Guidance, compliance and enforcement

Guidance, compliance and enforcement for the Consumer Data Right

The Consumer Data Right (CDR) introduces a new regulatory framework for secure, consent based data sharing in Aotearoa New Zealand. As Regulator, the Ministry of Business, Innovation and Employment (MBIE) is responsible for supporting participants to understand and meet their obligations, while also monitoring compliance and taking enforcement action where required.

This information provides a high level overview of MBIE’s approach to guidance, compliance and enforcement under the Customer and Product Data Act 2025 (the Act). It is intended to help participants understand how MBIE will engage with them, what they can expect from us, and where to find more detailed information.

This overview should be read alongside the Act, associated regulations and standards. In the event of any inconsistency, the legislation and regulations take precedence.

The full Consumer Data Right: Guidance, compliance and enforcement policy is available to download.

Who this information is for

This information is relevant to:

• Data holders under the CDR
• Accredited requestors and accreditation applicants
• Third parties supporting CDR participation
• Others with an interest in how MBIE carries out its regulatory role for the CDR

Different obligations apply depending on a participant’s role. Role specific guidance is available.

Data holders

Accredited requestors

Our approach as regulator

MBIE’s guidance, compliance and enforcement approach is designed to be clear, proportionate and transparent, while recognising that the CDR is a new and evolving regime.

• Supporting understanding and capability: We prioritise clear, accessible guidance and early engagement to help participants understand what the law requires and how to comply in practice.
• Encouraging voluntary compliance: Our first focus is on education, clarification and resolution, particularly as sectors onboard and capability matures.
• Taking proportionate action when needed: Where non compliance occurs, we respond in a way that reflects the risk, impact on consumers, and participant behaviour.
• Protecting consumers and trust: Our regulatory decisions are grounded in protecting consumer data rights, system integrity and confidence in the CDR.
• Remaining neutral and impartial: MBIE does not advocate for individual participants or comment on commercial arrangements, business models, or matters outside CDR obligations.

This approach is consistent with broader Government expectations for good regulatory practice and MBIE’s role as an independent regulator.

How compliance and enforcement works

MBIE applies a graduated compliance and enforcement model that aligns regulatory responses to participant behaviour and risk, using the voluntary, assisted, directed, enforced (VADE) approach set out in the policy.

• Voluntary – Guidance, education and information to support participants to meet obligations without regulatory intervention.
• Assisted – Targeted engagement and support where participants intend to comply but need clarification or capability uplift.
• Directed – Formal compliance tools used where issues persist, obligations are not being met, or earlier engagement has not resolved the issue.
• Enforced – Use of statutory enforcement powers for serious, deliberate, recurring or systemic non compliance.

In the early stages of the regime, MBIE expects most engagement to focus on voluntary and assisted compliance, particularly where participants are acting in good faith and working to meet their obligations.

More detail on this graduated approach is set out in the policy and supporting compliance pathway guidance.

What participants can expect from MBIE

Within the scope of the Act and available regulatory tools, participants can expect MBIE to:

• Provide clear and up to date guidance about obligations under the Act, regulations and standards.
• Be accessible and responsive to questions, requests for clarification and emerging issues.
• Apply a fair and consistent approach when assessing compliance and responding to concerns.
• Be transparent about processes and outcomes, including how compliance decisions are made.
• Adapt our approach over time as the regime matures and additional sectors are designated.

What MBIE expects from participants

All CDR participants are responsible for understanding and complying with their legal, technical and operational obligations.

In practice, this means participants should:

• Review the Act, regulations and standards that apply to their role (for example, as a data holder or accredited requestor).
• Engage early with MBIE where obligations are unclear or issues arise.
• Have processes in place to respond to consumer complaints and MBIE enquiries.
• Cooperate with monitoring, investigations and enforcement activities where required.

Related guidance and information

You may also find the following pages helpful:

• Consumer Data Right in Aotearoa New Zealand – background on the regime and its purpose
• Participating as a data holder or accredited requestor – information for data holders and accredited requestors
• Register of participants – accredited requestors and designated data holders (public register)
• Who to contact - What to do if you have concerns about a participant – information on the process to take
• The legal framework – information about the Customer and Product Data Act 2025 and supporting legislation.

These pages provide more detailed, role specific information to support compliance.

Feedback or suggestions

We welcome feedback from anyone interested in Consumer Data Right.

If you have questions about guidance, compliance or enforcement under the CDR, or if you need clarification about your obligations, email our CDR team.

We encourage participants to get in contact early so issues can be resolved constructively and efficiently.