CDR Rules on Consent
The CDR Rules propose a number of requirements in relation to consent, within which the practical guidance on consent design must sit.
For a complete list of obligations regarding the consent process, CDR Participants should refer to the latest CDR Rules.
The object statement in the CDR consent rules provides a strong foundation for giving and amending CDR consents. The elements of the object statement can be described as follows:
- Voluntary refers to consumers having genuine choice about whether they give their consent. The requirement for consent to be informed, time limited and easily withdrawn is critical to consent being voluntary.
- Express refers to consumers actively expressing their consent, which cannot be implied.
- Informed refers to information provided to consumers on the implications of providing consent. The currency of consent is maintained through ongoing engagement, such as appropriate notifications and re-consents.
- Specific as to purpose refers to consent being requested for targeted reasons rather than broad, generic, or ambiguous uses.
- Time limited refers to consent being requested in relation to a specific and finite period. The period can only be extended with a consumer's consent.
- Easily withdrawn refers to the ability to stop data being shared and used in a way that is accessible to the consumer.
Each of the elements described in the object statement has been reframed as a consent principle that centres on consumer experience and desired consumer outcomes, including, for example, that CDR consents are intuitive and trustworthy for consumers.
The consent principles are as follows:
- Consent is inclusive, empowering and creates positive outcomes
- Consent is given freely and enthusiastically
- Consent is specific, current, and reversible
- The consent process is intuitive and comprehensible
- The CDR is trustworthy and meets expectations
Comprehension is also fundamental to consent. As stated in the CDR Rules Explanatory Statement, the ‘design of an accredited person’s product or service should include consumer experience testing to ensure consumers’ comprehension of the consent process.’
The Consent Model
The Consent Model represents the current scope of the CX Working Group.
The Consent Flow
The Consent Flow consists of 3 distinct stages:
- Consent: where the consumer is asked to consent to a data recipient collecting and using their CDR data
- Authentication: where the consumer is asked to authenticate themselves with the data holder
- Authorisation: where the consumer is asked to authorise the disclosure of their CDR data to the data recipient
Consent Management
Consent Management refers to the artefacts and controls provided to a consumer to manage an existing consent or authorisation. This includes:
- A consumer dashboard provided by the data recipient (ADR) to manage collection and use consents
- A consumer dashboard provided by the data holder (DH) to manage authorisations
- The withdrawal of consents and authorisations
- CDR Receipts: required for ADRs and optional for DHs to provide to consumers in relation to consents/authorisation information
- 90-day notification: required for ADRs to alert consumers to ongoing data sharing arrangements
- A joint account disclosure option management service: where joint account holders can elect and amend disclosure preferences relating to their joint accounts (via DH)
- The management of joint account alternative notification schedules and secondary user instruction (via DH)
The Consent Flow
The Consent Flow is divided into three discrete stages: Consent; Authenticate; and Authorise.
About the Consent Flow

While the CX Guidelines are focused on The Consent Model (Consent, Authenticate and Authorise, and Consent Management), the CX research highlighted the importance of the pre-consent and post-consent stages.

Pre-Consent
Data recipient space
Consumer engages with an ADR's value proposition and learns about CDR. Pre-consent is the stage prior to the actual request for consent, which is critical for building consumer trust and confidence and for articulating the benefits of data sharing.

Consent
Data recipient space
Consumer decides whether or not to consent to the collection and use of their data after reviewing the terms of the consent, such as:
- who is requesting their data;
- what data is being requested;
- when the data will be shared;
- where data is shared to and from;
- why their data is being requested; and
- how they can manage and control the sharing and use of their data.

Authenticate
Data holder space
Consumer verifies who they are to their data holder.

Authorise
Data holder space
Consumer:
- selects the accounts they would like to share data from;
- reviews a summary of the data that will be shared; and
- authorises the sharing of that data from the data holder to the data recipient.

Post-Consent
Data recipient space
Data holder space
Consumer is presented with the outcomes of data sharing. Post-consent is the stage immediately following an authorisation, where the ADR provides the outcome of data sharing and is able to close feedback loops.
See 'Consent Management' CX Guidelines and example wireframes
Simplicity
The CX Guidelines provide examples of how to put key CDR Rules into effect, and consider a range of scenarios. The level of detail required when a data recipient is seeking consent depends on a number of factors, including:
- how the data recipient intends to use that data;
- how the data recipient intends to handle redundant data;
- how much data the data recipient is requesting; and
- how the data recipient displays this information to the consumer.
More detail and interaction is generally required if:
- a range of uses is requested;
- the data recipient does not have a general policy of deleting redundant data;
- the data recipient is requesting extensive data; and
- as a result of the above points, the data recipient requires additional elections and accompanying description.
The CX Guidelines contain design options for how to put certain rules and use cases into effect, but data recipients and data holders may consider other design patterns where appropriate based on their use case, brand/tone, and design language. Other design patterns may also be warranted to further facilitate consumer comprehension and control, such as progressive or staged disclosure.
In the wireframes below,
- Example 1 demonstrates a consumer-facing consent request where more detail and interaction is required;
- Example 2 demonstrates the same step where less detail and interaction is required.
Last updated
This page was updated December 10, 2020