How to prepare your business with new consumer data rules

The New Zealand Government enacted the Customer and Product Data Act 2025, establishing a Consumer Data Right (CDR) framework in New Zealand.

CDR means consumers can now request that their personal data, as well as product data, is securely shared with trusted third parties. With greater control over their data, consumers can more easily make decisions about how and where they spend, save and invest.

The Customer and Product Data Act creates a common legal framework, and then the Government applies it sector by sector through separate designation regulations and sector standards. Banking is the first sector to be formally designated, and the relevant banking standards came into force on 1 December 2025. Electricity is the next sector, but not yet live. Regulations and standards are to be developed in 2026, with the regime expected to start about a year later, from mid-2027. Telecommunications and Insurance have been discussed as possible future sectors.

Given this, it’s timely to consider how businesses can prepare for ongoing implementation and scaling of CDR, and the implications for their operating models.

Organisations impacted by CDR will have to make a wide range of changes. With implementation now underway, businesses should be actively progressing or accelerating their CDR readiness and delivery programmes.

CDR implementation in New Zealand

New Zealand is implementing CDR on a sector-by-sector basis, with banking designated as the first sector. This marks the beginning of open banking in New Zealand, with the largest banks required to comply first, followed by a phased rollout to other institutions.

As at 2026, open banking implementation is in its early stages, with major banks progressing delivery of required APIs, customer consent frameworks and operational processes.

Obligations for large banks commenced from December 2025, with additional milestones continuing through 2026 as further capabilities (including payments initiation and expanded data sharing) are rolled out.

How can your business get prepared?

CDR will change the way businesses function and consumers behave.

For impacted businesses, there are likely to be significant compliance costs associated with meeting regulatory obligations, including API enablement, consent management, accreditation requirements and enhanced data security controls.

However, there are benefits for businesses too. The Government anticipates that CDR will encourage innovation and help facilitate competition, particularly within the financial services sector, with open banking expected to accelerate innovation across payments, lending and personal financial management.

Organisations should be considering how CDR impacts their strategy, operating model, and customer engagement approach — not just from a compliance perspective, but as an opportunity to create new value propositions.

CDR will make it easy to move providers. Is your customer experience and value proposition strong enough?

CDR will make it easier for customers to switch from one provider to another, particularly in banking as open banking capabilities are rolled out.

For example, in financial services, CDR will further facilitate open banking, enabling FinTech companies to develop innovative, cost-effective products and services, and enabling new use cases such as account aggregation and payment initiation.

As capabilities become available in-market, competitive pressure is expected to increase, particularly in customer acquisition, onboarding and pricing transparency.

This increased competition means organisations will need to focus on delivering seamless, high-quality customer experiences and clearly differentiated value propositions to retain customers.

Is your current technology customer-centred?

Systems will be required to package up and send data to third parties but also receive new client information, typically via standardised APIs aligned with industry and regulatory standards.

Consumer data should be exchanged in a standard format defined by regulatory and industry standards, so that it is accessible for any business that receives it.

This will require organisations to modernise their technology architecture and ensure interoperability across systems, while maintaining performance, reliability and security. 

For many organisations, this includes aligning with Payments NZ API Centre standards and integrating with evolving ecosystem requirements.

Legacy platforms will not be as mature as newer versions when it comes to managing risk and data protection, and may struggle to meet CDR technical and security requirements without significant uplift.

Businesses relying on legacy infrastructure may need to prioritise transformation initiatives to ensure compliance and remain competitive in a more open data ecosystem.

In practice, this is driving increased investment in API layers, middleware and data abstraction to enable participation without full core system replacement

With more data flowing between organisations, are your security and privacy measures fit for purpose?

Companies must ensure there are controls in place to protect any personal information and how that data is used, in line with CDR-specific privacy, consent and security requirements.

Customer consent is an important factor, with strict requirements for express, informed and revocable consent under the CDR framework.

Data will only be shared when the customer has provided express and informed consent, and organisations must be able to evidence and manage that consent throughout the data lifecycle.

As data sharing increases, organisations will need to ensure robust governance frameworks are in place to manage risk, maintain trust and meet regulatory expectations.

Regulators are expected to take an increasingly active role in monitoring compliance as implementation progresses.

CDR is now transitioning from implementation to early-stage operation in New Zealand.

With banking now live as the first designated sector, open banking is beginning to reshape New Zealand’s financial services landscape.

Businesses that act early — investing in technology, governance and customer-centric design — will be best positioned to capture the opportunities presented by CDR, while those that delay risk falling behind in an increasingly open and competitive market.

As the ecosystem matures through 2026 and beyond, organisations that move beyond compliance and focus on innovation will be best placed to realise the full value of CDR.

How PwC can help

We’re confident that with our experienced team and our global perspective from countries where CDR has already been implemented, we will be able to support you in your preparations for CDR. 

In particular, we can support you with a CDR ‘course setter’; a diagnostic tool to review your readiness for CDR, help you scope and prioritise CDR-required activities. Our ‘course setter’ brings together our specialists from legal, cyber, data, equity, customer experience, technology and compliance to ensure that you are well-positioned to respond to this transformational change.