Customer and Product Data Act 2025

Protections - Authorisation

39: Authorisation must be confirmed

You could also call this:

“Companies must check if you've allowed them to share your information before they do it”

When someone asks for your information, the company that has your data needs to check if you’ve allowed them to share it. This is called confirmation. They can’t share your information until they’ve done this check.

Once they’ve checked, they can keep sharing your information as long as you’ve said it’s okay. They only need to check again if you change what you’ve allowed them to share or if you stop allowing them to share completely.

For example, if you let your electricity company share information about how much electricity you use, they need to check that you’ve agreed to this before they share it for the first time. After that, they can keep sharing this information without checking each time, unless you change what you’ve agreed to or stop letting them share.

The company that checks your permission might need to do it in a specific way. There might be rules about how they should check, like making sure it’s really you who gave permission.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS710308.


Part 3 Protections
Authorisation

39 Authorisation must be confirmed

  1. This section applies if a data holder receives a request from an accredited requestor to provide a regulated data service relating to a customer.

  2. The data holder must check that the service is within the scope of the authorisation given by the customer (or by a secondary user on their behalf) (confirmation).

  3. The data holder must not provide the regulated data service until confirmation has been completed.

  4. A confirmation is valid for any service within the scope of that authorisation until the time when the scope of the authorisation is modified or the authorisation ends (whichever is earlier).

  5. If the scope of the authorisation is modified or the authorisation ends, subsection (2) applies again.

    Example

    A customer authorises their electricity provider (a data holder) to provide details of their electricity usage to a company that makes recommendations about the best electricity deals in the market.

    Before sharing any of the customer’s data for the first time, the electricity provider must confirm the customer’s authorisation.

    However, it is not necessary to carry out confirmation for any subsequent actions performed within the scope of that authorisation. The electricity provider will only have to reconfirm the customer’s authorisation if the scope of the authorisation is modified or the authorisation ends.

  6. A person that carries out a confirmation must carry out the confirmation in the manner (if any) prescribed by the regulations and the standards (for example, the regulations or standards may require the person that carries out a confirmation to verify the identity of the customer or secondary user).