What is the Consumer Data Right?

The Consumer Data and Digital Services Protection Act has quietly passed into law in Aotearoa — and with it, the Consumer Data Right (CDR) becomes reality. While this might sound like one for the lawyers, it’s worth all of us in digital tech sitting up and paying attention. Whether you work in app development, systems integration, product, cloud infrastructure, data analysis, or IT strategy, this legislation will shape the way we design, build, and deliver services in the coming years.

At its core, the Consumer Data Right gives people more control over their own data. It’s a mechanism that allows consumers to request access to the data businesses hold about them — and authorise that data to be shared with trusted third parties. It’s about portability, transparency, and trust. Think open banking, but extended to other sectors like energy, insurance, and telecommunications.

The legislation doesn’t just enable this to happen — it sets out a legal and regulatory framework to make sure it happens safely and fairly. It introduces oversight, standards, and consumer protections that go beyond what we currently have under the Privacy Act. It’s a pretty big shift. And while the government is taking a phased approach, starting with the banking sector, this change is going to ripple across the digital economy.

What does it mean for digital tech folks?

The new legislation gives consumers greater control over their own data. It means that individuals and businesses will have the right to securely share data held about them with third parties of their choosing. While it's starting in the banking sector (with a strong nudge from open banking developments overseas), the intent is that it will be rolled out across other industries too, with energy next by the sounds of it.

It also puts the onus on organisations to enable data portability safely and with consent. That means new standards, new protocols, and a whole lot more attention paid to API development, data infrastructure, and the way we manage identity and privacy. If you're working in or adjacent to software, infrastructure, security, compliance, or product development, this will land on your desk eventually.

For developers, this could mean building or adjusting APIs that allow secure, standardised data sharing. For those working with data infrastructure, there may be new requirements around data formats, storage, and interoperability. If you're in governance, risk, or compliance, the responsibilities around consent and privacy will need to be translated into processes and practice.

More broadly, CDR introduces a fundamental shift in how we think about ownership and access to data. Instead of organisations holding and monetising data as a default, the consumer is now in the driving seat. That’s a big philosophical shift, and it’s going to take a while for our systems, processes, and thinking to catch up.

Have a read of this article from Interest.co.nz, and this one from MBIE, for more info.

How should we prepare?

This legislation is now real—so we need to stop treating it like something theoretical. Whether you're a developer building APIs, an architect wrangling legacy data flows, or someone in a product, policy or leadership role—there’s work ahead.

The best thing we can do right now is stay informed and start building capability across our teams. That means understanding how consent, data exchange, and customer rights are going to work in practice. For many of us, that’s going to be new territory. It’s also an opportunity: the kind of data portability this legislation encourages has the potential to spark real innovation—if we’re ready for it. A couple of more specific thoughts:

  • Anticipate increased collaboration. Tech teams are going to need to work closely with legal, risk, and compliance. The best solutions will come from people who can sit across these domains and translate between them. That’s a skillset our industry already values, and CDR will only increase that demand.

  • Design for trust. This is about giving control and confidence back to consumers. That means consent flows that make sense. Interfaces that show people what’s happening with their data. Systems that do what they say they will. This is where tech can really shine — by building systems that are not just compliant, but trustworthy by design.

Final thoughts

This legislation is about shifting power back to consumers — and that’s a good thing. But it also puts the spotlight on us, as tech professionals, to build the systems and experiences that make it work. It’s not just the job of policymakers or privacy lawyers — it’s ours too. The Consumer Data Right will be rolled out gradually, but make no mistake: this is going to be one of the defining changes in how we manage and use data in Aotearoa.

So dig in. Understand where your organisation sits in the data ecosystem. Invest in training, share knowledge, and start building CDR thinking into your architecture conversations now—not once the regulator shows up. I will be following this up with more on Open Banking and the standards we can all embrace.

Vic MacLennan

CEO of IT Professionals, Te Pou Haungarau Ngaio, Vic believes everyone in Aotearoa New Zealand deserves an opportunity to reach their potential, so as a technologist by trade she is dedicated to changing the face of the digital tech industry - to become more inclusive, where everyone has a place to belong. Vic is also on a quest to close the digital divide. Find out more about her mahi on LinkedIn.
