Data Standards Body | CX Guidelines

Consumer Experience (CX) Guidelines / Consent Management / Consent Management (Data recipient) / Withdrawal
Read first

CX Checklist attributes

◦ Area refers to the stage in the consumer journey, such as Pre-consent, Consent, Authenticate, Authorise, or Consent Management.
◦ Focus area refers to a specific theme in each stage (e.g. 01. User Identifier).
◦ Checklist ref contains a unique reference number for the item.
  ▪ The first values refer to the Area (e.g. 0DL.xx.xx for data language; 2AU.xx.xx for authentication).
  ▪ The second set of values refers to the Focus area (e.g. xxx.01.xx).
  ▪ The last values refer to the annotation number used on the wireframe, where available (e.g. xxx.xx.02; wireframes are linked to in the Example column).
◦ Type refers to the source of the statement: Rules, Standards and Guidelines.
◦ Participant refers to the relevant CDR Participant for the item.
◦ Requirement level refers to the level of obligation. For the data standards, the key words MUST, MUST NOT, SHOULD, SHOULD NOT, and MAY are to be interpreted as described in RFC2119. CX Guidelines provide optional examples and recommendations; as such, a MAY is used to denote a CX Guideline for the purposes of this checklist regardless of the language used in the guideline statement.
◦ Statement refers to the relevant requirement or recommendation as articulated in the rules, standards, or guidelines.
◦ References points to the requirement itself, or its location; typically a rule, standard, or research.
◦ Example links to the relevant artefact, such as the CX Guideline page, which includes wireframes of example implementations, or a table in the case of data language standards.
◦ Version introduced refers to the version of the data standards that was current when the item was introduced to the CX Guidelines, starting from version 1.4.0. Items noted as introduced in 1.4.0 or earlier are requirements that exist in v1.4.0 of the CX Guidelines (PDF).
◦ Date introduced refers to the specific date the item was introduced to the CX Checklist, using August 2020 as a starting point (when v1.4.0 was introduced). The date will typically be the date of the version release, but some new items may not constitute a standards change (e.g. a revised wireframe or rules change) and as such may not align with standards versioning.
◦ Date modified refers to when an existing CX Checklist entry was updated, which is not necessarily the date the corresponding requirement (Rule, Standard or Guideline) was changed.
◦ Status refers to whether the item is active or has been retired from the CX Guidelines. An 'active' item is applicable and current. A 'retired' item may be labelled as such because it no longer applies, has been merged with another item, or has been removed from the CX Guidelines. A 'retired' item may still be a requirement. These statuses are used in the live CX Checklist and CSV to highlight changes between versions of the CX Guidelines.
Wireframe ref: 01
Type: CDR Rule
Requirement level: MUST
Statement: (1) A CDR consumer who has given a consent to an accredited person for the purposes of this Division may withdraw the consent at any time: (a) by using the accredited person’s consumer dashboard;
Reference: CDR Rule 4.13(1)(a)
Checklist ref: 4CM2.00.01
Focus area: 00. Withdrawal - general

Wireframe ref: 02
Type: CDR Rule
Requirement level: MUST
Statement: (3) Withdrawal of a consent does not affect an election under rule 4.16 that the CDR consumer’s collected CDR data be deleted once it becomes redundant.
Reference: CDR Rule 4.13(3)
Checklist ref: 4CM2.00.02
Focus area: 00. Withdrawal - general

Wireframe ref: 04
Type: CDR Rule
Requirement level: MUST
Statement: An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (c) withdraws such a consent in accordance with rule 4.13
Reference: CDR Rule 4.18(c) | CX Research 20
Checklist ref: 4CM2.00.04
Focus area: 00. Withdrawal - general

Wireframe ref: 08
Type: CDR Rule
Requirement level: MUST
Statement: (1) A consent given under this Division expires at the earliest of the following: (a) if the consent is withdrawn in accordance with paragraph 4.13(1)(b)―the earlier of the following: (i) when the accredited person gave effect to the withdrawal; (ii) 2 business days after the accredited person received the communication; (b) if the consent is withdrawn in accordance with paragraph 4.13(1)(a)―when the consent was withdrawn;
Reference: CDR Rule 4.14(1)(a)–(b)
Checklist ref: 4CM2.00.08
Focus area: 00. Withdrawal - general

Wireframe ref: 09
Type: CDR Rule
Requirement level: MUST
Statement: (1) An accredited person must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. (2) Where a CDR representative provides the consumer dashboard on behalf of a CDR representative principal (see subrule 1.14(5)), the CDR representative principal may arrange for the CDR representative to update the consumer dashboard on the CDR representative principal’s behalf.
Reference: CDR Rule 4.19
Checklist ref: 4CM2.00.09
Focus area: 00. Withdrawal - general

