your sending domain
The maths simply doesn't work. Even before IPP 3A, purchased lists had terrible engagement rates. Now they come with a legal notification requirement that makes the ROI even worse.
The alternative: Build your own list. Lead magnets, content marketing, trade show signups, referral programmes. It takes longer, but the people on your list actually want to hear from you — and you have zero IPP 3A exposure.
Referral and "Forward to a Friend" Data
If a customer refers a friend and gives you their friend's email address, that's indirect collection. You got the friend's details from a third party (your customer), not from the friend directly.
Under IPP 3A, you need to notify the friend that you have their details. A simple introductory email — "Your friend [name] thought you might be interested in [your service]. They shared your email with us. Here's what we do and how we handle your data..." — handles both the notification requirement and the marketing opportunity.
Data Enrichment Services
If you use tools that append additional data to your existing contacts (adding phone numbers, job titles, company information from third-party databases), that enriched data is indirectly collected. You need to let people know you've supplemented their record with information from other sources.
What IPP 3A Means for Lead Generation Partnerships
Many NZ businesses generate leads through partnerships — a real estate agent refers clients to a mortgage broker, an accountant refers to a financial adviser, a wedding venue shares enquiries with preferred vendors.
Under IPP 3A, when a partner sends you a lead, you are indirectly collecting that person's information. You need to notify them.
The good news: this is straightforward to handle with a proper process.
Best practice for lead gen partnerships post-IPP 3A:
- Update your partnership agreements. Include clauses about IPP 3A compliance and agree on who notifies the individual (ideally the referring partner tells the person their details will be shared, satisfying IPP 3 for the referrer and reducing your IPP 3A burden).
- Create a standard notification message. When you receive a referral, send a brief message: who you are, that you received their details from [partner], why, and their rights.
- Document everything. Keep records of when you notified people and how. The Privacy Commissioner's guidance makes clear that good record-keeping demonstrates "reasonable steps."
Before IPP 3A vs After IPP 3A: Common Marketing Activities
| Marketing Activity | Before IPP 3A | After IPP 3A (from 1 May 2026) |
|---|---|---|
| Google Ads remarketing (your own website visitors) | Privacy policy on site needed | No change — still direct collection |
| Customer Match with your own email list | Privacy policy covers it | No change — still direct collection |
| Customer Match with purchased/third-party list | No notification required | Must notify every individual on the list |
| Purchased email lists for cold outreach | No notification required | Must notify recipients where you got their data |
| Referral leads from partner businesses | No notification required | Must notify the referred individual |
| Data enrichment (adding info from third-party tools) | No notification required | Must notify individuals about enriched data |
| Website form submissions | Already covered by IPP 3 | No change — still direct collection |
| Trade show signups (person gives you their card) | Already covered by IPP 3 | No change — still direct collection |
| Inheriting a customer database from business acquisition | No notification required | Must notify inherited contacts |
| Offline conversion uploads (from your own CRM) | No notification typically needed | No change if data was collected directly |
| Facebook/LinkedIn lead ads (person submits their info) | Already covered by IPP 3 | No change — person submitted directly |
The pattern is clear: if the person gave you their information themselves, nothing changes. If you got it from somewhere else, you now have a notification obligation.
The IPP 3A Compliance Checklist for NZ Businesses
Here's a practical checklist you can work through before 1 May 2026. Print it out, hand it to your marketing team, and tick the boxes.
1. Audit Your Data Sources
- List every source of personal information your business uses
- Mark each source as "direct" (person gave it to you) or "indirect" (you got it elsewhere)
- For indirect sources, document what information you collect and from whom
2. Review Your Marketing Tools
- Check if you use Customer Match in Google Ads — where do those lists come from?
- Check your email marketing platform — are any contacts from purchased or third-party lists?
- Check if you use data enrichment tools (Clearbit, ZoomInfo, or similar)
- Check your CRM for contacts that came from partners, referrals, or acquisitions
3. Update Your Privacy Policy
- Add a section explaining how you handle indirectly collected information
- Specify what types of third-party sources you use
- Include clear information about people's rights to access and correct their data
4. Build Notification Processes
- Create a standard notification template for referral leads
- Create a process for notifying individuals when data is received from partners
- Set up a timeline — notifications should go out "as soon as reasonably practicable"
- Document your notification processes (so you can demonstrate "reasonable steps")
5. Update Partner Agreements
- Review all data-sharing agreements with partners and vendors
- Add IPP 3A compliance clauses
- Agree on who notifies individuals (the referring party, you, or both)
- Ensure partners are aware of their own IPP 3A obligations
6. Clean Up Legacy Practices
- Stop purchasing email lists (or build a notification process if you must continue)
- Remove any contacts from your active marketing lists where you can't identify the source
- Review any inherited databases from past acquisitions
Key Exceptions You Should Know About
IPP 3A has several exceptions where notification is not required. The main ones relevant to marketing:
Already aware. If the individual already knows you have their information (for example, the referring partner told them they'd be sharing their details with you), you don't need to notify them again. This is the most practical exception for referral-based businesses.
