Breadcrumbs
Home ›-
Business
- Support for business
- Consumer Data Right
- Financial markets conduct regulation
- Competition regulation and policy
-
Regulating entities
- Du Val statutory management
- Companies Act reforms
- Incorporated Societies Act 2022
- Our work with the PCO
- Financial Reporting Act 2013
- Insolvency Review Working Group
- Supporting the integrity of the corporate governance system
- Changes to the Takeovers Code
- Historic reform of corporate law
- Mandatory climate-related disclosures
- The Business Payment Practices Act 2023 has been repealed
- Review of New Zealand Companies Office Fees and Levies (2025)
- Standards and conformance
- Trade and tariffs
-
Intellectual property
- Copyright
- Haka Ka Mate Attribution Act guidelines
- Designs
- Geographical indications
- Plant variety rights
- Integrated circuit design protection
- Intellectual property enforcement
- Mātauranga and Taonga Māori and the Intellectual Property System
- Disclosure of origin requirements in the patents regime
- Proposed Intellectual Property Laws Amendment Bill
- The Trans-Tasman patent attorney registration regime
- business.govt.nz
- Trans-Tasman Mutual Recognition Arrangement (TTMRA)
Your data and the Consumer Data Right
Discover how the Consumer Data Right ensures security, privacy, and authorisation so you stay in control of who accesses your information.
On this page
Your data stays safe
The Consumer Data Right (CDR) is built on strong security and privacy protections with regulatory oversight of the participants. Here is what that means for you:
- You are in control: your data can only be shared if you give clear, informed authorisation
- Only trusted participants: data moves between organisations approved to participate in the CDR framework (data holders and accredited requestors)
- Secure systems: all participants must meet strict technical and security standards set by law
MBIE and the Office of the Privacy Commissioner – working together
Whilst the CDR is enabled by the Customer and Product Data Act 2025, as with all activity, organisations must also fulfil their obligations under the Privacy Act 2020. The CDR specifies how organisations must meet their storage and security obligations under the Privacy Act, and how organisations should treat requests for customer data, which can include personal information.
The Ministry of Business, Innovation and Employment (MBIE) is responsible for sector designation, accreditation of data recipients and oversight of regulated data services. The Office of the Privacy Commissioner (OPC) regulates breaches of the CDR regime that involve personal information.
We work closely together to monitor compliance, support participants, and take action if any rules are broken.
Your consent matters
Sharing your data is optional, you choose what to share and with which approved provider. Nothing happens without your authorisation. You decide:
- Who gets your data
- What data they can access and how they can use it
- How long they can use it.
You can withdraw your authorisation at any time.
To ensure all New Zealanders benefit from global innovation, overseas companies may be accredited under the framework, but your data will only be shared with them if you authorise it and they meet all security and privacy requirements.
If you have concerns
If you are worried about how your data is being handled, or have questions about your data, start by contacting the organisations involved. Our who to contact page explains how to raise an issue.
Get started
Check the Register of Participants to see which data requestors are accredited by MBIE.
Join our mailing list
If you want to get updates about regulations and standards related to the CDR, email us to join our mailing list.