Customer and Product Data Act 2025

Regulatory and enforcement matters - Civil liability - Pecuniary penalty order

72: Maximum penalty (Tier 2)

You could also call this:

“Big fines for companies and people who break data rules”

This law talks about the rules for handling customer and product data. If you break these rules, you can get into trouble. The rules cover many things, like giving customers their data when they ask for it, and not sharing data if someone is being threatened.

If you don’t follow these rules, you might have to pay a fine. The fine is different for individuals and companies. If you’re an individual who breaks the rules, you might have to pay up to $200,000. If you’re not an individual (like if you’re a company), you might have to pay up to $600,000.

These fines apply to many different situations. For example, if you don’t give customers their data when they ask for it, or if you don’t have a proper way for customers to complain, you could be fined. The law also says you can be fined if you try to break these rules or help someone else break them.


View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS911702.



Part 4 Regulatory and enforcement matters
Civil liability: Pecuniary penalty order

72 Maximum penalty (Tier 2)

  1. This section applies to a contravention, an attempted contravention, or an involvement in a contravention of any of the following:
    1. section 14 (data holder must provide customer data to customer):
    2. section 15 (data holder must provide customer data to accredited requestor if authorisation is confirmed):
    3. section 16(2) (data holder must refuse to provide any data if reasonable grounds to believe that a request is made under the threat of physical or mental harm):
    4. section 18 (data holder must perform certain actions on customer’s request):
    5. section 19 (data holder must perform certain actions on accredited requestor’s request if authorisation is confirmed):
    6. section 20(2) (data holder must refuse to perform any action if reasonable grounds to believe that a request is made under the threat of physical or mental harm):
    7. section 21 (how data holders and accredited requestors must deal with joint customers):
    8. section 22 (data holder must provide product data to any person):
    9. section 24 (how data holders and accredited requestors must deal with secondary users):
    10. section 28 (electronic system must comply with prescribed technical or performance requirements):
    11. section 31 (data holders must comply with requirements for requests, providing services, and making information available):
    12. section 33 (accredited requestors must comply with requirements for making information available):
    13. section 36 (accredited requestor must not act if reasonable grounds to believe authorisation or instruction is given under threat of physical or mental harm):
    14. section 39 (customer’s authorisation must be confirmed):
    15. section 40 (customer or secondary user must be able to control authorisation):
    16. section 41 (accredited requestor must comply with prescribed duties in respect of authorisation):
    17. section 42 (authorisation must not be required as condition of providing product):
    18. section 48 (data holders and accredited requestors must have customer complaints process):
    19. section 49 (data holder or accredited requestor must be member of dispute resolution scheme (if scheme has been prescribed)):
    20. section 58 (data holder or accredited requestor must take prescribed steps to avoid, mitigate, or remedy loss or damage caused by contravention):
    21. section 61 (prohibition against holding out):
    22. section 124 (persons that will become data holders when designation comes into force must provide information to chief executive):
    23. section 125 (other data holders must provide information to chief executive).

  2. The maximum amount of a pecuniary penalty is—
    1. $200,000 for a contravention, an attempted contravention, or an involvement in a contravention by an individual; or
    2. $600,000 in any other case.