02

(3) An accredited person must not ask for a consent: (a) that is not in a category of consents; or (b) subject to subrule (4), for using the CDR data, including by aggregating the data, for the purpose of: (i) identifying; or (ii) compiling insights in relation to; or (iii) building a profile in relation to; any identifiable person who is not the CDR consumer who made the consumer data request. (4) Paragraph (3)(b) does not apply in relation to a person whose identity is readily apparent from the CDR data, if the accredited person is seeking consent to: (a) derive, from that CDR data, CDR data about that person’s interactions with the CDR consumer; and (b) use that derived CDR data in order to provide the requested goods or services.

CDR Rule 4.12(3), (4)

1CO.00.02

03

A request by an accredited person for a CDR consumer to give or amend a consent: (a) must comply with any relevant data standards; and (b) having regard to any consumer experience guidelines made by the Data Standards Body—must be reasonably easy to understand, including by use of plain concise language and, where appropriate, visual aids;

CDR Rule 4.10(a), (b)

1CO.00.03

04

A request by an accredited person for a CDR consumer to give or amend a consent: (c) must not include or refer to the accredited person’s CDR policy or other documents in a way that reduces understandability; and (d) must not be combined with other requests except for a consent under these rules (other than a request for direct marketing or de-identification consent).

CDR Rule 4.10(c), (d)

1CO.00.04

05

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (a) its name; (b) its accreditation number;

CDR Rule 4.11(3)(a), (b)

1CO.00.05

06

(1) When asking a CDR consumer to give a consent, an accredited person must: (aa) in the case of a use consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the specific uses of collected data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the specific uses of collected data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(aa) | CX Research 2, 6

1CO.02.06

07

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (i) in the case of a collection consent in relation to the provision of requested goods or services—an explanation of why that collection is reasonably needed, and relates to a time period that is no longer than is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;

CDR Rule 4.11(3)(c)(i) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO.02.07

08

(2) An accredited person must not ask for a collection consent, use consent or disclosure consent unless the collection, use or disclosure of CDR data in accordance with the consent would comply with the data minimisation principle.

CDR Rule 4.12(2) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO.02.08

09

(1) When asking a CDR consumer to give a consent, an accredited person must: (a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(a)

1CO.02.09

10

(2) The accredited person must not request direct marketing consents or de‑identification consents by means of pre-selected options for the purposes of subrule (1).

CDR Rule 4.11(2)

1CO.02.10

11

(1) The Data Standards Chair must make one or more data standards about each of the following: (d) the types of CDR data and descriptions of those types, to be used by CDR participants in making and responding to requests;

CDR Rule 8.11(1)(d)

1CO.02.11

12

(1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13.

CDR Rule 4.11(1)(b), (Note 2) | CX Research 4, 5

1CO.02.12

13

(1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

CDR Rule 4.12(1) | CX Research 4, 5

1CO.02.13

15

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (g) a statement that, at any time, the consent can be withdrawn;

CDR Rule 4.11(3)(g) | CX Research 7, 32

1CO.02.15

18

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (h) the following information about redundant data: (i) a statement, in accordance with rule 4.17, regarding the accredited person’s intended treatment of redundant data;

CDR Rule 4.11(3)(h)(i)

1CO.02.18

19

(1) For subparagraph 4.11(3)(h)(i), the accredited person must state whether they have a general policy, when collected CDR data becomes redundant data, of: (a) deleting the redundant data; or (b) de-identifying the redundant data; or (c) deciding, when the CDR data becomes redundant data, whether to delete it or de-identify it.

CDR Rule 4.17(1) | CX Research 18

1CO.02.19

22

(1) When asking a CDR consumer to give a consent, an accredited person must: (c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents;

CDR Rule 4.11(1)(c)

1CO.02.22

23

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent;

CDR Rule 4.18(a)

1CO.02.23

26

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking and Non-Bank Lending Language section for language to be used when requesting banking and non-bank lending data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO.02.26

27

If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking and Non-Bank Lending Language section for banking and non-bank lending data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope.

Data Language Standards: Common, Data Language Standards: Detailed scope requests

1CO.02.27

28

Data recipients MUST notify consumers of redirection prior to authentication.

Consent Standards, Consent: Redirection

1CO.02.28

29

Data recipients may choose to present data holder selection screens before or after the terms of consent.

1CO.01.29

30

Data recipients should present data holder brands in a way that is intuitive and allows consumers to search, sort and filter.

CX Research: Other 2025 (unpublished) | 10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen)

1CO.01.30

31

Data recipients should list data holder brands in an easily scannable way. This can be done alphabetically or contextually (for example, starting with popular data holders).

10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen)

1CO.01.31

33

Data recipients should also include a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes.

CX Research: 2019 Phase 2, Stream 1 report; 2020 Phase 3, Round 3 report

1CO.02.33

34

Data recipients will need to explain how the time period complies with the data minimisation principle (DMP). This is required for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for collection on a 'single occasion'). Example DMP statement for data that is yet to be generated: We need to collect and use your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management]. Example DMP statement for historical data: We need to collect the last 12 months of your data so [we can assess seasonal changes] to [provide an accurate energy comparison].

