Episode 1: Quick Overview
Welcome to episode one of our Consumer Data Right quick-fire updates! A five-part daily podcast of short one-to-two-minute updates with everything you need to know about the CDR (and without all the filler). We've had some fun using AI to produce these videos, including our brand-new life-like avatars!
New Zealand’s CDR goes live on the 1st of December, when the Customer and Product Data Act 2025 comes into force along with most of the provisions of the four sets of regulations which dropped last month. The CDR gives customers the power to securely share data about them held by organisations, and to require those organisations to take certain actions on their behalf. The banking sector is up first, with electricity, insurance, and telecommunications expected to follow after that.
The CDR regime is sector-neutral by design. Certain sectors, and organisations within those sectors, will then be designated in-scope of the CDR from time to time. Once an organisation is in-scope, customers have the right to request that the organisation provide information and perform actions mandated under the CDR. That will look different for every sector. The CDR supports customers making these requests directly or asking accredited third parties to make the requests for them, although for the banking sector initially, only requests via accredited third parties are designated. We'll look at the accreditation requirements in more detail in tomorrow's podcast.
The CDR works alongside the Privacy Act and thought has been given to this in the CDR's design. A CDR request for information is not a personal information access request under the Privacy Act, but certain CDR failures (such as inadequate security) can constitute privacy breaches, triggering remedies under the Privacy Act.
The CDR is administered by MBIE and enforced by MBIE and the Office of the Privacy Commissioner. Penalties for breach scale with risk, with only some defences available: infringement notices and minor offences can incur fines up to $20,000; but serious breaches for companies can result in fines of up to $2.5 million; and for egregious conduct (like knowingly misleading to obtain CDR data), criminal penalties of up to five years’ imprisonment or $1 million for individuals, and up to $5 million for companies.
There's lots of opportunity for organisations to become accredited and develop value-added services for customers which leverage data not traditionally readily accessible.
Now is the time to review governance frameworks, assess readiness, understand the CDR requirements, and identify strategic opportunities as the CDR expands. We'll discuss this in more detail in the coming episodes.
Next time, we'll cover who must share data, who can request it, accreditation and how to get there with confidence. See you tomorrow.