Apr 15, 2025
Apr 16, 2025

The Customer and Product Bill is here. Is Your Business Ready?

New Zealand’s new Customer and Product Data Act is now law. Learn what it means for your business and why getting ahead on compliance could unlock a competitive advantage.

A major change to data rights in New Zealand has just become law, slipping through with barely a whisper.

The Customer and Product Data Bill has officially received Royal assent, which is the fancy way of saying it’s now on the books in New Zealand.

And yet, most people have no idea what just happened.

In this blog, we’ll break it down in plain English. No legal fluff. Just what you actually need to know:

  • What is the Customer and Product Data Act?
  • What’s the government’s plan?
  • What we can learn from Australia’s rollout
  • What this means for your business (and why getting ahead of it matters)

Let’s get into it!

What is the Customer and Product Data Act?

This Act is about putting you as a customer in control of your data. Whether it’s your bank transactions, energy usage, or insurance history, the goal is simple: make it easier to access and share your own information with providers you trust.

Why? Because it can help customers get better deals and make their lives easier.

Instead of digging through bills or navigating clunky portals, imagine being able to share what’s needed, instantly, with an accredited price comparison site or service provider. No hassle. No friction. Just a better deal for the customer. That’s the aim anyway.

The government’s betting that this will spark stronger competition, make switching providers seamless, and open the door to a wave of new, data-driven innovation.

Now, this isn’t coming out of nowhere. It follows in the footsteps of Australia’s Consumer Data Right legislation and builds on Open Banking, which kicked off in 2018 as a voluntary, industry-led initiative. The idea was solid — set up API standards for data sharing in banking. But the reality? Progress has been slow, patchy, and far from universal.

So now, the game is changing.

NZ's Customer and Product Data Act makes it mandatory.

This is the foundation of New Zealand’s Consumer Data Right, and it’s aiming to reshape how industries use data to serve people better.

What happens next?

The Act applies broadly to individuals, businesses, and trusts, allowing for implementation across various sectors.

MBIE (the Ministry for Business, Innovation and Employment) has prioritised the banking sector for initial implementation. This decision stems from the significant amount of customer data banks hold and the potential benefits of enabling customers to share this data securely with trusted third parties. The goal is to have the banking sector fully operational under the Act by December 2025.

Following banking, the energy sector is already in discussions to be next in line. If New Zealand follows Australia's trajectory, the telecommunications and insurance sectors may also be designated in the near future.

Want to dive deeper? MBIE has published a summary of why banking was chosen as the starting point.

What Can New Zealand Learn from Australia’s CDR Journey?

Let’s not sugar-coat it: Australia’s rollout of the Consumer Data Right (CDR) legislation since 2020 hasn’t been smooth sailing.

In fact, it’s currently paused. The Assistant Treasurer himself called it a “good idea, badly executed”, and said it’s time for a “reset.” That’s a big statement, and one worth paying attention to if we want to get it right here in Aotearoa.

So, what are the key takeaways from Australia? And what can we learn before we press go?

  1. Low Uptake, Big Price Tag:

    Since 2018, banks have poured around $1.5 billion into making Australia's CDR work, and yet, just 0.31% of customers have used it. Even more telling, over half of all data sharing arrangements with third parties have either lapsed or been cancelled. That’s a whole lot of investment with very little traction. The banks aren’t happy, and frankly, who can blame them?
  2. Clunky Data, Patchy Delivery:

    Getting Australia's CDR live has been slow and fragmented. Why? A mix of legacy systems, inconsistent APIs, and patchy availability and quality of data. It’s hard to innovate when your data infrastructure is stuck in the past and no one’s speaking the same language.
  3. Barriers to Entry Are Too High:

    Want to become an Accredited Data Recipient? Bring your wallet and your patience. The process is costly, time-consuming, and tough to navigate, especially for smaller fintechs or innovative startups.

The Bottom Line?

Australia’s experience shows us that good intentions aren’t enough. You need simplicity. Clear value. Low friction. And a laser focus on the people and businesses this is meant to empower.

If New Zealand gets this right, we could leapfrog the learning curve.

What The Customer and Product Bill Means for Your Business

In theory, if you run a business that touches customer data, whether in banking, energy, telco, insurance, lending, or any other sector, this isn’t just another compliance tick box. It’s a fork in the road.

You’ve got two choices:

Option 1: Sit back, wait for the legislation to hit, and scramble to comply at the last minute or accept the fines.

Long-term result: spend more in the long run, stress more, and fall behind the competition.

Option 2: Get ahead of it now.

That means:

  • Building a Single Data Universe where your teams can easily access high-quality, trusted data
  • Putting in place real Data Governance. This is not just buying another piece of tech, but actually owning the processes and responsibilities that drive data maturity

The bonus of doing this right?

You don’t just prepare for the Customer and Product Data Act. You future-proof your business.

We call this Regulatory Dynamism: being ready for whatever regulation comes next, not just reacting to the one in front of you.

And the upside? It’s not just about regulation.

It’s about:

  • Laying the data foundations for AI
  • Enabling self-service across your business
  • Staying technology-agnostic and agile when change comes
  • Driving down the long-term costs of being data-driven by doing it right from the start

Thinking About Becoming an Accredited Data Recipient?

If you're considering becoming an accredited receiver of customer data, know this: it's not a quick win. It takes time, investment, and a clear strategy to get there. But done right, it can unlock powerful advantages.

Here’s what to focus on first:

  • Why?
    What’s the real business value?
    How will this help your customers?
    And critically, how will you drive uptake?
  • Security.
    This isn’t a nice-to-have, it’s make or break.
    Your controls, governance, and data protection processes will be under the microscope. And rightly so. If you're going to be trusted with customer data, your house needs to be in order.

Change Is Coming. Are You Ready?

To wrap up: the Customer and Product Data Act is now law. It hasn’t changed what needs to be done, and whether or not your industry is on the immediate roadmap, the message is clear: change is coming.

You can wait until you’re forced to react, or you can use this moment to get your house in order and build better data and tech foundations.

Because this isn’t just about regulation.

It’s about being ready for AI.
It’s about giving your people better tools and better data.
It’s about becoming more agile, more secure, and more future-proof.
It’s about saving the business money in the long run.

Smart businesses are already moving.

The question is — will you be ready when it counts?