This page covers collection and use consents as per the requirements in rule 4.11 and the associated consumer experience data standards.
Overview
The object statement in CDR rule 4.9 provides a strong foundation for giving and amending CDR consents.
In accordance with CDR rule 4.11(1)(Note 1), an accredited person cannot infer consent, or seek to rely on an implied consent.
When asking a CDR consumer to give consent, a data recipient must:
- accord with the data standards;
- have regard to any consumer experience guidelines developed by the Data Standards Body
- be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids;
Data recipients should make the consent process as easy to understand as possible by using appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control.
This section provides examples illustrating how the guidelines may be implemented.
These types of consents contain several steps, which may include:
- Provider selection At this step, the consumer selects who they want to share data from, such as their data holder.
- Terms of consent At this step, the consumer is asked for their consent and can do so by choosing the types of CDR data they will allow the ADR to access, the access period, and the specific uses of their data.
Wireframes and guidelines
Note: The wireframes shown are examples of how to implement key rules, standards, and guidelines. Use the on-screen functions to adjust zoom level or expand the wireframes to be viewed at full screen.
Collection and use consents - default example
The following wireframes show a basic example of a collection and use consent.
CDR outsourcing, sponsorship and CDR representative arrangements
Using outsourced service providers
An accredited person or CDR representative may engage outsourced service providers (OSPs) to do one or both of the following: (1) to collect CDR data on their behalf; (2) to use or disclose data to provide specified goods or services to them.
To do so, a written contract, called a CDR outsourcing arrangement, must be in place with the OSP which meets the requirements set out in the CDR Rules. A data recipient may have both direct and indirect OSPs. This can occur where a direct OSP of the data recipient engages further OSPs in their own CDR outsourcing arrangements.
For more information on CDR outsourcing arrangements, see OAIC’s guidance on privacy obligations for principals and outsourced service providers.
This section outlines requirements for OSPs that apply on and after 12 November 2025.
The previous requirements under CDR Rule 4.11(3)(f) of the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 will continue to apply until 11 November 2025, as per the transitional provision outlined in CDR Rule 502.
Sponsorship arrangement
The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who collect CDR data from data holders on their behalf.
For more information on the sponsored accreditation model, see OAIC’s guidance on privacy obligations of sponsors and affiliates.
CDR representative arrangement
Under CDR Rules 1.10AA, the CDR representative model enables unaccredited persons (a ‘CDR representative’) to provide goods and services to consumers using CDR data, when they are in a CDR representative arrangement with an unrestricted accredited person (’a CDR representative principal’) who is liable for them.
In accordance with CDR Rule 1.10AA(1)(a), CDR representatives cannot deal with consumers in their capacity as a CDR business consumer, and as such can’t invite consumers to give a business consumer statement.
For more information on the CDR representative model, see OAIC’s guidance on privacy obligations for CDR principals and CDR representatives as well as ACCC’s CDR outsourcing arrangement fact sheet.
Business consumer statement
An accredited person can treat a consumer as a business consumer if they take reasonable steps to confirm that the consumer is a business, using the criteria specified in CDR Rule 1.10A(9).
CDR Rule 1.10A(10) outlines the circumstances in which a business consumer can be asked to provide a business consumer statement. Importantly, a business consumer statement can’t be given in relation to a Collection consent. Additionally, CDR Representatives cannot deal with consumers in their capacity as a CDR business consumer, as per CDR Rule 1.10AA(1)(a).
The following wireframes provide an example of how an accredited person can invite a business consumer to give a business consumer statement in relation to a Use consent.
Holding data as a data holder
Under the CDR Rules Clause 7.2 of Schedule 3 (Conditions for accredited person to be data holder), an authorised deposit‑taking institution (ADI) or non-bank lender who is an accredited data recipient can hold CDR data as a data holder, provided the conditions of the clause are met.
Notification prior to first collection
The following wireframes show examples to reflect requirements for collection consent and subclause 7.2(2) of Schedule 3, Conditions involving notification prior to first collection.
Permission to hold collected data as a data holder
The following wireframes demonstrate how data recipients can obtain consumer permission to become a data holder of collected CDR data per subclause 7.2(2A) of Schedule 3.
Download open source asset
Open source design assets are created in Figma for the purposes of assisting implementation. This Figma file contains annotated wireframes and working prototypes for the Collection and use consent, including:
- Collection and use consents - default example
- CDR outsourcing, sponsorship and CDR representative arrangements
- Using outsourced service providers
- Sponsorship arrangement
- CDR representative arrangement
- Business consumer statement
- Holding data as a data holder
- Conditions involving notification prior to first collection when holding data as a data holder
- Conditions involving request for permission to hold collected data as a data holder
Item | File | Date released | Version introduced |
|---|---|---|---|
1CO. Collection and use consents v1.35.0.2025.09.17 | 1CO. Collection and use consent v1.35.0.2025.09.17.fig | September 17, 2025 | 1.35.0 |
For past versions, refer to Change log.