CDR Rule 4.11(3)(c), 1.8 | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO.02.34

35

Data recipients should identify whether the user is sharing individual or non-individual accounts in order to surface the correct data language.

CX Workshop: Error handling

1CO.02.35

36

Data recipients should present the purpose of the consent request in relation to each data cluster unless this statement applies equally to all datasets. If the statement applies equally to all datasets, data recipients should present this to the consumer clearly in relation to all of the datasets.

CDR Rule 4.11(3)(c), 1.8

1CO.02.36

37

Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

CX Research 8, 19

1CO.00.37

40

To build consumer trust and confidence, data recipients should surface information about data deletion. This may include details from their CDR policy, as stated in CDR Rule 7.2(4)(k), and a link to read the policy.

CDR Rule 7.2(4)(k) | CX Research: 2019 Phase 1 report; 2019 Phase 2, Stream 3 report; 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report

1CO.02.40

47

Data recipients are encouraged to provide information in relation to complaint handling at appropriate points throughout the Consent Model, such as: • during Pre-consent; • within the Consent Flow; and/or • within the CDR Receipt and/or Consumer Dashboards.

CX Research: 2020 Phase 3, Round 8 summary; 2021 Disclosure Consent report

1CO.02.47

48

CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptic, Assurance Seeker and Sensemaker behavioural archetypes. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling.

CDR Privacy Safeguard Guidelines: Privacy Safeguard 12 | CX Research: 2021 Disclosure Consent report

1CO.02.48

49

(1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must: (a) not specify a period of time that is more than 7 years; and (b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less.

CDR Rule 4.12(1A)

1CO.02.49

50

Data recipients should educate consumers about data sharing with the CDR, which may include references to the CDR protections. CX research has found that including this information increases familiarity, trustworthiness, propensity to consent, and increase the chances of adoption and successful completion.

1CO.02.50

51

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;

CDR Rule 4.11(3)(c)(ii) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO.02.51

52

Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18.

CDR Rule 503

1CO.00.52

53

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO.00.53

54

Data recipients should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

1CO.00.54

55

The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date.

CDR Rules 4.18 and 503; 4.20O and 506 | Notification Standards, CDR Receipts

1CO.00.55

56

Data holders and data recipients MUST state in consumer-facing interactions and communications that third parties do not need consumer passwords to access CDR data. The exact phrasing of this is at the discretion of the data holder and data recipient. Note: In this context, 'third parties' refers to entities on the ADR-side and does not include any third parties that the data holder may engage.

Authentication Standards, Common Authentication Standards, Authentication: Passwords

1CO.00.56

57

Data recipients MUST implement Redirect to App in accordance with the relevant consumer experience authentication and security profile standards. Data recipients MAY implement Redirect to App ahead of the date specified in the Future Dated Obligations schedule. Note: As per the future dated obligation schedule, data recipients subject to this standard are required to implement Redirect to App on and from 10 May 2027.

Authentication Schedule, Redirect to App, Data Recipients

1CO.00.57

58

Where Redirect to App is unable to be used for the purposes of CDR authentication: • Data recipients MAY provide decoupled consent experiences that facilitate separation of the Consumption Device from the authorisation flow. • Data holders MAY provide decoupled authorisation experiences that facilitate separation of the Consumption Device from the Authentication Device. If implemented, data holders and data recipients MUST support decoupled authentication in accordance with any relevant consumer experience authentication and security profile standards.

Authentication Schedule, Decoupled Authentication

1CO.00.58

59

Data recipients should populate the data holder/provider selection list using the data holder brandName field provided in the CDR Register APIs. For additional guidance on surfacing brand names and brand groups, see the CX Guidelines on Consent: Collection and use consents - Provider selection for white labeled brands.

CDR Support Portal: Brands in the CDR ecosystem

1CO.01.59

01

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (f) if the CDR data may be disclosed to, or collected by, a direct or indirect OSP (including one that is based overseas) of the accredited person: (i) a statement of that fact;

CDR Rule 4.11(3)(f)(i)

1CO.03a.01

02

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (f) if the CDR data may be disclosed to, or collected by, a direct or indirect OSP (including one that is based overseas) of the accredited person: (i) a statement of that fact; and (ii) the name of the OSP; and (iii) the OSP’s accreditation number (if any); and (iv) if the OSP is based overseas—the country in which it is based; and (v) a link to a webpage where the accredited person’s CDR policy and the OSP’s CDR policy (if any) can be directly viewed; and (vi) a statement detailing why the OSP needs to access the consumer’s CDR data; and (vii) a statement that the consumer can obtain further information about why the OSP needs to access the consumer’s CDR data from the policy if desired;

CDR Rule 4.11(3)(f)

1CO.03a.02

03

Consumer research suggested that where direct or indirect OSPs are used, consumers expected transparency in this process, and that surfacing details about participants and their roles would facilitate trustworthiness and informed consent.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO.03a.03

06

These artefacts demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including: • where an accredited data recipient uses direct or indirect OSPs; • for an affiliate using a sponsor to collect data; and • for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements.

1CO.03a.06

07

The amendments of paragraph 4.11(3)(f) of the principal rules made by the amending rules apply on and after the day that is 12 months after the commencement of the amending rules.