No prejudice or detriment. This applies if you reasonably believe the individual won't be harmed by your not notifying them. The Privacy Commissioner applies a "no surprises" test here: if the person would be surprised to learn you have their data, this exception probably doesn't apply.
Not reasonably practicable. This applies if notification would be genuinely impractical, not just inconvenient or expensive. The Privacy Commissioner has been explicit that cost alone is not enough; the cost would need to be disproportionate to the benefits of notification.
Collected before 1 May 2026. IPP 3A only applies to information collected on or after the commencement date. Your existing databases are not affected retrospectively.
Our strong advice: don't lean on exceptions as your primary strategy. Build compliant processes and use exceptions only where they genuinely apply.
What Growin Is Doing About IPP 3A
We publish real campaign performance data on this website because we believe transparency builds trust. IPP 3A reinforces that principle at a legal level.
Here's specifically what we're doing for our clients:
- Auditing all data flows in every client's Google Ads setup to identify any indirect collection
- Ensuring Customer Match lists are built exclusively from first-party, directly collected data
- Updating conversion tracking to document data sources and collection methods
- Reviewing partner and referral arrangements to ensure IPP 3A-compliant notification processes are in place
- Providing plain-English guidance (like this article) so our clients understand what's changing and why
We don't use purchased lists. We don't do cold email outreach with third-party data. We build campaigns around first-party data and direct search intent — which means IPP 3A doesn't require major changes to how we operate. It validates our approach.
Frequently Asked Questions
Does IPP 3A mean I need consent to collect data indirectly?
No. IPP 3A is a notification requirement, not a consent requirement. You don't need permission to collect someone's data indirectly — you just need to tell them that you did. However, other laws (like the Unsolicited Electronic Messages Act 2007 for email marketing) may still require consent for certain activities.
When exactly does IPP 3A come into force?
1 May 2026. It was originally scheduled for 1 June 2025, but Parliament extended the date to give businesses more time to prepare. It applies only to personal information collected on or after that date.
Does IPP 3A apply to my existing customer database?
No. It only applies to information collected indirectly on or after 1 May 2026. Your existing data is not affected retrospectively. However, if you collect new information about existing contacts from a third-party source after 1 May 2026, that new collection triggers IPP 3A.
What counts as "reasonable steps" for notification?
The Privacy Commissioner says it depends on the sensitivity of the information, the risk to the individual, and the practicality (including cost). For most marketing contexts, sending an email or letter explaining who you are, where you got their data, and why is considered reasonable. The key is documenting what you did.
What happens if I don't comply with IPP 3A?
The Privacy Commissioner can investigate complaints, issue compliance notices, and refer matters to the Human Rights Review Tribunal, which can impose fines of up to $10,000. More significantly, the Commissioner can publicly name non-compliant organisations. For most businesses, the reputational damage of being named is the bigger concern.
Can I still use Google Ads remarketing?
Yes. Standard remarketing uses data collected directly through your website (via cookies and tracking pixels). This is direct collection under IPP 3, not indirect collection under IPP 3A. Just make sure your privacy policy clearly explains your use of remarketing.
Can I still upload Customer Match lists to Google Ads?
Yes, as long as the email addresses were collected directly from the individuals. If your list came from website signups, purchases, or direct enquiries, you're fine. If any portion of the list came from third-party sources, you need to either notify those individuals or remove them from the upload.
Does IPP 3A affect Facebook and LinkedIn advertising?
The same principle applies. If you upload audience lists built from directly collected data, no IPP 3A issue. If you upload lists containing third-party data, you have notification obligations. The platform doesn't matter — it's the source of the data that determines your obligations.
My business receives referrals from partners. What do I need to do?
Notify the referred person as soon as practicable. A simple email or call explaining who you are, that [partner name] shared their details with you, why, and their rights. Even better: get your referral partner to tell the person their details will be shared before they send them to you — this can satisfy the "already aware" exception.
Is this similar to GDPR?
It moves in the same direction but is much lighter. GDPR (Europe's privacy regulation) requires explicit consent for most data processing and has fines up to 20 million euros. IPP 3A is a notification requirement with much smaller penalties. Think of it as New Zealand moving toward international privacy standards, but at a pace and scale appropriate for our market.
Get Ready Before May
IPP 3A isn't something to panic about. For businesses that already collect data ethically and use first-party information for their marketing, very little changes. It's a notification requirement, not a data collection ban.
But if your marketing relies on purchased lists, undisclosed data sharing, or third-party data you've never told anyone about — now is the time to fix that. You have until 1 May 2026.
The businesses that will come out ahead are the ones that use this as an opportunity to clean up their data practices, strengthen their first-party data collection, and build the kind of direct customer relationships that perform better anyway.
Not sure if your marketing is IPP 3A ready? Book a free compliance check with our team. We'll audit your data sources, flag any indirect collection in your campaigns, and give you a clear action plan before the deadline.