About this page
References
The artefacts on this page were informed by the following sources.
Title | Author | Date published | URL | Type |
|---|---|---|---|---|
Change Request 701: CX Guidelines | Data Language Standards changes stemming from CD367 | Data Standards Body (DSB) | June 6, 2025 | github.com | Consultations |
Change Request 700: CX Guidelines | Redirect to App (R2A) CX Guidelines Changes | Data Standards Body (DSB) | June 5, 2025 | github.com | Consultations |
Change Request 691: CX Guidelines | Expanding Amending BCDC CX Guidelines | Data Standards Body (DSB) | April 15, 2025 | github.com | Consultations |
Consultation Draft 367: March 2025 Rules - Draft Standards | Data Standards Body (DSB) | March 14, 2025 | github.com | Consultations |
Change Request 684: CX Guidelines | ADI or NBL to hold CDR data as a DH | Data Standards Body (DSB) | February 5, 2025 | github.com | Consultations |
CDR outsourcing arrangements - Fact sheet | Australian Competition and Consumer Commission (ACCC) | December 20, 2024 | www.cdr.gov.au | Guidance |
CDR representatives - Fact sheet | Australian Competition and Consumer Commission (ACCC) | December 20, 2024 | www.cdr.gov.au | Guidance |
Change Request 674: CX Guidelines | Updates stemming from 2024 Consent Review changes | Data Standards Body (DSB) | October 2, 2024 | github.com | Consultations |
Consumer Data Right Rules: consent and operational enhancement amendments consultation | The Treasury | August 9, 2024 | treasury.gov.au | Consultations |
CDR business consumers - Fact sheet | Australian Competition and Consumer Commission (ACCC) | July 9, 2024 | www.cdr.gov.au | Guidance |
Privacy Safeguard 12 | Office of the Australian Information Commissioner (OAIC) | November 20, 2023 | oaic.gov.au | Guidance |
Consent (Data minimisation principle) | Office of the Australian Information Commissioner (OAIC) | November 10, 2023 | oaic.gov.au | Guidance |
Decision Proposal 333: Business Consumer Provisions | Data Standards Body (DSB) | October 21, 2023 | github.com | Consultations |
Consumer Data Right rules – Consent Review and operational enhancements design papers | The Treasury | August 25, 2023 | treasury.gov.au | Consultations |
Design Paper 321: Consumer Data Right Consent Review | Data Standards Body (DSB) | July 26, 2023 | github.com | Consultations |
Decision Proposal 276: July 2023 Rules | Standards Impacts | Data Standards Body (DSB) | November 3, 2022 | github.com | Consultations |
Noting Paper 273: Consent Review | Data Standards Body (DSB) | October 20, 2022 | github.com | Consultations |
Disclosure Consent Research Report | Data Standards Body (DSB) | April 4, 2022 | cx.dsb.gov.au | Research |
Phase 3, Round 3 Research Report | Data Standards Body (DSB) | August 31, 2020 | cx.dsb.gov.au | Research |
Phase 3, Round 4 and 5 Research Report | Data Standards Body (DSB) | August 31, 2020 | cx.dsb.gov.au | Research |
CX Workshop: Error handling | Office of the Australian Information Commissioner (OAIC) | August 1, 2020 | miro.com | Consultations |
Decision Proposal 127: CX Guidelines for Enhanced Error Handling | Data Standards Body (DSB) | May 21, 2020 | github.com | Consultations |
Phase 2, Stream 1 Research Report | GippsTech | July 31, 2019 | cx.dsb.gov.au | Research |
Phase 2, Stream 2 Research Report | Greater than X | July 31, 2019 | cx.dsb.gov.au | Research |
Phase 2, Stream 3 Research Report | Tobias | July 31, 2019 | cx.dsb.gov.au | Research |
Phase 1, Research Report | Tobias | February 28, 2019 | cx.dsb.gov.au | Research |
10 Usability Heuristics for User Interface Design (Flexibility and efficiency of use) | Nielsen Norman Group (NNG) | April 24, 1994 | nngroup.com | Other |
Last updated
This page was updated @September 17, 2025
Have your say
Community consultations and maintenance are part of our ongoing process. Here’s how you can get involved:
- Request new Guidelines or changes to existing Guidelines through the CX Guidelines Consultation process
- Request new Standards or changes to existing Standards through the Standards Maintenance process
- Log a ticket for any questions about the rules, standards, or guidelines through the CDR Support Portal
- Email your feedback to cx@dsb.gov.au
Quick links to CX Guidelines:
Overview
Consent
Authenticate
Authorise
Consent Management
Notifications
Accessibility statement
→ cx@dsb.gov.au → cx.dsb.gov.au | cds.gov.au