What are consumer data rights?

Last week the government announced that it will introduce a “consumer data right” to New Zealand. These regulations have been in the works since 2019, and will likely be enacted in 2022 or 2023.

Here’s a quick update on what’s coming.

In a nutshell

No one wants to repeatedly read “consumer data right”, so let’s call it “CDR”.

CDR will make it simple to access your data that’s held by an organisation (like a bank). You’ll also be able to grant access to a 3rd party, if you think they can use your data to provide a valuable service to you.

CDR will be applied to different sectors over time. The government hasn’t “designated” a sector yet, but banking is likely to be first. Other sectors like energy, telco, and insurance are likely to be designated at some point.

When a sector is designated, the CDR rules will define the data that must be accessible upon consumer request, and will define the data holders that have to comply with those requests.

Give me an example - how would I use this?

You might want to connect your Kiwisaver, investment, and bank accounts into a single app so that you can see an aggregated view of your financial life.

You might want to connect your bank account to MSD before receiving a payment in order to prove that you are the account holder and verify your bank account number.

You might want to connect your bank account to your power provider to automatically pay by bank and avoid credit card fees.

You might want to connect your transaction data to Pocketsmith in order to automate your household budget.

Wait... doesn’t this stuff already happen in NZ?

You’re not wrong.

If you’ve applied for a home loan within the last 10 years, your broker probably invited you to connect your bank accounts to automate most of the application and assessment process.

If you’ve bought flights from Air New Zealand or renewed your car rego online at NZTA, you may have noticed the “Pay with POLi” option.

If you’ve used Xero, you’ve definitely noticed that your bank transactions magically show up every day without needing to manually import them.

So why do we need CDR?

The current methods can be improved.

Remember that example above where your broker invites you to connect your bank accounts to automate your home loan application? The broker will outsource that bank integration to a 3rd party service, who will need your login credentials in order to process the data request. Sharing your login credentials is suboptimal. No one likes this aspect of the current methods. Banks certainly don’t like this method either (but they like getting home loan applications from brokers, so you don’t hear them complaining about this particular use case). CDR will enable consumers to authenticate directly with their bank, so that login credentials don’t need to be shared with a 3rd party.

Then there’s a laundry list of reasons why CDR will provide better functionality for consumers:

  • Consistent data: CDR will define the data that must be accessible, so consumers will have consistent access across their accounts.
  • Reliability and speed: Data holders like banks will be required to meet standards for processing consumer data requests.
  • Commercial terms: CDR will dictate whether data holders are allowed to charge fees for consumers to access their data.
  • Accreditation: If you’re sharing data, you want to know that it’s being done securely, and that your data is only being used for approved purposes. CDR will impose an accreditation regime to set minimum standards for participants.
  • Informed consent: CDR will set minimum standards regarding consent to help consumers make informed decisions about whether to share access to their data.
  • Ongoing control: CDR will require that consumers have ongoing visibility and control over access that has been granted to 3rd parties.

Don't we have data access rights under the Privacy Act?

There are similarities, but some very important differences.

The Privacy Act only applies to individuals. CDR will apply to businesses and individuals.

The Privacy Act applies to “personal information”. CDR will apply to a broader range of consumer data.

The Privacy Act gives an individual the right to access personal information from a data holder. CDR will require that data holder to share information with a 3rd party if requested by a consumer.

The Privacy Act enables an individual to request access to personal information, but that request won’t be processed in real time. CDR will require real-time processing of consumer data requests.

The Privacy Act deals with the collection and management of personal information. CDR will apply to that type of collected information too, but will also enable “action initiation” - the creation of new data like initiating a payment or opening a new account. (It may seem weird to call this “data”, but computers will be doing the heavy lifting and it’s all just data to them.)

So CDR covers some of the same ground as the Privacy Act, but it goes much further. You could see CDR as a bundle of enhanced consumer rights that are fit for our modern data-rich world.

Timing for CDR

The CDR bill is expected to be introduced to parliament during 2022. We can estimate another year for subsequent consultation, refinement, and enactment. Then we can expect a phased rollout of functionality in the first designated sector - a phased rollout will give time for data holders to build out systems to comply with the CDR requirements.

I guesstimate that it will be 3+ years before the CDR regime delivers better functionality for consumers than the current methods of accessing and sharing data.

APIs

I’ve tried to write this post without mentioning APIs… But if you’ve got this far then let’s quickly cover the mechanism for exchanging data under CDR.

An API is an “application programming interface”. You can think of it as a defined system for enabling computers to communicate with each other. Each data holder (like a bank) will have an API that sits there patiently waiting for consumer data requests. When the API receives a valid request, it will respond to that request in real time. So CDR requests and responses will be processed by computers rather than humans.

If you want a deeper understanding of APIs, here’s a great intro article.

More info

MBIE is managing the policy-making process for CDR. Official updates are published on this page.

Here’s a 6-pager from the Cabinet Economic Development Committee which gives the best steer on CDR implementation details.

Well done to the MBIE team for identifying the difficult issues and addressing them upfront in the initial consultation and recommendations - it should help to avoid many of the delays and barriers encountered when similar regulations were implemented in the UK and Australia.

Final words

Here are some ideas of what can be built in NZ with connected data.

If you want to hear more as CDR develops, Akahu will send occasional updates to our email list.

We’re always interested to hear what people are building in this space. We also love listening to any questions or concerns that people have about sharing access to data. I’m at josh@akahu.nz if you’d like to share.