CDR Rule 502

1CO.03a.07

08

Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

CX Research 8, 19

1CO.03a.08

09

The previous requirements under CDR Rule 4.11(3)(f) of the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 will continue to apply until 11 November 2025. The new requirements apply on and after 12 November 2025.

CDR Rule 502

1CO.03a.09

01

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (a) its name; (b) its accreditation number;

CDR Rule 4.11(3)(a), (b)

1CO.03b.01

02

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (i) if the accredited person is an affiliate and the CDR data will be collected by a sponsor at its request: (i) a statement of that fact; and (ii) the sponsor’s name; and (iii) the sponsor’s accreditation number; and (iv) if the sponsor is based overseas—the country in which it is based; and (v) a link to a webpage where the sponsor’s CDR policy can be directly viewed; and (vi) a statement detailing why the sponsor needs to access the consumer’s CDR data; and (vii) a statement that the CDR consumer can obtain further information about collections or disclosures of CDR data from the sponsor’s CDR policy if desired.

CDR Rule 4.11(3)(i)

1CO.03b.02

03

(2B) If the accredited person is an affiliate and the CDR data will be collected by a sponsor at its request: (a) the request for a collection consent must specify that fact; and (b) a consent for the affiliate to collect the CDR data is taken to be consent for the sponsor to so collect it.

CDR Rule 4.3(2B)

1CO.03b.03

04

4.20A Application of Subdivision to sponsor and affiliate Where this Subdivision would, if not for this rule, require both an affiliate and the affiliate’s sponsor to give a notice to a CDR consumer, the sponsor and the affiliate may choose which will give the notice.

CDR Rule 4.20A

1CO.03b.04

05

For sponsorship arrangements, affiliates may display the sponsor's name and accreditation, as per CDR Rule 4.11(3)(i), where outsourced service provider involvement is surfaced to the consumer, as per CDR Rule 4.11(3)(f). As demonstrated in these artefacts, this information should be readily accessible to the consumer.

CDR Rule 4.11(3)(f), (i)

1CO.03b.05

06

As per CDR Rule 4.20A, affiliates may provide the notifications specified in subdivision 4.3.5.

CDR Rule 4.20A

1CO.03b.06

07

Inline with CDR Rule 4.11(3)(a) and (b), the name and accreditation number of the affiliate should be displayed.

CDR Rule 4.11(3)(a), (b) | CX Research: 2019 Phase 2, Stream 1 report; 2020 Phase 3, Round 3 report

1CO.03b.07

08

Data recipients should provide a high level of transparency, control, and certainty around all parties who may collect or access the data in any way. Data recipients can do this by surfacing relevant information and obligations regarding such parties and providers that would otherwise be found in CDR policies.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO.03b.08

09

These artefacts demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including: • where an accredited data recipient uses an outsourced service provider; • for an affiliate using a sponsor to collect data; and • for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements.

1CO.03b.09

10

Various CDR Rules require specific entities to provide certain items, such as dashboards and notifications, and may also require the sponsor to be referenced. These artefacts demonstrate how this information may generally be displayed so that, where appropriate, the consumer is primarily engaging with the known entity that they have a relationship with, and the sponsor is only noted as a background detail.

1CO.03b.10

01

(1) In these rules, a CDR representative arrangement is a written contract between a person with unrestricted accreditation (the CDR representative principal) and a person without accreditation (the CDR representative): (a) under which the CDR representative will offer goods and services to CDR consumers, but not in their capacity as CDR business consumers, for which it will need to use or disclose CDR data of the CDR consumer; and (b) under which, where the CDR representative has obtained the consent of a CDR consumer to the collection, use and disclosure of CDR data in accordance with rule 4.3A: (i) the CDR representative principal will: (A) make any appropriate consumer data request; and (B) disclose the relevant CDR data to the CDR representative; and (ii) the CDR representative will use or disclose the CDR data to provide the relevant goods or services to the CDR consumer; and (d) under which the CDR representative is required to comply with: (i) any rules that are expressed as applying to a CDR representative; and (ii) any consumer experience data standards that are expressed as applying to an accredited data recipient, as if the CDR representative were an accredited data recipient.

CDR Rule 1.10AA(1)(a), (b), (d)

1CO.03c.01

02

Note: From the point of view of a CDR consumer who is the customer of a CDR representative, the consumer deals with the CDR representative, as if it were an accredited person, and might not deal with the CDR representative principal at all. The consumer requests the goods or services from the CDR representative; the CDR representative identifies the CDR data that it needs in order to provide the goods and services; the consumer gives their consent to the CDR representative for the collection and use of the CDR data. The consumer is informed that the CDR representative principal will do the actual collecting, but as a background detail. A CDR representative cannot deal with a person in their capacity as a CDR business consumer.

