On 1 May 2026, Information Privacy Principle 3A came into effect under New Zealand's Privacy Amendment Act 2023. It introduces a transparency obligation that most NZ small businesses are entirely unprepared for — not because the law is particularly complex, but because it targets a category of data collection that has gone from rare to routine in the last two years.

IPP 3A applies when a business collects personal information about someone from a source other than that individual. Thirty years ago, that described credit bureaus and direct marketers. Today, it describes almost any business that has installed an AI tool in the last eighteen months.

Most NZ small businesses haven't noticed. That is the problem.

What IPP 3A actually requires

The core obligation is straightforward. When you collect personal information about an individual from a source other than that individual — a third-party database, a connected tool, a recording of a call they had with your AI — you must take reasonable steps to ensure the individual is aware of:

There are statutory exceptions. Section 11 of the Privacy Act 2020 provides a service provider carve-out. Notice may be withheld where giving it would prejudice the purpose of collection. Previous notification can be relied upon where it was adequate and the individual has already been informed.

Most NZ SMBs cannot safely rely on any of these exceptions without first getting qualified legal advice. The exceptions are narrower than they look on paper, and the Privacy Commissioner has signalled that SMB ignorance of the principle is not a mitigating factor.

What indirect collection looks like in practice

Here are five scenarios that any NZ small business operating in 2026 might recognise:

A voice AI receptionist answers a call and captures the caller's name, number, and reason for calling. The platform generates a transcript and a call summary, and may store a recording. The caller spoke to an AI — not a person — and may not have known the conversation was being transcribed and analysed.

A CRM that auto-enriches contact records takes a name and phone number and looks up their LinkedIn profile, Companies Office listing, or a third-party data provider. The contact record is now richer than what the person originally gave you.

A lead-gen tool that scrapes business directories builds a prospect list from public sources — LinkedIn, Google Maps, trade directories. The individuals on that list never contacted you, and in many cases do not know you have their details.

Call recording with AI analysis produces transcripts, sentiment summaries, topic tags, and action items. The recording was made by you, but the downstream analysis creates a structured dataset that goes well beyond simple audio retention.

Booking platforms that pull from connected tools can assemble a composite record: calendar history, past jobs from an accounting system, notes from a previous visit. The customer called to book an appointment. They did not know you were building a multi-source profile.

In every case, the individual did not hand the information directly to you. In every case, IPP 3A applies. And in most cases, the business collecting that information thought of it as a feature, not a data collection event.

Why AI is the pressure point

Indirect data collection is not new. Before AI, it was the domain of credit bureaus, data brokers, and large enterprises with dedicated privacy teams. The friction involved — building custom integrations, maintaining data pipelines, hiring analysts — acted as informal compliance. Most small businesses never went near it.

That friction is gone.

A sole trader can now install a voice AI, a CRM enrichment plugin, and a lead prospecting tool in an afternoon. Each one quietly collects personal information from sources other than the individual concerned. None of them prompt the business owner to think about IPP 3A.

Regulators have noticed. The Privacy Commissioner's guidance on AI and data collection is explicit that the principles apply regardless of whether the collection is automated or manual, direct or indirect. The scale at which AI tools operate makes the regulatory risk meaningful even for businesses that process relatively few records — because the same misconfiguration applies to every caller, every enriched contact, every scraped lead.

Practical steps for NZ small businesses

There is no single compliance checklist that covers every situation. But these five steps are a useful starting point for any NZ SMB that uses AI tools:

Audit which tools collect personal information about people who are not your direct contacts. This includes AI call handling, CRM enrichment, lead-gen, and any tool that pulls data from public or third-party sources. If a tool creates a record about a person who did not give you their information directly, it is almost certainly subject to IPP 3A.

Update your website privacy notice. Your privacy notice needs to describe indirect collection in plain language — what you collect, from where, and why. If it does not mention AI tools, CRM enrichment, or call recording, it probably needs updating.

For voice AI, add a disclosure to your call greeting. One conversational sentence is enough: "This call may be recorded and analysed by AI." Front-load it — callers cannot consent to something they were not told about, and the obligation to notify applies from the point of collection, not later.

For CRM enrichment, document your data sources. Know what you are pulling and from where, and make sure you disclose it to people when you first make contact with them. A one-line note in an introductory email is sufficient in most straightforward cases.

If you handle health, financial, or biometric information, talk to a NZ privacy lawyer. The threshold is materially higher for these categories, the exceptions are narrower, and the consequences of getting it wrong are significantly more serious.

How one platform approaches this by design

dareena.ai surfaces this as a configuration decision rather than an afterthought. Under a Caller Disclosure section in the agent settings, there are two independent toggles — both off by default:

When either toggle is enabled, the relevant disclosure is prepended to the call greeting automatically — callers hear it before the conversation starts. No custom scripting required. The design reflects what a platform layer makes possible: compliance behaviour delivered to every tenant from a single point of control.

Worth noting: these two disclosures cover the most common IPP 3A obligations for a voice AI scenario, but depending on what the agent does — CRM enrichment, booking with a connected calendar, logging to a third-party system — additional disclosures may be warranted. The platform handles the call-level notice; the business owner is responsible for ensuring their broader privacy notice reflects everything the system collects.

It is one model, not the only one. But it illustrates a broader point: tools that treat privacy compliance as a platform responsibility — rather than a user responsibility — make the right behaviour the easy behaviour.

The compliance problem is actually a noticing problem

IPP 3A is not a hard law to comply with. The obligation is to take reasonable steps to notify. For most NZ small businesses, a clear privacy notice and a one-sentence call disclosure are a reasonable start; neither requires a lawyer to draft.

What makes it hard is noticing it in the first place. Indirect collection is invisible by design. It happens automatically, at the platform layer, as a feature. The CRM enriches contacts in the background. The AI logs the transcript without asking. The lead-gen tool delivers a spreadsheet.

Businesses that start treating this as a configuration decision now — something to review, enable deliberately, and disclose clearly — will save themselves a significant amount of grief later. The Privacy Commissioner has enforcement tools, and "we didn't realise the tool was collecting that" is not a defence that tends to hold up.

This article is general commentary, not legal advice. For decisions about your specific business, talk to a qualified NZ privacy lawyer.
