This page covers collection and use consents as per the requirements in rule 4.11 and the associated consumer experience data standards.
Overview
The object statement in CDR rule 4.9 provides a strong foundation for giving and amending CDR consents.
In accordance with CDR rule 4.11(1)(Note 1), an accredited person cannot infer consent, or seek to rely on an implied consent.
When asking a CDR consumer to give consent, a data recipient must:
- accord with the data standards;
- have regard to any consumer experience guidelines developed by the Data Standards Body
- be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids;
Data recipients should make the consent process as easy to understand as possible by using appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control.
This section provides examples illustrating how the guidelines may be implemented.
These types of consents contain several steps, which may include:
- Provider selection At this step, the consumer selects who they want to share data from, such as their data holder.
- Terms of consent At this step, the consumer is asked for their consent and can do so by choosing the types of CDR data they will allow the ADR to access, the access period, and the specific uses of their data.
Wireframes and guidelines
Note: The wireframes shown are examples of how to implement key rules, standards, and guidelines. Use the on-screen functions to adjust zoom level or expand the wireframes to be viewed at full screen.
Collection and use consents - default example
The following wireframes show a basic example of a collection and use consent.
CDR outsourcing, sponsorship and CDR representative arrangements
Using outsourced service providers
An accredited person or CDR representative may engage outsourced service providers (OSPs) to do one or both of the following: (1) to collect CDR data on their behalf; (2) to use or disclose data to provide specified goods or services to them.
To do so, a written contract, called a CDR outsourcing arrangement, must be in place with the OSP which meets the requirements set out in the CDR Rules. A data recipient may have both direct and indirect OSPs. This can occur where a direct OSP of the data recipient engages further OSPs in their own CDR outsourcing arrangements.
For more information on CDR outsourcing arrangements, see OAIC’s guidance on privacy obligations for principals and outsourced service providers.
This section outlines requirements for OSPs that apply on and after 12 November 2025.
The previous requirements under CDR Rule 4.11(3)(f) of the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 will continue to apply until 11 November 2025, as per the transitional provision outlined in CDR Rule 502.
Sponsorship arrangement
The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who collect CDR data from data holders on their behalf.
For more information on the sponsored accreditation model, see OAIC’s guidance on privacy obligations of sponsors and affiliates.
CDR representative arrangement
Under CDR Rules 1.10AA, the CDR representative model enables unaccredited persons (a ‘CDR representative’) to provide goods and services to consumers using CDR data, when they are in a CDR representative arrangement with an unrestricted accredited person (’a CDR representative principal’) who is liable for them.
In accordance with CDR Rule 1.10AA(1)(a), CDR representatives cannot deal with consumers in their capacity as a CDR business consumer, and as such can’t invite consumers to give a business consumer statement.
For more information on the CDR representative model, see OAIC’s guidance on privacy obligations for CDR principals and CDR representatives as well as ACCC’s CDR outsourcing arrangement fact sheet.
Business consumer statement
An accredited person can treat a consumer as a business consumer if they take reasonable steps to confirm that the consumer is a business, using the criteria specified in CDR Rule 1.10A(9).
CDR Rule 1.10A(10) outlines the circumstances in which a business consumer can be asked to provide a business consumer statement. Importantly, a business consumer statement can’t be given in relation to a Collection consent. Additionally, CDR Representatives cannot deal with consumers in their capacity as a CDR business consumer, as per CDR Rule 1.10AA(1)(a).
The following wireframes provide an example of how an accredited person can invite a business consumer to give a business consumer statement in relation to a Use consent.
Holding data as a data holder
Under the CDR Rules Clause 7.2 of Schedule 3 (Conditions for accredited person to be data holder), an authorised deposit‑taking institution (ADI) or non-bank lender who is an accredited data recipient can hold CDR data as a data holder, provided the conditions of the clause are met.
Notification prior to first collection
The following wireframes show examples to reflect requirements for collection consent and subclause 7.2(2) of Schedule 3, Conditions involving notification prior to first collection.