CDR Rule 1.10AA (Note)

1CO.03c.02

03

(4) A CDR representative arrangement must require the CDR representative to comply with the following requirements in relation to any service data: (c) the CDR representative must not use or disclose the service data other than in accordance with a contract with the CDR representative principal;

CDR Rule 1.10AA(4)(c)

1CO.03c.03

04

(2) The CDR representative may, in accordance with Division 4.3A, ask the CDR consumer to give: (a) a collection consent for the CDR representative principal to collect the CDR consumer’s CDR data from the CDR participant and disclose it to the CDR representative; and (b) a use consent for the CDR representative to use it in order to provide those goods or services. Note 1: For a collection consent mentioned in paragraph (a), see subrule 1.10A(8). For consents mentioned in paragraph (b), see rule 1.10A as applied to a CDR representative under subrule 1.10A(5). Note 2: In order to provide goods or services in accordance with the CDR consumer’s request, it might be necessary for the CDR representative principal to request CDR data from more than 1 CDR participant. Note 3: The CDR data may be collected and used only in accordance with the data minimisation principle: see rule 1.8.

CDR Rule 4.3A(2)

1CO.03c.04

06

(8) For an accredited person with a CDR representative, a consent given by a CDR consumer under these rules to the CDR representative for the accredited person to collect particular CDR data from a CDR participant for that CDR data and disclose it to the CDR representative is also a collection consent.

CDR Rule 1.10A(8)

1CO.03c.06

12

For CDR representative arrangements, CDR representatives are required to display their own name as per rule 4.20E(3)(a), but as an unaccredited participant they are not required to display their accreditation number (as they do not have one). CDR representatives are required by rules 4.20E(3)(d) and (e) to display the CDR principal's name and accreditation number. The CDR representative may choose to display the principal's accreditation number in relation to the representative's name, and may also surface the principal's name, accreditation number, and other details, such as those specified in rules 4.20E(3)(b), (j) and (l) where outsourced service provider involvement is surfaced to the consumer, as per rule 4.20E(3)(k). As demonstrated in these artefacts, this information should be readily accessible to the consumer.

CDR Rule 4.20E(3)

1CO.03c.12

13

CDR representatives can refer to the Principal as a background detail in the relevant artefacts, e.g. dashboard, withdrawal, notifications etc.

CDR Rule 1.10AA

1CO.03c.13

15

Data recipients should provide a high level of transparency, control, and certainty around all parties who may collect or access the data in any way. Data recipients can do this by surfacing relevant information and obligations regarding such parties and providers that would otherwise be found in CDR policies.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO.03c.15

16

These artefacts demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including: • where an accredited data recipient uses an outsourced service provider; • for an affiliate using a sponsor to collect data; and • for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements.

1CO.03c.16

21

Note: Under rule 4.3A, if a CDR representative asks a CDR consumer for their consent to collect and use their CDR data, it must do so in accordance with this Division, and in particular, rules 4.20D, 4.20E and 4.20F. A failure to do so could result in the CDR representative principal being liable for one or more civil penalty provisions: see section 56EF of the Act and rule 1.16A.

CDR Rules, Subdivision 4.3A.2 (Note)

1CO.03c.21

22

(3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information: (d) the CDR representative principal’s name; (e) the CDR representative principal’s accreditation number;

CDR Rule 4.20E(3)(d), (e)

1CO.03c.22

23

(3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information: (b) the fact that the person is a CDR representative and that the CDR data will be collected by its CDR representative principal at its request; (j) a link to the CDR representative principal’s CDR policy; (l) a statement that the CDR consumer can obtain further information about the collections or disclosures for which consent is requested from the CDR representative principal’s CDR policy if desired;

CDR Rule 4.20E(3)(b), (j), (l)

1CO.03c.23

24

(3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information: (a) its name;

CDR Rule 4.20E(3)(a)

1CO.03c.24

25

(3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information: (m) a statement that, at any time, the consent can be withdrawn;

CDR Rule 4.20E(3)(m)

1CO.03c.25

26

(3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information: (n) the following information about redundant data: (i) a statement, in accordance with rule 4.20N, regarding the CDR representative’s intended treatment of redundant data;

CDR Rule 4.20E(3)(n)(i)

1CO.03c.26

27

(1) A CDR representative must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

CDR Rule 4.20F(1)

1CO.03c.27

29

A CDR representative must give the CDR consumer a notice that complies with the data standards as soon as practicable after: (a) the CDR consumer gives the CDR representative a collection consent, a use consent or a disclosure consent;

CDR Rule 4.20O(a)

1CO.03c.29

30

A request by a CDR representative for a CDR consumer to give or amend a consent: (a) must comply with any relevant data standards; and (b) having regard to any consumer experience guidelines developed by the Data Standards Body—must be reasonably easy to understand, including by use of plain concise language and, where appropriate, visual aids; and (c) must not include or refer to the CDR representative principal’s CDR policy or other documents in a way that reduces understandability; and (d) must not be combined with other requests except for a consent under these rules (other than a request for direct marketing or de-identification consent).

CDR Rule 4.20D

1CO.03c.30

31

(1) When asking a CDR consumer to give a consent, a CDR representative must: (a) in the case of a collection consent or a disclosure consent—either:  (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or  (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.20E(1)(a)

1CO.03c.31

32

(1) When asking a CDR consumer to give a consent, a CDR representative must: (aa) in the case of a use consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the specific uses of collected data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the specific uses of collected data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.20E(1)(aa)

1CO.03c.32

33

(1) When asking a CDR consumer to give a consent, a CDR representative must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time;

CDR Rule 4.20E(1)(b)

1CO.03c.33

34

(1) When asking a CDR consumer to give a consent, a CDR representative must: (d) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (c) for each relevant category of consents;

CDR Rule 4.20E(1)(d)

1CO.03c.34

35

(2) The CDR representative must not present direct marketing consents or de‑identification consents as pre-selected options to the CDR consumer for the purposes of subrule (1).

