Preparing for IPP 3A: new requirements effective 1 May 2026

After a lengthy legislative process, the Privacy Amendment Act 2025 has now received royal assent, introducing the much-anticipated Information Privacy Principle 3A (IPP 3A). IPP 3A, which comes into force on 1 May 2026, marks a significant step in New Zealand’s privacy law, introducing new obligations in relation to the indirect collection of personal information.

This article outlines the key steps agencies should take before 1 May 2026 to review and update their practices, policies and agreements to comply with the new requirements under IPP 3A. For further detail see our previous article here:

OPC and cross-party support

The Privacy Amendment Bill attracted broad cross-party support at its third reading, with members emphasising the need for ongoing vigilance as privacy expectations and technology evolve.

Privacy Commissioner Michael Webster also welcomed the change as an important step that aligns New Zealand’s privacy laws with overseas jurisdictions, noting:

“The passing of the Privacy Amendment Act helps support that transparency for New Zealanders. This reform helps keep our privacy law in line with other countries like Australia, the UK and Europe.”

The final version of the Bill did not include substantive changes other than updating the effective date for IPP 3A to 1 May 2026.

OPC Guidance

The Office of the Privacy Commissioner (OPC) released ‘Draft Guidance on IPP 3A’ earlier this year, which closed for public consultation in June. While still in draft, the guidance offers useful insight into the OPC's expectations as agencies start to operationalise IPP 3A requirements. The OPC has indicated that it received substantial feedback on the Draft Guidance through the consultation process, which will be reflected in the final version to be published later this year.

Key Steps to prepare for IPP3A

For any New Zealand businesses handling personal data, particularly those which regularly rely on information gathered via third parties, it will be important to review current data collection practices and procedures for compliance with IPP 3A. For many businesses this can be a surprisingly complex exercise in practice and there is relatively limited time ahead of the intended commencement date.

Among other things, in anticipation of IPP 3A, we recommend considering:

Conducting a Privacy audit: Identify all sources from which you collect personal information indirectly and all third parties to whom you disclose personal information (e.g., marketing agencies, service providers, referral networks).
Updating Privacy Policies: Update privacy policies, privacy statements and any other relevant collection forms to reflect IPP 3A notification requirements, including express disclosure of indirect collection of personal information and specific notifications where appropriate.
Review relevant contracts: Determine how IPP 3A responsibilities will be allocated with third party data sources and recipients identified in the privacy audit. To assist with reliance on exceptions, update contracts to impose IPP 3A notification obligations on third party data sources where possible.
Exceptions: Identify the key exceptions under IPP3A relevant to your operations and adopt robust record-keeping practices when relying on them.
Internal training: Update and provide internal training on the new requirements.

How we can help

Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team has been monitoring the development of IPP3A closely. If you have any questions about IPP 3A or if you would like assistance preparing for the changes, please get in touch with the contacts listed or your usual Bell Gully adviser.

Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.