Two new(ish) privacy-first data frameworks are in the spotlight in Aotearoa New Zealand. The Digital Identity Services Trust Framework Act 2023 and the Customer and Product Data Act 2025 will influence how organisations access, share and use our personal information. This presents organisations with both compliance challenges and new opportunities to build trust.
Here are Simply Privacy’s top five takeaways to help you navigate the implications.
1. Digital identity is now regulated in NZ
A digital identity lets you prove “yes, it’s really me” in the online world, without having to show up in person with your passport or driver’s licence.
Example: You open a new bank account online and instead of having to visit a branch to prove your identity, you can upload your passport and take a selfie using the bank’s app.
Together, the Digital Identity Services Trust Framework Act 2023 and its associated regulations and rules (the DISTF) set the requirements for verifying who people are online in Aotearoa.
2. DISTF accreditation codifies good privacy practices
Accreditation under the DISTF helps digital identity providers show their services meet certain standards. Part of the accreditation process involves having independent privacy and security evaluators assess an organisation’s privacy and security settings.
While voluntary, accreditation can quickly signal to consumers that businesses are handling their data responsibly.
Example: You’re signing up for a new digital health service and want to know if it’s legit. If the provider is DISTF-accredited, you can trust that independent evaluators have assessed the provider’s compliance with the Privacy Act 2020 and security requirements.
The DISTF requirements effectively operationalise aspects of the Privacy Act’s Information Privacy Principles (IPPs) and of Poupou Matatapu, including the pou for Governance, Transparency and Breach Management. This is likely to result in improved privacy maturity, particularly among fintechs, digital ID providers and other service providers seeking accreditation.
Simply Privacy has been appointed as an independent privacy evaluator under the DISTF framework. This means we assess privacy policies, practices and training against the Privacy Act 2020 and conduct the mandatory Privacy Impact Assessments. Where required, we can also identify and address areas for improvement to help organisations achieve accreditation.
3. Biometrics will often be relevant
Many digital identity solutions use biometrics for user authentication. For example, facial recognition might be used to compare a photo ID with a selfie or live video or to access a digital wallet.
The Office of the Privacy Commissioner is finalising the Biometric Processing Code of Practice, which will likely apply to these use cases. So the combination of DISTF requirements and the Biometric Processing Code of Practice will require careful assessment of biometric use cases in digital identity contexts.
4. The CPDA introduces a consumer data right and data portability
The Customer and Product Data Act 2025 (CPDA) is another privacy-first data framework for New Zealand. It came into force on 30 March 2025, establishing what is often known as a “consumer data right”. This supports data access and sharing between businesses and covers both customer data (e.g. contact info, transaction history) and product data (e.g. fees, terms).
This means you can ask one provider (like your bank) to securely share your data with an accredited requester (like a budgeting app), but only with your permission. Accredited requesters can also make decisions on your behalf, like initiating payments. However, they must follow strict rules around privacy and security, including getting your explicit consent before accessing and sharing your data.
Example: You want to use an app that helps you track spending across different bank accounts. Instead of downloading statements or logging in multiple times, you authorise the accredited requester providing the app to fetch your data directly from your banks, without having to share your password.
The CPDA effectively introduces a right of data portability to Aotearoa. This right goes further than the GDPR’s data portability right by including product data as well as personal information. It also puts data portability into practice through standards, accreditation processes and real-time data sharing infrastructure.
Example: You want to switch banks, so you authorise your new provider to securely access your transaction history from your old bank. The data is transferred instantly under the CPDA, enabling your new account to be set up with pre-filled details and payment history.
The Customer and Product Data Act will apply sector-by-sector, starting with banking. The next cab off the rank is likely to be the electricity sector, potentially followed by telecommunications and insurance.
5. Privacy underpins both frameworks
The Customer and Product Data Act shares a privacy-focused approach with the DISTF, including requiring accredited requesters to:
- obtain consumer consent before requesting or using data, which must be express, informed, current and freely given
- comply with data minimisation and purpose limitation principles
- have appropriate internal privacy policies in place
- implement security and access controls and
- maintain suitable records.
Digital identity verification under DISTF is likely to be a key enabler of the CPDA by providing a secure way to authenticate users and minimise fraud. In many cases, organisations like banks will want to use digital identity services to verify someone’s identity before they authorise data sharing under the CPDA.
Example: A consumer asks their bank to share transaction data with a budgeting app under the CPDA. Before doing so, the bank uses a DISTF-accredited service provider to securely verify the customer’s identity. Once the customer is verified, the bank shares the data with the app via an API, but only with the customer’s consent.
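To make the flow in the example concrete, here is an added illustration (not code from the page, from Simply Privacy, or from any CPDA or DISTF standard) of the checks a data holder would run before releasing data to an accredited requester: the identity assertion must come from an accredited verifier, the consent must be express, informed, freely given and current, the requested fields must sit within both the consented scope and what the declared purpose needs (data minimisation and purpose limitation), and every decision is recorded. The record layout, field names, purposes and the `IdentityAssertion` flags are assumptions made for the example.

```python
"""Consent-gated data release modelled on the CPDA flow described above.

Added example: the data layout, purpose table and assurance flags are
assumptions for illustration, not definitions from the CPDA or DISTF.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample: everything the data holder (a bank) knows about the customer.
CUSTOMER_RECORD = {
    "name": "Example Customer",
    "email": "customer@example.invalid",
    "dob": "1990-01-01",
    "credit_limit": 5000,
    "transactions": [{"date": "2025-04-01", "amount": -42.50, "merchant": "Grocer"}],
}

# Purpose limitation: the fields each declared purpose legitimately needs (assumed).
PURPOSE_FIELDS = {
    "budgeting": {"transactions"},
    "account_switch": {"name", "transactions"},
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
AUDIT_LOG = []  # "maintain suitable records": one entry per decision


@dataclass
class Consent:
    requester_id: str       # the accredited requester the consent was given to
    purpose: str            # purpose the customer was told about
    scope: set              # fields the customer agreed to share
    express: bool           # affirmative action, not pre-ticked or implied
    informed: bool          # told what, why, with whom and for how long
    freely_given: bool      # not bundled into an unrelated service
    granted_at: datetime
    expires_at: datetime


@dataclass
class IdentityAssertion:
    verified: bool
    provider_accredited: bool   # assertion came from a DISTF-accredited verifier
    verified_at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    data: dict = field(default_factory=dict)


def evaluate_request(requester_id, purpose, requested_fields, identity, consent, record, now):
    """Return the minimised data set, or a denial, and log the outcome."""
    def deny(reason):
        AUDIT_LOG.append({"at": now.isoformat(), "requester": requester_id,
                          "allowed": False, "reason": reason})
        return Decision(False, reason)

    if not (identity.verified and identity.provider_accredited):
        return deny("identity not verified by an accredited provider")
    if consent.requester_id != requester_id:
        return deny("consent was given to a different requester")
    if not (consent.express and consent.informed and consent.freely_given):
        return deny("consent is not express, informed and freely given")
    if not (consent.granted_at <= now < consent.expires_at):
        return deny("consent is not current")
    if consent.purpose != purpose:
        return deny("purpose does not match the consented purpose")
    wanted = set(requested_fields)
    over_scope = wanted - consent.scope
    if over_scope:
        return deny("requested fields outside consented scope: " + ", ".join(sorted(over_scope)))
    over_purpose = wanted - PURPOSE_FIELDS.get(purpose, set())
    if over_purpose:
        return deny("fields not needed for purpose: " + ", ".join(sorted(over_purpose)))
    # Data minimisation: release only the fields that passed every check.
    released = {k: record[k] for k in wanted if k in record}
    AUDIT_LOG.append({"at": now.isoformat(), "requester": requester_id,
                      "allowed": True, "fields": sorted(released)})
    return Decision(True, "released", released)


def sample_consent(**overrides):
    """A valid constructed consent; pass overrides to break one property."""
    base = dict(requester_id="budget-app", purpose="budgeting", scope={"transactions"},
                express=True, informed=True, freely_given=True,
                granted_at=NOW - timedelta(days=1), expires_at=NOW + timedelta(days=30))
    base.update(overrides)
    return Consent(**base)


def demo():
    """Run four constructed scenarios and return their decisions by name."""
    verified = IdentityAssertion(True, True, NOW - timedelta(minutes=5))
    unverified = IdentityAssertion(False, True, NOW)
    return {
        "minimised": evaluate_request("budget-app", "budgeting", ["transactions"],
                                      verified, sample_consent(), CUSTOMER_RECORD, NOW),
        "over_scope": evaluate_request("budget-app", "budgeting", ["transactions", "credit_limit"],
                                       verified, sample_consent(), CUSTOMER_RECORD, NOW),
        "expired": evaluate_request("budget-app", "budgeting", ["transactions"], verified,
                                    sample_consent(expires_at=NOW - timedelta(days=1)),
                                    CUSTOMER_RECORD, NOW),
        "unverified": evaluate_request("budget-app", "budgeting", ["transactions"],
                                       unverified, sample_consent(), CUSTOMER_RECORD, NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: allowed={decision.allowed} reason={decision.reason} fields={sorted(decision.data)}")
```

Only the "minimised" scenario releases anything, and it releases the transaction list alone; name, email, date of birth and credit limit never leave the record even though the bank holds them. The audit list is what a later records review or complaint investigation would rely on, so it is written for denials as well as approvals.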
While the CPDA includes fines of up to NZ$2.5m for businesses that fail to operate an electronic system where required, penalties for privacy breaches are still those under the Privacy Act. However, the risks of reputation damage and loss of customer trust will ensure smart businesses pay close attention to the various privacy requirements.
How should you prepare?
These privacy-first data frameworks highlight the importance of robust compliance and trust-building measures like the following.
Seek accreditation
While not mandatory, if you’re a digital identity service provider then accreditation is a no-brainer for driving consumer trust. And if your customers include banks and electricity retailers, then they will want to see evidence that you are a safe pair of hands as well. So don’t delay in getting your privacy and security governance, policies and practices in order. Doing so will enable you to apply for DISTF accreditation and get ahead of the competition. Those wanting to share customer data will also need to ensure they satisfy the CPDA’s strict privacy and security rules.
Conduct Privacy Impact Assessments
If you want to be accredited under the DISTF, you will need to conduct a PIA. You should also be doing them for new services under the CPDA. The incoming Biometric Processing Code of Practice will most likely require you to conduct a “necessary and proportionate” assessment – also best done via a PIA.
Develop good consent mechanisms
Consent is not a core part of the Privacy Act 2020 like it is under Australian and European privacy laws. New Zealand businesses will therefore need to ensure they understand what explicit consent entails before focusing on building proper consent capture into their customer journeys.
Protect data
Good security underpins privacy, so make sure you have adequate security safeguards in place. This is especially important for higher-risk forms of personal information, such as biometric information.
Whether you’re preparing for accreditation or just want to get ahead of the curve, now is the time to make sure you have the right privacy settings. Organisations that act early are likely to find themselves better placed to offer services that both consumers and other businesses will trust.