CDR Rule 4.20E(2)

1CO.03c.35

36

(1) For subparagraph 4.20E(3)(n)(i), the CDR representative must state whether they have a general policy, when collected CDR data becomes redundant data, of:  (a) deleting the redundant data; or  (b) de‑identifying the redundant data; or  (c) deciding, when the CDR data becomes redundant data, whether to delete it or de‑identify it.

CDR Rule 4.20N(1) | CX Research 18

1CO.03c.36

37

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO.03c.37

38

Data recipients should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

1CO.03c.38

39

The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 506 and further detailed in the Explanatory Statement issued for the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024. Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date.

CDR Rules 4.20O and 506 | Notification Standards, CDR Receipts

1CO.03c.39

01

(9) For these rules, a CDR consumer is taken to be a CDR business consumer in relation to a consumer data request to be made by an accredited person if the accredited person has taken reasonable steps to confirm that: (a) the CDR consumer is not an individual; or (b) the CDR consumer has an active ABN.

CDR Rule 1.10A(9)

1CO.04.01

02

(2) An accredited data recipient must keep and maintain records that record and explain the following: (eg) any steps taken for the purposes of subrule 1.10A(9) to confirm that a CDR consumer is a CDR business consumer;

CDR Rule 9.3(2)(eg)

1CO.04.02

03

(10) For these rules, a business consumer statement is a statement made by a CDR business consumer that: (a) is given in relation to a consent in one of the following categories: (i) use consents relating to the goods or services requested by the CDR business consumer; (ii) TA disclosure consents; (iii) insight disclosure consents; (iv) business consumer disclosure consents; and (b) certifies that the consent is given for the purpose of enabling the accredited person to provide goods or services to the CDR business consumer in its capacity as a business (and not as an individual). Note: Only an accredited person is able to deal with a CDR consumer in the CDR consumer’s capacity as a CDR business consumer, and is hence able to invite a CDR consumer to provide a business consumer statement.

CDR Rule 1.10A(10)

1CO.04.03

04

(1) When asking a CDR consumer to give a consent, an accredited person must: (bb) where the accredited person proposes, or is offering, to deal with a person in their capacity as a CDR business consumer in relation to a consent of a kind mentioned in paragraph 1.10A(10)(a)―invite the CDR business consumer to provide the business consumer statement;

CDR Rule 4.11(1)(bb)

1CO.04.04

05

(12) An accredited person must not make: (b) the giving of a business consumer statement; a condition for supply of the goods or services requested by the CDR business consumer.

CDR Rule 1.10A(12)(b)

1CO.04.05

06

(13) To avoid doubt, paragraphs (12)(a) and (b) do not apply where the only good or service that is requested by the CDR business consumer is for CDR data to be collected from a data holder and provided to a specified person.

CDR Rule 1.10A(13)

1CO.04.06

07

(1) When asking a CDR consumer to give a consent, an accredited person must: (a) in the case of a collection consent or a disclosure consent—either:  (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or  (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(a)

1CO.04.07

08

(1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; and Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13.

CDR Rule 4.11(1)(b), (Note 2)

1CO.04.08

09

(1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

CDR Rule 4.12(1)

1CO.04.09

10

(1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must: (a) not specify a period of time that is more than 7 years; and (b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less.

CDR Rule 4.12(1A)

1CO.04.10

11

(10) For these rules, a business consumer statement is a statement made by a CDR business consumer that: (a) is given in relation to a consent in one of the following categories: (i) use consents relating to the goods or services requested by the CDR business consumer;

CDR Rule 1.10A(10)(a)(i)

1CO.04.11

12

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent;

CDR Rule 4.18(a)

1CO.04.12

15

Data recipients MUST use plain and concise language when inviting a consumer to give a business consumer statement.

Business consumer statement: Content

1CO.04.15

16

When seeking a business consumer statement, data recipients MUST invite the business consumer to give the business consumer statement in a manner that is explicit, express, and through an active selection or declaration. The giving of a business consumer statement MUST be clearly separated from any other interaction or information provided to the consumer and MUST NOT be implied or bundled with any other permission.

Business consumer statement: Method

1CO.04.16

17

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking and Non-Bank Lending Language section for language to be used when requesting banking and non-bank lending data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO.04.17

18

If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking and Non-Bank Lending Language section for banking and non-bank lending data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope.

Data Language Standards: Common, Data Language Standards: Detailed scope requests

1CO.04.18

19

Data recipients should only request a business consumer statement if they have verified the consumer is a business consumer — per CDR Rule 1.10A(9) — and reasonably expect them to be intending to use the service for business purposes. Appropriate pre-consent and onboarding experiences can assist with funnelling consumers towards the most appropriate consent flow for their needs. This can reduce cognitive load for non-business consumers, and prevent consumers from inadvertently providing a business consumer statement.