Wireframe ref: 10
Type: CDR Rule
Requirement level: MUST
Statement: (3) For paragraph (1)(b), the information is the following for each consent: (f) if the consent is current—when it is scheduled to expire; (g) if the consent is not current—when it expired; Note 1: For paragraph (f), consents expire at the latest 12 months (or 7 years for certain consents by a CDR business consumer) after they are given or, in some circumstances, amended: see paragraph 4.14(1)(c).
Reference: CDR Rule 1.14(3)(f)–(g), (Note 1)
Checklist ref: 4CM2.00.10
Focus area: 00. Withdrawal - general

Wireframe ref: 11
Type: CX Guideline
Requirement level: MAY
Statement: Consumers may be allowing a data recipient to collect, use, and disclose their data according to the varying types of consents. This means 'sharing' may not always be the most appropriate or flexible language to use. Data recipients should tailor language to the consent type, but may consider using generic terms such as 'access' to apply to the range of consent types. CX research suggested this language was comprehensible. If a generic term is used to apply to an array of consent types or actions, data recipients should provide additional explanations to clarify what the precise consent types or actions mean in the context of that term.
Reference: CX Research 29
Checklist ref: 4CM2.00.11
Focus area: 00. Withdrawal - general

Wireframe ref: 12
Type: CX Guideline
Requirement level: MAY
Statement: Data recipients should surface information on consequences of withdrawal. This may include details from their CDR policy, as stated in CDR Rule 7.2(4)(a).
Reference: CDR Rule 7.2(4)(a) | CX Research 32
Checklist ref: 4CM2.00.12
Focus area: 00. Withdrawal - general

Wireframe ref: 13
Type: CX Guideline
Requirement level: MAY
Statement: Data recipients should introduce positive friction to the withdrawal flow to mitigate user error and unintended consequences.
Reference: CX Research 32 | 10 Usability Heuristics for User Interface Design: Error prevention (Nielsen)
Checklist ref: 4CM2.00.13
Focus area: 00. Withdrawal - general

Wireframe ref: 14
Type: CX Guideline
Requirement level: MAY
Statement: Data recipients should provide a message to consumers that withdrawal was successful. This message should be clearly visible on the dashboard and shown as soon as withdrawal has taken place.
Reference: 10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen)
Checklist ref: 4CM2.00.14
Focus area: 00. Withdrawal - general

Wireframe ref: 15
Type: CX Guideline
Requirement level: MAY
Statement: When a consent is withdrawn, data recipients should notify the consumer:
  • Of the status of their consent, including the updated duration and withdrawal date;
  • That the data recipient is no longer collecting, using, and/or disclosing their data (depending on the type of consent withdrawn);
  • Of how their redundant data will be handled, and when this will come into effect if it will not be immediate (such as when the data will need to be held for legal reasons).
Checklist ref: 4CM2.00.15
Focus area: 00. Withdrawal - general

Wireframe ref: 16
Type: CX Guideline
Requirement level: MAY
Statement: Data recipients can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include any known information on other elements the account may refer to such as any related plans, services, properties, numbers, and products.
Checklist ref: 4CM2.00.16
Focus area: 00. Withdrawal - general

Wireframe ref: 17
Type: CDR Rule
Requirement level: MUST
Statement: (2) An accredited data recipient must keep and maintain records that record and explain the following: (b) amendments to or withdrawals of consents by CDR consumers
Reference: CDR Rule 9.3(2)(b)
Checklist ref: 4CM2.00.17
Focus area: 00. Withdrawal - general

Wireframe ref: 18
Type: CX Guideline
Requirement level: MAY
Statement: Data recipients are expected to record how the withdrawal was requested by the consumer in relation to CDR Rule 9.3(2)(b), but the rules do not require the method of withdrawal to be shown on the dashboard. However, data recipients may wish to do this on the dashboard and/or in any CDR Receipt they choose to provide.
Reference: CDR Rule 9.3(2)(b)
Checklist ref: 4CM2.00.18
Focus area: 00. Withdrawal - general

Wireframe ref: 19
Type: CDR Rule
Requirement level: MUST
Statement: (1) This rule applies if: (a) an accredited person has made a consumer data request to a CDR participant, based on a collection consent given under this Division relating to particular CDR data and that CDR participant; and (b) the request has not been completely resolved; and (c) the consent expires for any reason. (2) The accredited person must notify: (a) if the CDR participant is a data holder―the data holder, in accordance with the data standards, that the consent has expired; and (b) if the CDR participant is an accredited data recipient―the accredited data recipient as soon as practicable that the consent has expired.
Reference: CDR Rule 4.18AA
Checklist ref: 4CM2.00.19
Focus area: 00. Withdrawal - general

Wireframe ref: 20
Type: CDR Rule
Requirement level: MUST
Statement: (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that: (d) as part of the process of withdrawing a consent, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing a consent;
Reference: CDR Rule 1.14(1)(d)
Checklist ref: 4CM2.00.20
Focus area: 00. Withdrawal - general

Wireframe ref: 21
Type: CX Standard
Requirement level: MUST
Statement: Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.
Reference: Notification Standards, CDR Receipts: Delivery
Checklist ref: 4CM2.00.21
Focus area: 00. Withdrawal - general