Plain language law

New Zealand law explained for everyone

Customer and Product Data Act 2025

Preliminary provisions - Overview

4: Overview

You could also call this:

“This law explains how companies must handle your personal and product information when you or someone you trust asks for it”

This law is about controlling how companies share your information and product details. If a company is chosen by the government to follow these rules, they have to do certain things when you or someone you allow asks for your information.

When you ask for your own information, or you want the company to do something with it, they usually have to do what you ask. The same thing happens if someone you trust (called an accredited requestor) asks on your behalf.

But there are some protections in place. The company has to make sure it’s really you asking, or that you’ve said it’s okay for someone else to ask. They also need to check who’s making the request and have a way for you to complain if something goes wrong.

Sometimes, the company might say no to a request. This can happen in certain situations that the law allows.

For product information, anyone can ask for it if the company has been chosen to share this kind of data. The company usually has to share it, but they can say no in some cases.

The government will make more detailed rules about which companies have to follow this law and what exactly they need to do. There will also be technical rules about how to share the information safely.

Companies can sometimes get special permission not to follow all the rules if they have a good reason.

Remember, this is just a simple explanation of what the law does. There’s more to it than what’s written here.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS702296.

Topics:
Money and consumer rights > Consumer protection Business > Industry rules Business > Fair trading Rights and equality > Privacy
Previous

3: Purpose, or

"This law helps you and businesses use data safely to improve services and products"

Next

5: Interpretation, or

"This part explains important words used in the law"

Part 1 Preliminary provisions
Overview

4Overview

  1. This Act regulates data services provided by persons that are designated as data holders under subpart 3 of Part 5.

  2. Services relating to customer data are regulated as follows:

    The following table is small in size and has 2 columns.
    If ... A person (a data holder) is specified, or belongs to a class specified, in designation regulations; and
    it holds customer data of the kind specified in the regulations; and

    either—

    • a customer requests the data or requests that the data holder perform an action; or

    • an accredited requestor authorised by the customer requests the data or requests that the data holder perform an action.

    Then ... The data holder must comply with the request (sections 14, 15, 18, and 19).
    However ...

    Certain protections apply, including duties to—

    • confirm that the customer has authorised the request (section 39); and

    • check the identity of the person who makes the request (section 45); and

    • have a complaints process (section 48).

    In addition,—

    • the data holder may or must refuse the request in certain circumstances (sections 16 and 20); and

    • only a person granted accreditation under subpart 4 of Part 5 may act as an accredited requestor; and

    • an accredited requestor may only act within the class of its accreditation.

  3. Services relating to product data are regulated as follows:

    The following table is small in size and has 2 columns.
    If ... A person (a data holder) is specified, or belongs to a class specified, in designation regulations; and
    it holds product data of the kind specified in the regulations; and
    a person requests the data.
    Then ... The data holder must comply with the request (section 22).
    However ... The data holder may refuse the request in certain circumstances (section 23).

  4. Additional details are set out in secondary legislation, including as follows:

    The following table is small in size and has 2 columns.
    Designation regulations which designate the data holders and classes of data that are regulated under this Act (subpart 3 of Part 5).
    Other regulations which specify general requirements relating to regulated data services (section 131).
    Standards which specify technical requirements relating to regulated data services (section 138).

  5. Data holders and accredited requestors may be granted exemptions under section 141.

  6. This section is only a guide to the general scheme and effect of this Act.