CDR Rule 1.10A(9)

1CO.04.19

20

Inline with CDR Rule 1.10A(9), when verifying the consumer is not an individual or has an active ABN, data recipients should be satisfied that the evidence given — such as the ABN — is current and relates to the consumer.

CDR Rule 1.10A(9)

1CO.04.20

21

In accordance with CDR Rule 4.11(1)(bb), data recipients must invite a business consumer to give a business consumer statement in the consent flow. This invitation should be presented upfront. Doing so can help data recipients determine the appropriate consent duration and customer data language standards to surface, and whether a business consumer disclosure consent can be requested.

CDR Rule 4.11(1)(bb)

1CO.04.21

22

In accordance with CDR Rule 1.10A(10), a business consumer statement cannot be made in relation to a collection consent. As such, CDR Rule 4.12(1) stipulates that the maximum duration for collection consent is 12 months.

CDR Rule 1.10A(10), 4.12(1)

1CO.04.22

23

Data recipients should only present business consumers with a pre-selected duration of more than 12 months where the service reasonably requires this and in compliance with the data minimisation principle, CDR Rule 1.8.

CDR Rule 1.8

1CO.04.23

24

Where a data recipient presents a duration over 12 months for a consent that includes a business consumer statement, they must give the consumer at least one option of 12 months or less, to meet CDR Rule 4.12(1A)(b). For example, if a data recipient presents a 3 year duration, they might offer a 12 month option, a 6 month option, or both, but at least one must be offered. Data recipients are not required to allow the consumer to choose an alternative duration where durations of 12 months or less are proposed. However, data recipients may voluntarily provide this choice. When presenting duration options, data recipients should present consumers with a limited selection of duration options to reduce cognitive load. The options presented should represent the most common and/or most appropriate durations for the service being offered and be in compliance with the data minimisation principle.

CDR Rule 4.12(1A)(b) | 10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen)

1CO.04.24

25

(1) When asking a CDR consumer to give a consent, an accredited person must: (c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents;

CDR Rule 4.11(1)(c)

1CO.04.25

26

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO.04.26

27

The rules do not allow an individual without an active ABN to be treated as a CDR business consumer.

ACCC CDR business consumers - Fact sheet

1CO.04.27

01

A request by an accredited person for a CDR consumer to give or amend a consent: (a) must comply with any relevant data standards; and (b) having regard to any consumer experience guidelines made by the Data Standards Body—must be reasonably easy to understand, including by use of plain concise language and, where appropriate, visual aids;

CDR Rule 4.10(a), (b)

1CO.05a.01

02

A request by an accredited person for a CDR consumer to give or amend a consent: (c) must not include or refer to the accredited person’s CDR policy or other documents in a way that reduces understandability; and (d) must not be combined with other requests except for a consent under these rules (other than a request for direct marketing or de-identification consent).

CDR Rule 4.10(c), (d)

1CO.05a.02

03

(2) An accredited person must not ask for a collection consent, use consent or disclosure consent unless the collection, use or disclosure of CDR data in accordance with the consent would comply with the data minimisation principle.

CDR Rule 4.12(2) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO.05a.03

04

(1) For the purposes of paragraph 56AJ(4)(c) of the Act, the following conditions are specified: (a) the person is an ADI or a relevant non-bank lender; and (aa) under Part 6 of this Schedule, these rules already apply to the person in their capacity as a data holder of other CDR data; and (b) the accredited person has collected CDR data, or any data directly or indirectly derived from CDR data (together, the relevant CDR data), in accordance with a collection consent; (c) the accredited person reasonably believes that the relevant CDR data is relevant to its supply of a product to the CDR consumer, for that data; (d) either: (i) the conditions specified in subclause (2); or (ii) the conditions specified in subclause (2A).

CDR Rule Clause 7.2(1) of Schedule 3

1CO.05a.04

05

(1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13.

CDR Rule 4.11(1)(b), (Note 2) | CX Research 4, 5

1CO.05a.05

06

(1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

CDR Rule 4.12(1) | CX Research 4, 5

1CO.05a.06

07

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (i) in the case of a collection consent in relation to the provision of requested goods or services—an explanation of why that collection is reasonably needed, and relates to a time period that is no longer than is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;

CDR Rule 4.11(3)(c)(i) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO.05a.07

08

(1) When asking a CDR consumer to give a consent, an accredited person must: (a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(a)

1CO.05a.08

09

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:  (a) its name;  (b) its accreditation number; 

CDR Rule 4.11(3)(a), (b)

1CO.05a.09

10

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (g) a statement that, at any time, the consent can be withdrawn;

CDR Rule 4.11(3)(g) | CX Research 7, 32

1CO.05a.10

11

Conditions involving notification prior to first collection (2) For subparagraph (1)(d)(i), the conditions are: (a) either: (i) the accredited person is supplying the product to the CDR consumer; or (ii) the accredited person has received an application from the CDR consumer for the supply of the product to the CDR consumer, or is aware that the CDR consumer proposes to apply for the supply of the product; and (b) prior to the first collection of the relevant CDR data in accordance with the collection consent, the accredited person notified the CDR consumer that the accredited person would hold that data in accordance with the accredited person’s usual data holding practices for consumer data. Note: If, prior to the first collection of the relevant CDR data, an accredited person has notified the CDR consumer in accordance with this subclause, the accredited person does not need to notify the CDR consumer again before collecting further data in accordance with the collection consent.

