The Customer and Product Data Act (the Act) is now in force. The Act was introduced into Parliament as a Bill in May 2024 and received Royal Assent on 31 March 2025.
Background
The Act creates a “consumer data right” in New Zealand, allowing customers to consent for their data to be shared across businesses and to trusted third parties. The Act provides the baseline framework for how this regime works, with the detailed approach being subject to sector-specific regulations which are now being drafted. You can read our previous article on the overall framework of the Act here.
What’s new?
The Act as passed into law has incorporated several changes from the second reading, with main changes including:
- ‘Customers’ under the Act now includes people who have previously acquired goods or services from a data holder, to protect historical data.
- ‘Designated customer data’ and ‘designated product data’ now includes all data specified in the regulations regardless of whether the data existed before or after the regulations come into force.
- Data holders are now required to verify the identity of a customer before providing that customer with their data, or taking an action on their behalf. This is to make the obligations consistent with those required when an accredited requester takes those same actions on behalf of the customer.
- The Chief Executive has expanded powers to provide technical infrastructure for secure, standardised and efficient data services. This includes designing systems for accredited requestors to test their processes before connecting to data holders.
- It is now possible for organisations to opt-in to being designated as a data holder, provided the organisation complies with the regulations.
- Data can now be designated as customer data under the regulations even if it includes the personal information of another person. The example provided for in the Act includes transaction data of a customer that may be designated under the Act, despite the customer’s payee information potentially containing personal information.
You can read the Act in full here.
Banking to be the first industry
The Hon. Scott Simpson announced this morning that banking will be the first industry to be designated under the Act. You can read the announcement here. As we have discussed previously, the banking sector was long suggested to be the first industry designated, following the examples set by Australia and the United Kingdom.
The Ministry for Business Innovation and Employment (MBIE) is currently drafting regulations for the banking sector. New Zealand’s four major banks (ANZ, ASB, BNZ, and Westpac) will be required to comply with the regulations by 1 December 2025, with Kiwibank to follow in June 2026. Other banks and deposit takers may opt in by giving notice to MBIE.
Designated customer data for banks will include name, the type of customer (an individual, trustee or company), contact details, and account information such as balances and transactions. Only accredited requestors will be able to request customer data and payments initiation from banks, on behalf of customers.
The designation will only apply for customers who have digital access to designated account types, such as via bank websites or mobile banking applications.
The regulations are currently being drafted, but the Minister has indicated that these will include requirements:
- restricting the fees banks can impose on data requestors;
- for banks to publish their pricing for regulated data services;
- prohibiting banks charging customers for requests made by accredited requestors;
- limiting the charges for accredited requestors to 5 cents per payment request;
- limiting the charges for customer data requests to 1 cent per successful API call, or a maximum of $5 per month per customer for near-real-time access to transaction records;
- preventing banks from imposing restrictive payment limits on data requestors; and
- for banks to provide information to an accredited requestor within five working days.
Next steps
Now the Act is in force, the countdown to the 1 December 2025 deadline for the major banks is underway. Once the regulations have been enacted (sometime prior to 1 December), MBIE will begin accepting applications for accredited data requestors.
Based on comments from the Minister, we expect that the electricity sector will be the next sector to be designated under the Act. We recommend organisations potentially captured by any future regulation (particularly major electricity retailers) carefully follow the roll out of the banking designation to understand what this may mean for their businesses to assist future planning.
If your organisation would like assistance with understanding its obligations under the Act, please get in touch with one of our experts.
This article was co-authored by Thomas Anderson, a Solicitor in our Corporate team.
Key contacts
Speak with one of our experts.
