Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) A CDR consumer who has given a consent to an accredited person for the purposes of this Division may withdraw the consent at any time: (a) by using the accredited person’s consumer dashboard; | CDR Rule 4.13(1)(a) | 4CM2.00.01 | |
02 | CDR Rule | MUST | (3) Withdrawal of a consent does not affect an election under rule 4.16 that the CDR consumer’s collected CDR data be deleted once it becomes redundant. | CDR Rule 4.13(3) | 4CM2.00.02 | |
04 | CDR Rule | MUST | An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (c) withdraws such a consent in accordance with rule 4.13 | CDR Rule 4.18(c); CX Research 20 | 4CM2.00.04 | |
08 | CDR Rule | MUST | (1) A consent given under this Division expires at the earliest of the following: (a) if the consent is withdrawn in accordance with paragraph 4.13(1)(b)―the earlier of the following: (i) when the accredited person gave effect to the withdrawal; (ii) 2 business days after the accredited person received the communication; (b) if the consent is withdrawn in accordance with paragraph 4.13(1)(a)―when the consent was withdrawn; | CDR Rule 4.14(1)(a)–(b) | 4CM2.00.08 | |
09 | CDR Rule | MUST | (1) An accredited person must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. (2) Where a CDR representative provides the consumer dashboard on behalf of a CDR representative principal (see subrule 1.14(5)), the CDR representative principal may arrange for the CDR representative to update the consumer dashboard on the CDR representative principal’s behalf. | CDR Rule 4.19 | 4CM2.00.09 | |
10 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent: (f) if the consent is current—when it is scheduled to expire; (g) if the consent is not current—when it expired; Note 1: For paragraph (f), consents expire at the latest 12 months (or 7 years for certain consents by a CDR business consumer) after they are given or, in some circumstances, amended: see paragraph 4.14(1)(c). | CDR Rule 1.14(3)(f)–(g), (Note 1) | 4CM2.00.10 | |
11 | CX Guideline | MAY | Consumers may be allowing a data recipient to collect, use, and disclose their data according to the varying types of consents. This means 'sharing' may not always be the most appropriate or flexible language to use. Data recipients should tailor language to the consent type, but may consider using generic terms such as 'access' to apply to the range of consent types. CX research suggested this language was comprehensible. If a generic term is used to apply to an array of consent types or actions, data recipients should provide additional explanations to clarify what the precise consent types or actions mean in the context of that term. | | 4CM2.00.11 | |
12 | CX Guideline | MAY | Data recipients should surface information on consequences of withdrawal. This may include details from their CDR policy, as stated in CDR Rule 7.2(4)(a). | CDR Rule 7.2(4)(a); CX Research 32 | 4CM2.00.12 | |
13 | CX Guideline | MAY | Data recipients should introduce positive friction to the withdrawal flow to mitigate user error and unintended consequences. | CX Research 32; 10 Usability Heuristics for User Interface Design: Error prevention (Nielsen) | 4CM2.00.13 | |
14 | CX Guideline | MAY | Data recipients should provide a message to consumers that withdrawal was successful. This message should be clearly visible on the dashboard and shown as soon as withdrawal has taken place. | 10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen) | 4CM2.00.14 | |
15 | CX Guideline | MAY | When a consent is withdrawn, data recipients should notify the consumer: • Of the status of their consent, including the updated duration and withdrawal date; • That the data recipient is no longer collecting, using, and/or disclosing their data (depending on the type of consent withdrawn); • Of how their redundant data will be handled, and when this will come into effect if it will not be immediate (such as when the data will need to be held for legal reasons). | | 4CM2.00.15 | |
16 | CX Guideline | MAY | Data recipients can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include any known information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | | 4CM2.00.16 | |
17 | CDR Rule | MUST | (2) An accredited data recipient must keep and maintain records that record and explain the following: (b) amendments to or withdrawals of consents by CDR consumers | CDR Rule 9.3(2)(b) | 4CM2.00.17 | |
18 | CX Guideline | MAY | Data recipients are expected to record how the withdrawal was requested by the consumer in relation to CDR Rule 9.3(2)(b), but the rules do not require the method of withdrawal to be shown on the dashboard. However, data recipients may wish to do this on the dashboard and/or in any CDR Receipt they choose to provide. | CDR Rule 9.3(2)(b) | 4CM2.00.18 | |
19 | CDR Rule | MUST | (1) This rule applies if: (a) an accredited person has made a consumer data request to a CDR participant, based on a collection consent given under this Division relating to particular CDR data and that CDR participant; and (b) the request has not been completely resolved; and (c) the consent expires for any reason. (2) The accredited person must notify: (a) if the CDR participant is a data holder―the data holder, in accordance with the data standards, that the consent has expired; and (b) if the CDR participant is an accredited data recipient―the accredited data recipient as soon as practicable that the consent has expired. | CDR Rule 4.18AA | 4CM2.00.19 | |
20 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that: (d) as part of the process of withdrawing a consent, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing a consent; | CDR Rule 1.14(1)(d) | 4CM2.00.20 | |
21 | CX Standard | MUST | Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard. | | 4CM2.00.21 | |