CDR Rule Clause 7.2(2) of Schedule 3

1CO.05a.11

12

(1) When asking a CDR consumer to give a consent, an accredited person must: (c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents;

CDR Rule 4.11(1)(c)

1CO.05a.12

13

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent;

CDR Rule 4.18(a)

1CO.05a.13

14

Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18.

CDR Rule 503

1CO.05a.14

15

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking Language section for language to be used when requesting banking data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO.05a.15

16

If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking and Non-Bank Lending Language section for banking and non-bank lending data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope.

Data Language Standards: Common, Data Language Standards: Detailed scope requests

1CO.05a.16

17

Data recipients MUST notify consumers of redirection prior to authentication.

Consent Standards, Consent: Redirection

1CO.05a.17

18

Data holders and data recipients MUST state in consumer-facing interactions and communications that third parties do not need consumer passwords to access CDR data. The exact phrasing of this is at the discretion of the data holder and data recipient. Note: In this context, 'third parties' refers to entities on the ADR-side and does not include any third parties that the data holder may engage.

Authentication Standards, Common Authentication Standards, Authentication: Passwords

1CO.05a.18

19

Data recipients MUST implement Redirect to App in accordance with the relevant consumer experience authentication and security profile standards. Data recipients MAY implement Redirect to App ahead of the date specified in the Future Dated Obligations schedule. Note: As per the future dated obligation schedule, data recipients subject to this standard are required to implement Redirect to App on and from 10 May 2027.

Authentication Schedule, Redirect to App, Data Recipients

1CO.05a.19

20

Where Redirect to App is unable to be used for the purposes of CDR authentication: • Data recipients MAY provide decoupled consent experiences that facilitate separation of the Consumption Device from the authorisation flow. • Data holders MAY provide decoupled authorisation experiences that facilitate separation of the Consumption Device from the Authentication Device. If implemented, data holders and data recipients MUST support decoupled authentication in accordance with any relevant consumer experience authentication and security profile standards.

Authentication Schedule, Decoupled Authentication

1CO.05a.20

21

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO.05a.21

22

Data recipients may choose to present data holder selection screens before or after the terms of consent.

1CO.05a.22

23

Data recipients should present data holder brands in a way that is intuitive and allows consumers to search, sort and filter.

CX Research: Other 2025 (unpublished) | 10 Usability Heuristics for User Interface Design (Nielsen): Match Between the System and the Real World; Flexibility and efficiency of use

1CO.05a.23

24

Data recipients should list data holders in an easily scannable way. This can be done alphabetically or contextually (for example, starting with popular data holders).

10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen)

1CO.05a.24

25

Data recipients implementing CDR Rule Clause 7.2(2) need only comply with rules and standards for collection consents. Authorised deposit-taking institutions (ADIs) or non-bank lenders (NBLs) who are accredited persons, do not need to comply with CDR requirements for other consent types (such as use, de-identification, or disclosure). These entities may use and disclose the collected data according to their usual data handling practices for the use case, even when these practices extend beyond the use and disclosure constraints in the CDR rules.

1CO.05a.25

26

Data recipients will need to explain how the time period complies with the data minimisation principle (DMP). This is required for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for collection on a 'single occasion'). Example DMP statement for data that is yet to be generated: We need to collect and use your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management]. Example DMP statement for historical data: We need to collect the last 12 months of your data so [we can assess seasonal changes] to [provide an accurate energy comparison].

CDR Rule 4.11(3)(c), 1.8 | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO.05a.26

27

Data recipients should identify whether the user is sharing individual or non-individual accounts in order to surface the correct data language.

CX Workshop: Error handling

1CO.05a.27

28

Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

CX Research 8, 19

1CO.05a.28

29

Data recipients should present the purpose of the consent request in relation to each data cluster unless this statement applies equally to all datasets. If the statement applies equally to all datasets, data recipients should present this to the consumer clearly in relation to all of the datasets.

CDR Rule 4.11(3)(c), 1.8

1CO.05a.29

30

Privacy Safeguard 12 and the requirements to inform the consumer of the data recipient's redundant data handling practices do not apply, as the accredited ADI/NBL would would be handling the collected data in their capacity as a data holder.

CDR Rule 4.11(1)(e), 4.11(3)(h), 4.16, 4.17, 7.12 | CDR Privacy Safeguard Guidelines: Privacy Safeguard 12 | Withdrawal Standards, Withdrawing consent; Withdrawal Standards, Withdrawing authorisation: Redundant data

1CO.05a.30

31

If the data recipient uses an outsourced service provider (OSP) to facilitate the collection of CDR data on their behalf, they must provide the details outlined in CDR Rule 4.11(3)(f). For more details, see Collection and use consents: Using outsource service providers. In instances where CDR data will only be disclosed to an OSP after collection, the data recipient does not need to provide these details.

