Australia & NZ (APA-NZPA)

Region-specific consent for AU & NZ privacy laws.

Australia & New Zealand Privacy Laws (APA-NZPA)

What are the privacy laws in Australia and New Zealand?

Australia and New Zealand do not use the same consent framework as GDPR or the US state opt-out laws, but both countries have established privacy rules that affect how Shopify merchants collect, use, disclose, and secure personal information.

In Australia, the main law is the Privacy Act 1988, which is built around the Australian Privacy Principles (APPs). The OAIC explains that the APPs are the core privacy framework under the Act and apply to covered organisations and agencies.

In New Zealand, the main law is the Privacy Act 2020, which is built around 13 privacy principles governing how organisations collect, store, use, and share personal information. The Office of the Privacy Commissioner states that these principles apply broadly to organisations and businesses.

For Shopify merchants, these laws become relevant when a store:

  • sells to customers in Australia or New Zealand
  • collects customer details such as names, emails, addresses, or phone numbers
  • uses cookies, analytics tools, pixels, or third-party apps
  • transfers customer data to external service providers or overseas platforms

In practice, these laws focus less on a single “cookie law” model and more on transparent data handling, fair collection, responsible disclosure, security, and user rights. (OAIC)

Key privacy principles relevant to Shopify merchants

For ecommerce businesses, the most relevant requirements are the ones that deal with transparency, collection, use, disclosure, security, and access to personal information.

Australia: key APPs for Shopify merchants

The OAIC’s APP materials make these principles especially relevant for merchants:

  • APP 1 – Open and transparent management of personal information
    Businesses must manage personal information in an open and transparent way, including having a clearly expressed and up-to-date privacy policy.
  • APP 3 – Collection of solicited personal information
    Personal information should only be collected where permitted and where it is reasonably necessary for the business’s functions or activities.
  • APP 5 – Notification of the collection of personal information
    When collecting personal information, businesses must notify individuals about key matters such as the purpose of collection and related disclosures.
  • APP 6 – Use or disclosure of personal information
    Personal information must generally only be used or disclosed for the primary purpose for which it was collected, unless an exception applies.
  • APP 8 – Cross-border disclosure of personal information
    If a merchant discloses personal information to an overseas recipient, reasonable steps may be required to ensure the recipient does not breach the APPs, and the merchant can remain accountable in certain cases.
  • APP 11 – Security of personal information
    Businesses must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure.

New Zealand: key privacy principles for Shopify merchants

The New Zealand Privacy Commissioner’s guidance makes these principles especially important:

  • Principle 1 – Purpose of collection
    Personal information should only be collected for a lawful purpose connected with the organisation’s function or activity, and only where necessary.
  • Principle 3 – Collection from subject
    When collecting personal information, organisations must take reasonable steps to make sure the person knows why it is being collected, who will receive it, and other key details.
  • Principle 5 – Storage and security
    Organisations must have reasonable safeguards in place to prevent loss, misuse, or unauthorized disclosure of personal information. The Privacy Commissioner also states that serious privacy breaches must be notified as soon as possible, within 72 hours.
  • Principle 6 – Access to personal information
    Individuals have the right to request access to their own personal information.
  • Principle 7 – Correction of personal information
    Individuals have the right to request correction of their personal information. This is part of the Privacy Act 2020 framework described by the Commissioner.

For Shopify merchants, the practical takeaway is simple: these laws expect you to explain your data practices clearly, limit unnecessary collection, secure customer data, and respond properly to access or correction requests.

Risk of non-compliance

Non-compliance creates both legal and commercial risk. Even where enforcement does not look identical to GDPR, merchants can still face complaints, investigations, reputational damage, and operational problems if privacy practices are weak.

Potential risks include:

  • regulatory complaints or investigations
  • penalties or enforcement action under applicable privacy laws
  • customer distrust in markets where transparency matters
  • issues caused by poor disclosure of third-party tools, ad platforms, or cross-border data transfers
  • risk exposure when using international apps, analytics tools, or ad platforms without clearly documenting those disclosures

For Shopify stores, one of the most common gaps is using multiple apps, pixels, and marketing tools without fully explaining what data is being collected, who receives it, and how users can act on their rights. That is especially important under Australia’s transparency, disclosure, cross-border, and security principles, and New Zealand’s collection, notice, access, and safeguard requirements. (OAIC)

How Consentmo helps Shopify merchants

Consentmo helps merchants turn these privacy requirements into clear storefront controls and documentation. While Australia and New Zealand are not usually described with the same strict opt-in framing as GDPR, merchants still benefit from transparent consent experiences, clear disclosures, and better control over tracking technologies.

Consentmo supports compliance in several practical ways:

  • Transparent cookie banner and preferences UI
    Helps merchants explain tracking categories and data use in a clearer, more structured way, supporting transparency and notice requirements.
  • Consent-based control over tracking technologies
    Gives merchants better control over when analytics and marketing scripts load, helping reduce risk from unclear or overly broad tracking setups.
  • Privacy policy and disclosure support
    Makes it easier to align storefront disclosures with actual tracking and app usage.
  • Privacy request pages
    Supports workflows for customer privacy requests, including access and related rights handling.
  • Consent logging and records
    Helps merchants maintain records of user choices and banner interactions.
  • Geotargeting by region
    Allows merchants to apply different privacy experiences depending on where the visitor is located.

For Shopify merchants operating across multiple regions, this matters because Australia and New Zealand requirements often sit alongside GDPR, US state laws, and other country-specific expectations. A single privacy setup that is transparent, region-aware, and well documented is easier to maintain than handling each visitor flow manually.

Australia & New Zealand compliance for Shopify: what to keep in mind

The most important point is that merchants should not treat Australia and New Zealand as “no-banner” or “low-risk” regions just because their laws are structured differently from GDPR.

A safer operational approach is to make sure that:

  • your privacy policy is current and reflects the real tools installed on the store
  • you clearly disclose analytics, advertising, and third-party app usage
  • customer data is only collected where it is actually needed
  • access, correction, and related privacy requests can be handled properly
  • data security and vendor oversight are part of your ongoing process
  • overseas disclosures through apps, platforms, and integrations are considered carefully

As your store grows, privacy risk usually increases through added apps, added tracking, and more third-party data sharing, not just through your storefront text alone. Australia’s APP framework and New Zealand’s privacy principles both reinforce that privacy compliance is an ongoing operational responsibility, not just a policy page requirement. (OAIC)

Summary

Australia and New Zealand privacy laws require Shopify merchants to handle personal information transparently, securely, and responsibly.

In practical terms, merchants should:

  • clearly explain what personal data they collect
  • disclose why they collect it and who receives it
  • avoid collecting unnecessary data
  • protect customer information with reasonable safeguards
  • support user rights such as access and correction
  • review overseas disclosures through apps and service providers

Consentmo helps by giving Shopify merchants clearer consent flows, better tracking control, privacy request tools, and region-aware privacy experiences that support stronger compliance operations across Australia, New Zealand, and other regulated markets.

Handle All Compliance Laws At Once With Smart Geotargeting

Managing global privacy laws shouldn’t slow you down. Consentmo automatically detects your visitors’ location and applies the correct consent rules in real time — so your Shopify store stays compliant everywhere you sell.