Data analytics and privacy: What SME retailers need to know
Retailers are harnessing data analytics to boost sales and customer experience, but with great power comes great responsibility. Vanessa Leite outlines how SME retailers can unlock the benefits of analytics tools while staying on the right side of New Zealand’s privacy laws.
Data analytics has become essential in today’s digital world. Nearly any business can now gain insights into its customers’ preferences by analysing the data generated through interactions across e-commerce websites, email campaigns, social media, and other channels.
These insights help retailers understand which products resonate with different customer segments, what drives repeat purchases, and where customers may be dropping off in the buying journey. All this allows for smarter decisions around operations, including stock levels, merchandising, pricing, and targeted promotions, ultimately leading to higher conversion rates, better customer retention, and increased sales.
However, while leveraging technology to collect and analyse customer data can create significant value, it also brings responsibilities and introduces important privacy and security considerations.
Retailers operating in New Zealand must comply with the Privacy Act 2020, which sets out specific requirements for how personal information is collected, used, and protected. Similarly, businesses operating in Australia are subject to the Privacy Act 1988, which in some areas is even more restrictive than New Zealand’s law.
Many other countries and regions have similar regulations – such as the GDPR in Europe – and analytical data is often subject to these laws.
Ensuring compliance is therefore essential – not only to meet legal obligations but also to build and maintain customer trust. This article provides a summary of what SMEs should consider when leveraging analytics technology while remaining compliant with New Zealand’s privacy law.
But first, let’s look at the common tools retailers, including SME retailers, may use to make the most of their data and improve the customer experience. Then, we’ll talk about the privacy and security risks that can come with these tools.
The tools retailers are using
Retailers use different analytics tools depending on the channel and the type of data they want to analyse. Below are some examples of key tool categories and their typical uses:
- Website analytics – these are tools that track how visitors interact with an online store, helping identify popular products and customer drop-off points. Examples include Google Analytics and Hotjar.
- Email marketing analytics – these are tools that measure the success of email campaigns by tracking open rates, clicks, and conversions. Popular tools are Klaviyo and Mailchimp.
- Social media analytics – these are tools that analyse engagement and reach on platforms like Facebook and Instagram, helping retailers optimise their social presence.
- Sales and customer analytics – these are tools that focus on purchase behaviour, customer segmentation, and lifetime value, often integrating with POS or CRM systems. Shopify Analytics and Salesforce are common examples.
- Operational analytics – these are tools that monitor internal processes such as inventory and order fulfilment to improve efficiency. Tools like Lightspeed and Power BI are frequently used here.
Each category provides insights that, when combined, enable retailers to make smarter decisions, improve customer experience, and drive sales growth.
The hidden risks of these tools
Different analytics tools collect various types of sensitive data based on their purpose. It’s important for retailers to be aware of this.
- Website analytics track details like IP addresses, device information, and user behaviour on the site. Some tools can even record user sessions. If not set up correctly, they might collect personal information entered in forms, such as names, email addresses, or payment details.
- Email marketing tools collect email addresses and track how people interact with emails – like when they open them or click on links.
- Social media analytics gather basic demographic data, such as age and location, as well as engagement information like likes, comments, and shares.
- Sales and customer analytics access personal data stored in customer databases, including contact details, purchase history, and payment information.
- Operational analytics help with business tasks like managing inventory and orders, but may also include employee information, such as work hours and performance.
Some of this data can be considered sensitive – especially when combined or aggregated – because it can identify individuals directly. That’s when New Zealand’s Privacy Act comes into play.
What the NZ Privacy Act 2020 requires
The Privacy Act 2020 includes 13 Privacy Principles that set rules around how personal information must be collected, used, stored, and shared. Retailers who collect identifiable customer information need to understand these rules.
While all Principles matter, the ones below are particularly important for retailers using analytics tools. Here’s a summary with practical insights:
- Principle 1 – Purpose of collection of personal information
Only collect personal information for a specific and lawful purpose directly related to your business.
Considerations for SMEs: Be clear about why you’re collecting data – for example, to personalise product recommendations or improve email campaigns. Avoid collecting data “just in case” you might need it later.
- Principle 3 – Collection of information from subject
Be transparent about what information you collect, how it’s used, and who it’s shared with.
Considerations for SMEs: Publish a clear and simple privacy policy on your website. For example: “We collect your email address to send personalised promotions. Your data may be processed by Mailchimp (USA).”
- Principle 4 – Manner of collection
Collect personal data fairly, lawfully, and without being misleading or too intrusive.
Considerations for SMEs: Use cookie banners and opt-in forms that explain what data you track and why. For example: “We use Google Analytics to understand how our website is used – no personal data is collected without your consent.”
