Thirteen information privacy principles; the notifiable-privacy-breach scheme administered by the Privacy Commissioner.
Privacy Act 2020 and consent: a framework for transactional and commercial delivery to New Zealand consumers
The Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu) administers the Privacy Act 2020 and its information privacy principles, while the Department of Internal Affairs enforces the Unsolicited Electronic Messages Act 2007 for commercial messaging. 4notify records the lawful basis and the consent state at the API edge for every delivery.
Section 1 — Pursuant to the Privacy Act 2020 and the Unsolicited Electronic Messages Act 2007, this Pānui is issued concerning consent management for electronic delivery.
Requires consent (express or inferred), accurate sender information and a functional unsubscribe for commercial electronic messages.
Notify the Privacy Commissioner and affected individuals as soon as practicable where a breach is likely to cause serious harm.
Lawful basis recorded per delivery
Each envelope carries a lawful-basis tag (consent, contract, legal obligation, legitimate interest); the basis is fixed in the template record.
Consent state verified
Commercial messages have their consent state (express / inferred) checked at the envelope; deliveries without a valid basis are blocked at the API edge.
Correction and deletion within the principles
Privacy Act access, correction and deletion requests propagate through 4notify within 24 hours; the suppression list updates across all three networks and the email gateway.
Breach-notification webhook
Any envelope-level incident raises a webhook to the controller's privacy officer within one hour, supporting the notifiable-breach scheme.
```json
{
  "event": "delivery.consent_envelope",
  "controller_id": "NZ-CTRL-12345",
  "lawful_basis": "express_consent",
  "uem_consent": {
    "consent_id": "UEM-2026-001234",
    "consent_date": "2025-09-14",
    "unsubscribe_present": true
  },
  "delivery": { "channel": "email", "template": "promo_v2" },
  "suppression_check": "passed"
}
```

Kia ora,

Your marketing consent has been withdrawn as of today. You will no longer receive marketing emails, but transactional notices (order confirmations, delivery alerts) will continue. For your other rights under the Privacy Act 2020, contact: [email protected]
- Privacy officer (or contact person) configured for the controller
- Lawful basis recorded for every commercial delivery
- Consent state stored and re-checked at the envelope
- One-hour breach-notification webhook reachable
4notify is the only A2P provider that stores the Unsolicited Electronic Messages Act consent state and Privacy Act 2020 lawful basis in every envelope, propagates suppression across all three networks in under 24 hours and raises a one-hour breach-notification webhook on every incident.
Does consent apply to SMS as well as email?
Yes — the Unsolicited Electronic Messages Act covers all commercial electronic messages: SMS, email and instant messaging. Each requires consent and a working unsubscribe.
What happens if a controller has no recorded consent?
4notify blocks commercial delivery at the API edge until a valid lawful basis is supplied; transactional delivery (on a contract basis) stays available.
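The edge check described on this page, sketched as an added example over an envelope shaped like the sample above; it is not 4notify's own code. The `gate` function, its `commercial` flag (taken to come from the template record), the reason strings and every lawful-basis spelling other than `express_consent` are assumptions.

```python
import json

# "express_consent" is the value in the page's sample envelope; the other
# spellings are assumed from the page's list of lawful bases.
CONSENT_BASES = {"express_consent", "inferred_consent"}
OTHER_BASES = {"contract", "legal_obligation", "legitimate_interest"}

def gate(envelope: dict, commercial: bool) -> tuple[bool, str]:
    """Return (allowed, reason) for one delivery envelope; fail closed."""
    basis = envelope.get("lawful_basis")
    if basis not in CONSENT_BASES | OTHER_BASES:
        return False, "missing_or_unknown_lawful_basis"
    if not commercial:
        # Transactional delivery stays available on a non-consent basis.
        return True, "transactional"
    if basis not in CONSENT_BASES:
        return False, "commercial_requires_consent"
    consent = envelope.get("uem_consent")
    if not isinstance(consent, dict) or not consent.get("consent_id"):
        return False, "no_consent_record"
    # Strict boolean test: the string "true" or a missing key both fail.
    if consent.get("unsubscribe_present") is not True:
        return False, "unsubscribe_missing"
    # Assumption: the suppression list gates commercial sends only.
    if envelope.get("suppression_check") != "passed":
        return False, "suppression_check_not_passed"
    return True, "commercial_consented"

# Constructed input: a copy of the sample envelope shown on the page.
SAMPLE = json.loads("""{
  "event": "delivery.consent_envelope",
  "controller_id": "NZ-CTRL-12345",
  "lawful_basis": "express_consent",
  "uem_consent": {"consent_id": "UEM-2026-001234",
                  "consent_date": "2025-09-14",
                  "unsubscribe_present": true},
  "delivery": {"channel": "email", "template": "promo_v2"},
  "suppression_check": "passed"
}""")

if __name__ == "__main__":
    print(gate(SAMPLE, commercial=True))
    # Same envelope relabelled with a contract basis: commercial is refused.
    print(gate({**SAMPLE, "lawful_basis": "contract"}, commercial=True))
    print(gate({**SAMPLE, "lawful_basis": "contract"}, commercial=False))
```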