CDR Rule 4.11(3)(f)

1CO.05a.31

32

Data recipients should also include a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes.

1CO.05a.32

33

Data recipients may display the notification outlined in CDR Rule Clause 7.2(2)(b) of Schedule 3 as part of the terms for consent when seeking a collection consent.

1CO.05a.33

34

Regarding collection consent, CDR Rule 4.11(1)(c) requires data recipients to obtain the consumer's express consent to: • collect specific types of CDR data • collect that data for a specified time period

CDR Rule 4.11(1)(a), (b), (c)

1CO.05a.34

35

Data recipients should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

1CO.05a.35

36

The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date.

CDR Rules 4.18 and 503; 4.20O and 506 | Notification Standards, CDR Receipts

1CO.05a.36

01

(1) For the purposes of paragraph 56AJ(4)(c) of the Act, the following conditions are specified: (a) the person is an ADI or a relevant non-bank lender; and (aa) under Part 6 of this Schedule, these rules already apply to the person in their capacity as a data holder of other CDR data; and (b) the accredited person has collected CDR data, or any data directly or indirectly derived from CDR data (together, the relevant CDR data), in accordance with a collection consent; (c) the accredited person reasonably believes that the relevant CDR data is relevant to its supply of a product to the CDR consumer, for that data; (d) either: (i) the conditions specified in subclause (2); or (ii) the conditions specified in subclause (2A).

CDR Rule Clause 7.2(1) of Schedule 3

1CO.05b.01

02

Conditions involving request for consent (2A) For subparagraph (1)(d)(ii), the conditions are that: (a) the accredited person is supplying the product to the CDR consumer; and (b) the accredited person has requested the CDR consumer to consent to the accredited person changing from an accredited data recipient of the relevant CDR data to a data holder of the relevant CDR data;

CDR Rule Clause 7.2(2A)(a), (b) of Schedule 3

1CO.05b.02

03

Conditions involving request for consent (2A) For subparagraph (1)(d)(ii), the conditions are that: (c) the accredited person has informed the CDR consumer: (iii) why the accredited person was entitled to request the consumer’s consent to the change;

CDR Rule Clause 7.2(2A)(c)(iii) of Schedule 3

1CO.05b.03

04

Conditions involving request for consent (2A) For subparagraph (1)(d)(ii), the conditions are that: (c) the accredited person has informed the CDR consumer: (i) that, if the consumer consents to that change, the privacy safeguards applicable to a data holder (rather than those applicable to an accredited data recipient) would apply to the accredited person in relation to the relevant CDR data;

CDR Rule Clause 7.2(2A)(c)(i) of Schedule 3

1CO.05b.04

05

Conditions involving request for consent (2A) For subparagraph (1)(d)(ii), the conditions are that:(c) the accredited person has informed the CDR consumer: (ii) of the manner in which the accredited person proposes to treat the relevant CDR data;

CDR Rule Clause 7.2(2A)(c)(ii) of Schedule 3

1CO.05b.05

06

Conditions involving request for consent (2A) For subparagraph (1)(d)(ii), the conditions are that: (d) the CDR consumer has consented.

CDR Rule Clause 7.2(2A)(d) of Schedule 3

1CO.05b.06

07

Conditions involving request for consent (2A) For subparagraph (1)(d)(ii), the conditions are that: (c) the accredited person has informed the CDR consumer: (iv) of the consequences of the consumer not giving their consent to the change;

CDR Rule Clause 7.2(2A)(c)(iv) of Schedule 3

1CO.05b.07

08

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking Language section for language to be used when requesting banking data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO.05b.08

09

If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking and Non-Bank Lending Language section for banking and non-bank lending data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope.

Data Language Standards: Common, Data Language Standards: Detailed scope requests

1CO.05b.09

10

Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

CX Research 8, 19

1CO.05b.10

11

When requesting for consent to become a data holder of the collected data, the accredited person should clearly display information about the data that will be handled under different protection frameworks.

1CO.05b.11

12

It is at the data recipient’s discretion in how they phrase the consequences of not giving consent as per Clause 7.2(2A)(c)(iv) of Schedule 3. For example, they may offer alternative data collection methods if the consumer chooses to decline this permission, though they should consider emphasising the benefits of using CDR over these alternatives.

CDR Rule Clause 7.2(2A)(c)(iv) of Schedule 3

1CO.05b.12

01

Data recipients may choose to present data holder selection screens before or after the terms of consent.

1CO.06.01

02

Data recipients should present data holder brands in a way that is intuitive and allows consumers to search, sort and filter.

CX Research: Other 2025 (unpublished) | 10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen)

1CO.06.02

03

Data recipients should list data holder brands in an easily scannable way. This can be done alphabetically or contextually (for example, starting with popular data holders).

10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen)

1CO.06.03

04

Data recipients should populate the data holder/provider selection list using the data holder brandName field provided in the CDR Register APIs.

CDR Support Portal: Brands in the CDR ecosystem

1CO.06.04

05

In cases where the brandGroup field is specified by the data holder, data recipients can visually present the related data holder/white label brands under a single grouping.

CDR Support Portal: White Labelled brands in the CDR

1CO.06.05

06

Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

CX Research 8, 19

1CO.06.06