- Principle 5 – Storage and security of information
Protect personal information from loss, misuse, or unauthorised access.
Considerations for SMEs: Choose vendors with good security practices, such as ISO 27001 certification and other proof that they follow security best practices, including local regulations. Use password protection and two-factor authentication for accessing the tools.
- Principle 6 – Access to personal information
Customers have the right to access the personal data you hold about them, and you must respond within 20 working days.
Considerations for SMEs: Set up a clear process for handling access requests. Know how to retrieve customer profiles from your tools and how to ask your vendors for data if needed.
- Principle 9 – Accuracy of personal information
Make sure personal information is accurate, up to date, and complete before you use it.
Considerations for SMEs: Regularly clean your customer lists to remove duplicates or outdated info. Encourage customers to update their details through accounts or loyalty programmes.
- Principle 10 – Limits on use of personal information
Use personal data only for the purpose it was originally collected for.
Considerations for SMEs: If a customer signed up for order updates, don’t add them to marketing lists unless they have explicitly agreed. Use segmented lists in tools like Mailchimp or Klaviyo to manage consent.
- Principle 12 – Disclosure outside New Zealand
If you send data overseas (for example, through cloud analytics tools), make sure those providers meet New Zealand’s privacy standards.
Considerations for SMEs: Choose reputable vendors who store data in countries with strong privacy laws and have standard contracts or terms and conditions. Make sure your vendor follows the NZ Privacy Act or GDPR and offers a Data Processing Agreement (DPA).
Disclaimer: The summary above is intended as a simple overview of the requirements under the Privacy Act 2020 and is not a substitute for legal advice or the official policy text. For full legal wording, please refer to the Privacy Act 2020 and supporting guidance available on the New Zealand Privacy Commissioner’s website or the Official NZ Legislation website.
How SME retailers can stay compliant – and build trust
SME retailers don’t always have legal or IT teams, but they can – and must – still meet privacy obligations and earn customer trust by taking a few practical steps. Here’s how:
- Do a simple data audit (with help from your tools): Use your existing platforms (like Shopify, Mailchimp, or Klaviyo) to check what customer data is being collected and stored. Most tools offer dashboards or reports that show this.
Tip: Ask your vendor for a “data processing summary” or check their support centre for documentation.
- Use built-in privacy settings in your tools: Most analytics tools have privacy options you can enable – like anonymising IP addresses in Google Analytics or excluding form fields from Hotjar recordings.
Tip: Search “[tool name] privacy settings” in their help guides or contact support for help configuring your setup.
- Update your privacy policy and cookie banner: Make sure your website explains clearly what data you collect, why, and whether any third-party tools are involved. You can use free templates as a starting point.
Tip: Platforms like Shopify, Wix, and Squarespace often include privacy policy templates or generators.
- Choose vendors that support compliance: Pick analytics or marketing tools that have clear privacy policies, good data security practices, and offer data processing agreements.
Tip: Look for tools that are GDPR-compliant or have ISO certifications – these usually align with NZ’s privacy standards.
- Train your staff in the basics: You don’t need a full training programme. A short session or checklist can help staff understand key do’s and don’ts – like avoiding exporting customer data to personal devices and how to respond to customer data requests.
Tip: The NZ Privacy Commissioner provides free resources you can adapt for quick staff onboarding.
By taking these steps, SME retailers can more confidently navigate privacy requirements while making the most of these tools and capabilities. Prioritising data protection not only helps avoid legal issues but also builds stronger customer relationships by showing respect for personal information. In today’s digital world, earning trust through responsible data use is essential for long-term business success. Below is a checklist to help you get started and make sure everything is well in hand.
Privacy and data analytics checklist
- Audit your data
Review the types of customer data your systems collect and store.
Tip: Ask your vendors for a summary of their data processing practices or check their support resources.
- Enable privacy settings
Activate privacy features available in your systems, such as data anonymisation or excluding sensitive information.
Tip: Search for privacy settings guides or contact vendor support for assistance.
- Update your privacy policy and cookie banner
Clearly explain what data you collect, why you collect it, and who you share it with. Free templates can help if you need them.
Tip: Use privacy policy generators from platforms like Shopify, Wix, or Squarespace.
- Choose compliant vendors
Work with vendors that have clear privacy policies, strong security measures, and data processing agreements.
Tip: Look for vendors that comply with GDPR or hold certifications like ISO 27001.
- Train your staff
Give your team basic training or checklists on how to handle customer data safely and respond to data access requests.
Tip: Use free training materials from the New Zealand Privacy Commissioner.