Permission to hold collected data as a data holder
The following wireframes demonstrate how data recipients can obtain consumer permission to become a data holder of collected CDR data per subclause 7.2(2A) of Schedule 3.
Provider selection for white labeled brands
Complex white label product arrangements can create many authentication pathways, making it difficult for consumers to search for and navigate the list of provider brands in the data holder selection step.
To address this, wireframes and guidelines demonstrating how data recipients can surface brand names and brand groups will be published soon.
For more information on brand name and brand groups see the following guides in the CDR Support Portal: Brands in the CDR ecosystem and White Labelled brands in the CDR.
Download open source asset
Open source design assets are created in Figma for the purposes of assisting implementation. This Figma file contains annotated wireframes and working prototypes for the Collection and use consent, including:
- Collection and use consents - default example
- CDR outsourcing, sponsorship and CDR representative arrangements
- Using outsourced service providers
- Sponsorship arrangement
- CDR representative arrangement
- Business consumer statement
- Holding data as a data holder
- Conditions involving notification prior to first collection when holding data as a data holder
- Conditions involving request for permission to hold collected data as a data holder
Item | File | Date released | Version introduced |
|---|---|---|---|
Sep 17, 2025 | 1.35.0 |
For past versions, refer to Change log.
About this page
References
The artefacts on this page were informed by the following sources.
Title | Author | Date published | URL | Type |
|---|---|---|---|---|
Data Standards Body (DSB) | Jun 6, 2025 | Consultations | ||
Data Standards Body (DSB) | Jun 5, 2025 | Consultations | ||
Data Standards Body (DSB) | Apr 15, 2025 | Consultations | ||
Data Standards Body (DSB) | Mar 14, 2025 | Consultations | ||
Data Standards Body (DSB) | Feb 5, 2025 | Consultations | ||
Australian Competition and Consumer Commission (ACCC) | Dec 20, 2024 | Guidance | ||
Australian Competition and Consumer Commission (ACCC) | Dec 20, 2024 | Guidance | ||
Data Standards Body (DSB) | Oct 2, 2024 | Consultations | ||
The Treasury | Aug 9, 2024 | Consultations | ||
Australian Competition and Consumer Commission (ACCC) | Jul 9, 2024 | Guidance | ||
Office of the Australian Information Commissioner (OAIC) | Nov 20, 2023 | Guidance | ||
Office of the Australian Information Commissioner (OAIC) | Nov 10, 2023 | Guidance | ||
Data Standards Body (DSB) | Oct 21, 2023 | Consultations | ||
The Treasury | Aug 25, 2023 | Consultations | ||
Data Standards Body (DSB) | Jul 26, 2023 | Consultations | ||
Data Standards Body (DSB) | Nov 3, 2022 | Consultations | ||
Data Standards Body (DSB) | Oct 20, 2022 | Consultations | ||
Data Standards Body (DSB) | Apr 4, 2022 | Research | ||
Data Standards Body (DSB) | Aug 31, 2020 | Research | ||
Data Standards Body (DSB) | Aug 31, 2020 | Research | ||
Office of the Australian Information Commissioner (OAIC) | Aug 1, 2020 | Consultations | ||
Data Standards Body (DSB) | May 21, 2020 | Consultations | ||
GippsTech | Jul 31, 2019 | Research | ||
Greater than X | Jul 31, 2019 | Research | ||
Tobias | Jul 31, 2019 | Research | ||
Tobias | Feb 28, 2019 | Research | ||
Nielsen Norman Group (NNG) | Apr 24, 1994 | Other |
Last updated
This page was updated @Sep 17, 2025
Have your say
Community consultations and maintenance are part of our ongoing process. Here’s how you can get involved:
- Request new Guidelines or changes to existing Guidelines through the CX Guidelines Consultation process
- Request new Standards or changes to existing Standards through the Standards Maintenance process
- Log a ticket for any questions about the rules, standards, or guidelines through the CDR Support Portal
- Email your feedback to cx@dsb.gov.au
Quick links to CX Guidelines: