CX Guidelines

Read first CX Checklist attributes ◦ Area refers to the stage in the consumer journey, such as Pre-consent, Consent, Authenticate, Authorise, or Consent Management. ◦ Focus area refers to a specific theme in each stage (e.g. 01. User Identifier). ◦ Checklist ref contains a unique reference number for the item. ▪ The first values refer to the Area (e.g. 0DL.xx.xx for data language; 2AU.xx.xx for authentication). ▪ The second set values refer to the Focus area (e.g. xxx.01.xx). ▪ The last values refer to the annotation number used on the wireframe, where available (e.g. xxx.xx.02; wireframes are linked to in the Example column). ◦ Type refers to the source of the statement: Rules, Standards and Guidelines. ◦ Participant refers to the relevant CDR Participant for the item. ◦ Requirement level refers to the level of obligation. For the data standards, the key words MUST, MUST NOT, SHOULD, SHOULD NOT, and MAY are to be interpreted as described in RFC2119. CX Guidelines provide optional examples and recommendations; as such, a MAY is used to denote a CX Guideline for the purposes of this checklist regardless of the language used in the guideline statement. ◦ Statement refers to the relevant requirement or recommendation as articulated in the rules, standards, or guidelines. ◦ References points to the requirement itself, or its location; typically a rule, standard, or research. ◦ Example links to the relevant artefact, such as the CX Guideline page, which includes wireframes of example implementations, or a table in the case of data language standards. ◦ Version introduced refers to the version of the data standards that was current when the item was introduced to the CX Guidelines, starting from version 1.4.0. Items noted as introduced in 1.4.0 or earlier are requirements that exist in v1.4.0 of the CX Guidelines (PDF). ◦ Date introduced refers to the specific date the item was introduced to the CX Checklist, using August 2020 as a starting point (when v1.4.0 was introduced). The date will typically be the date of the version release, but some new items may not constitute a standards change (e.g. a revised wireframe or rules change) and as such may not align with standards versioning. ◦ Date modified refers to when an existing CX Checklist entry was updated, which is not necessarily the date the corresponding requirement (Rule, Standard or Guideline) was changed. ◦ Status refers to whether the item is active or has been retired from the CX Guidelines. An 'active' item is applicable and current. A 'retired' item may be labelled as such because it no longer applies, has been merged with another item, or has been removed from the CX Guidelines. A 'retired' item may still be a requirement. These statuses are used in the live CX Checklist and CSV to highlight changes between versions of the CX Guidelines.

Wireframe ref	Type	Requirement level	Statement	Reference	Checklist ref	Focus area
01	CDR Rule	MUST	An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent; or (b) amends a collection consent, use consent or disclosure consent given to an accredited person in accordance with this Division; or (c) withdraws a collection consent, use consent or disclosure consent given to an accredited person in accordance with rule 4.13.	CDR Rule 4.18	4CM3.00.01	00. CDR Receipts
02	CDR Rule	MUST	Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18.	CDR Rule 503	4CM3.00.02	00. CDR Receipts
03	CX Standard	MUST	Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST set out: • The name of the person the CDR consumer gave consent to; and • The purpose of the consent(s); and • In the case of a collection consent, the name of each CDR participant the CDR consumer consented to the collection of CDR data from; and • In the case of a disclosure consent, the name of each person the CDR consumer consented to the disclosure of CDR data to; and • A description of the data for which the consent was given; and • In the case of an insight disclosure consent, a description of the CDR insight(s); and • The duration or expiry date(s) of the relevant consent; and • Instructions for how the consent can be reviewed and, for an active consent, withdrawn, including by using a simple alternative method of communication to be made available by the accredited person for the purposes of withdrawal.	Notification Standards, CDR Receipts: Content	4CM3.00.03	00. CDR Receipts
04	CX Standard	MUST	Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.	Notification Standards, CDR Receipts: Delivery	4CM3.00.04	00. CDR Receipts
05	CX Standard	MUST	Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details. Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation. Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards.	Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Notification record	4CM3.00.05	00. CDR Receipts
06	CX Guideline	MAY	The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date.	CDR Rules 4.18 and 503; 4.20O and 506 \| Notification Standards, CDR Receipts	4CM3.00.06	00. CDR Receipts
07	CX Guideline	MAY	CDR Representatives should refer to CDR Rule 4.20O for information on their obligations when providing CDR receipts.	CDR Rule 4.20O	4CM3.00.07	00. CDR Receipts
08	CX Guideline	MAY	Data recipients should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.		4CM3.00.08	00. CDR Receipts
09	CX Guideline	MAY	Data recipients should include their CDR policy in their CDR receipts.		4CM3.00.09	00. CDR Receipts
10	CX Guideline	MAY	As per CDR Rule 4.18, data recipients are required to provide CDR receipts. Where separate consents are granted in a single flow, data recipients may provide a single CDR receipt that contains the details of each consent, or separate CDR receipts per consent. The CX Guidelines demonstrate two examples of intuitive groupings for CDR receipts: 1. collection and use consent details in one CDR receipt, and disclosure consent details in a separate CDR receipt; 2. consolidated receipt for collection, use and disclosure. Data recipients should use their discretion when grouping CDR receipts. Data recipients may consider aligning to how the consents were granted to match the consumers' mental model.	CDR Rule 4.18	4CM3.00.10	00. CDR Receipts

Wireframe ref

Type

Requirement level

Statement

Reference

Checklist ref

Focus area

CDR Rule

MUST

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent; or (b) amends a collection consent, use consent or disclosure consent given to an accredited person in accordance with this Division; or (c) withdraws a collection consent, use consent or disclosure consent given to an accredited person in accordance with rule 4.13.

CDR Rule 4.18

4CM3.00.01

00. CDR Receipts

CDR Rule

MUST

Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18.

CDR Rule 503

4CM3.00.02

00. CDR Receipts

CX Standard

MUST

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST set out: • The name of the person the CDR consumer gave consent to; and • The purpose of the consent(s); and • In the case of a collection consent, the name of each CDR participant the CDR consumer consented to the collection of CDR data from; and • In the case of a disclosure consent, the name of each person the CDR consumer consented to the disclosure of CDR data to; and • A description of the data for which the consent was given; and • In the case of an insight disclosure consent, a description of the CDR insight(s); and • The duration or expiry date(s) of the relevant consent; and • Instructions for how the consent can be reviewed and, for an active consent, withdrawn, including by using a simple alternative method of communication to be made available by the accredited person for the purposes of withdrawal.

Notification Standards, CDR Receipts: Content

4CM3.00.03

00. CDR Receipts

CX Standard

MUST

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

4CM3.00.04

00. CDR Receipts

CX Standard

MUST

Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details. Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation. Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Notification record

4CM3.00.05

00. CDR Receipts

CX Guideline

MAY

The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date.

CDR Rules 4.18 and 503; 4.20O and 506 | Notification Standards, CDR Receipts

4CM3.00.06

00. CDR Receipts

CX Guideline

MAY

CDR Representatives should refer to CDR Rule 4.20O for information on their obligations when providing CDR receipts.

CDR Rule 4.20O

4CM3.00.07

00. CDR Receipts

CX Guideline

MAY

Data recipients should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

4CM3.00.08

00. CDR Receipts

CX Guideline

MAY

Data recipients should include their CDR policy in their CDR receipts.

4CM3.00.09

00. CDR Receipts

CX Guideline

MAY

As per CDR Rule 4.18, data recipients are required to provide CDR receipts. Where separate consents are granted in a single flow, data recipients may provide a single CDR receipt that contains the details of each consent, or separate CDR receipts per consent. The CX Guidelines demonstrate two examples of intuitive groupings for CDR receipts: 1. collection and use consent details in one CDR receipt, and disclosure consent details in a separate CDR receipt; 2. consolidated receipt for collection, use and disclosure. Data recipients should use their discretion when grouping CDR receipts. Data recipients may consider aligning to how the consents were granted to match the consumers' mental model.

CDR Rule 4.18

4CM3.00.10

00. CDR Receipts