Customer and Product Data Act 2025

Protections - Authorisation

41: Accredited requestor must comply with prescribed duties in respect of authorisation

You could also call this:

“Approved askers must follow special rules when getting permission”

If you want to get permission from a customer or someone acting for them, you need to follow some important rules. These rules are set out in official documents.

You must take the steps listed in these documents to make sure the customer or the person acting for them understands what they’re agreeing to. You can only ask for permission in the ways that are allowed. For example, you might need to use a special tool that makes the customer take a clear action to say “yes.”

There are times when you’re not allowed to ask for or accept permission, for instance if you haven’t checked who the customer really is. You also have to follow any other rules about getting permission that are in the official documents.

When we talk about “prescribed” in this law, it means the rules that are written in the regulations or standards. These are official documents that explain how to follow the law properly.

This text is automatically generated. It might be out of date or be missing some parts.


View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS925513.



Part 3 Protections
Authorisation

41 Accredited requestor must comply with prescribed duties in respect of authorisation

  1. If an accredited requestor (A) seeks to obtain, or may accept, an authorisation from a customer (or a secondary user on their behalf),—
    1. A must take the prescribed steps (if any) to enable the customer or secondary user (as the case may be) to be reasonably informed about the matter to which the authorisation relates; and
    2. A must use only prescribed methods (if any) to obtain the authorisation (for example, a tool that requires the customer to perform an affirmative action in order to give the authorisation); and
    3. A must not obtain, or accept, an authorisation from a customer (or secondary user) in the prescribed circumstances (for example, if A has not verified the identity of the customer or secondary user); and
    4. A must comply with any other prescribed requirements in connection with obtaining, or accepting, the authorisation.
  2. In this section, prescribed means prescribed by the regulations or the standards.