What does ‘consent’ really mean in CDR?


Consumer consent is now commonplace in every digital environment. For instance, every time you use Facebook or Google to create a login for a new app like Spotify or Airbnb, you must consent to the app having access to your data. Now government regulators like the ACCC are extending consent legislation to business operations, but it’s much more than just a simple yes/no.

With the inception of the Consumer Data Right (CDR) in 2017, there is now active legislation defining what ‘consent’ means when it refers to the sharing of consumer data, and it’s a fair bit more complex than a perfunctory tick box.


So how is consented data sharing defined?

CDR is underpinned by the four Cs: choice, control, confidence and competition. 

The core objective of CDR is to give consumers control of their data, and a central tenet of data sharing is expressed consent, letting consumers prescribe every aspect of the consent journey.

CDR consent is a highly regulated and prescriptive process that ensures consumers have precise control of who is accessing their data and what purpose they’re accessing it for.

Under CDR regulation, a consumer dictates:

  • the data they’re agreeing to share
  • which organisation(s) they will share it with
  • the timeframe they’re willing to share it in
  • the purpose they’re agreeing to share it for
  • what they want done with their data once the original purpose is resolved.

But following these consent parameters isn’t enough for an organisation to receive CDR data; they must first become an accredited data recipient (ADR) or participate via one of the other CDR access models. Once the consumer defines the parameters of their consent, their Data Holder (e.g. the consumer’s bank) provides the data to the ADR.

Under the CDR, an Accredited Data Recipient (ADR): 

  • is highly regulated and audited
  • only accesses consumer data in relation to a specific purpose, in a prescriptively secure format
  • is not allowed to share a consumer’s data with any other organisation unless requested by and agreed to with the consumer
  • cannot seek consent that doesn’t comply with CDR legislation
  • must ensure that the consumer’s consent is voluntary, informed, specific, time-limited and easily withdrawn.

How is CDR consent different from previous data sharing methods? 

Before CDR, businesses could ask consumers to share access to their banking data by prompting them to log into their online banking through an undisclosed third-party data collection company. That agency would use an unregulated process commonly known as screen-scraping to sift through the consumer’s banking data. The consumer was never aware that this third-party screen scraper would continue accessing their banking data indefinitely, or until they changed their banking password. In many cases the third party would harvest, keep and/or sell the consumer’s data.

To almost any consumer this sounds like misleading and unethical business behaviour. But despite how little awareness there’s been of this questionable practice, it’s been commonplace for years. 

But now under the Consumer Data Right Act, a company can no longer sell your data or keep it indefinitely without your consent. Consumers have full visibility and control over who has access to their data, with the option to withdraw consent at any time. 

Both ADRs and consumers benefit from the safe sharing of CDR data. On one hand the consumer gains more control of their data, and on the other hand companies benefit from real-time, secure and accurate customer data they can use to develop improved products and services. 


What’s the process for granting and managing consent in the new CDR framework?

Whether a consumer consents to share their data with a mortgage broker, budgeting app, insurance company or any other ADR, the process and experience is the same. Companies collecting the data must have an ACCC-approved purpose and a compliant consent dashboard. 

A CDR-compliant consent dashboard must include functionality that allows a consumer to: 

  • grant consent
  • view consents given (current and historical)
  • manage the type of data they’re consenting to
  • expire or extend the term of their consent
  • withdraw their consent.


What does the technical application of consent look like in the CDR ecosystem?



Step 1: The consent journey starts when the Data Recipient requests the customer’s permission to collect their data. The value exchange or service is explained here.

Step 2: The consumer can select which data they are happy to share, for how long they are comfortable sharing the data, and their deletion preferences. The consumer can withdraw their consent at any time by logging back into the consent dashboard. The receiving company cannot legally ask for more data than what they need to fulfill the service. The consumer also sees which third parties receive their data and the purpose, any government accreditation numbers and the relevant CDR Policy.

Step 3: The consumer goes through a secure authentication process, where they select which bank they would like to share their data from. A consumer will never be asked to share their bank login details via a proxy as that is unregulated and not legal under CDR.

Step 4: Finally, the consumer will receive confirmation when data sharing is complete. They can then revisit the consent dashboard and withdraw consent, extend their consent, set a timeline to expire consent, or agree to ongoing consent for the benefit of improved products or services.

Ongoing: Consumers receive notifications with the status of their consent as soon as they grant it, then every 90 days, when it is changed, when it expires or when it’s withdrawn.


In short, granting consent is a multi-step, prescriptive process. But the reality is that there are hundreds of pages of government-mandated customer experience standards to understand before trying to meet the stringent compliance standards.

Luckily, as the leading CDR intermediary platform, Adatree can take the pain out of the process by turning the ongoing complexities of consent into a single API. We’ve helped many organisations achieve accreditation. We support our clients with a white-labelled consent dashboard, manage every compliant and scalable aspect of consent, provide all technical integrations to all CDR data sources across industries and take care of the rigorous conformance testing. With Adatree, consent compliance is super simple.

We remove the burden of legislative upkeep by ensuring our proprietary Data Recipient Platform remains current and compliant through the ever-changing CDR regulations.

Get in touch with our team and let’s make it happen.