What are the consent requirements under the CDR regime?

The Consumer Data Right (CDR) gives consumers, including individuals and small businesses, a secure way to control which businesses have access to their data. Since the introduction of the CDR, consumers have been able to check how their current supplier stacks up against its competitors, compare rates on different financial products and soon switch between different providers.

One of the hallmarks of the CDR is the promise of unparalleled convenience and efficiency. However, the advantages of the CDR can only be embraced by those consumers who give their consent for their CDR data to be collected and used.

It's important to understand that the CDR is an 'opt-in service', which means that consumers can choose whether to use it or not. An accredited data recipient (ADR) must obtain consumers' express consent in order to use their CDR data. In this blog post, we will explore the consent requirements under the CDR and the process of obtaining consent for the purposes of the CDR.

What is consent?

The CDR Rules contain specific requirements for the ADR's processes for seeking consent in the CDR regime, as well as for information that must be presented to a consumer when they are being asked to consent.

Under the CDR Rules, any consent given must be done in a way that is:

Voluntary (i.e. done so without coercion)
Express (i.e. done in an open and obvious way)
Informed (i.e. given on the basis of good comprehension)
Specific to purpose (i.e. limited to the purpose of the request)
Time limited (i.e. given only for a certain period of time)
Easily withdrawn (i.e. easy to revoke)

When does my company need to obtain consent?

If your company:

Offers a good or service through the CDR regime; and
Needs to collect a consumer's CDR data from a data holder or an ADR in order to use it to provide such goods or services,
then your company must request the consumer's consent to the collection and use of their CDR data.

In giving the above consents, the consumer provides your company with a 'valid request' to seek to collect the relevant CDR data. You may only collect and use the CDR data if you have obtained these consents. The consumer's consent to the specific uses of their CDR data only remains valid for up to 12 months.

What does my company's CDR policy have to say about consent?

There are also certain things you will have to include in your company's CDR policy with respect to consent. There are certain events that an ADR must notify consumers about in relation to their CDR data.

These events include (but are not limited to):

When a consumer gives consent to the person collecting and using their CDR data;
When a consumer withdraws consent;
Collection of a consumer's CDR data; and
Ongoing notification requirements about a consumer's consent.

Your CDR policy must also set out the consequences for the consumer if they decide to withdraw their consent to collect and use CDR data. If your company imposes any early cancellation fees on consumers for withdrawing consent, this must be made clear in the CDR policy.

How to ask for consent?

The most practical and efficient way to ask for users’ consent is to enable a pop-up interface which allows the user to click a button that indicates their consent (or refusal) to the collection and use of their CDR data, before they can access the services that your company seeks to provide. The notice should be as easy to understand as practicable, and use concise language.

It's important to ensure that the notice allows the consumer to actively select what types of CDR data they consent to being collected, disclosed or used, and which they do not consent to. For example, a consumer may be happy for you to collect their bank transaction data, but may not consent to their contact details being collected or disclosed.

The stringent standards and consent requirements under the CDR regime can be tricky to navigate by yourself.

At Fiskil, we offer an out-of-the-box solution that can help you take care of the compliance side of things, so that you can focus on using CDR data to offer innovative services and products that will set you apart from your competitors.

To find out how Fiskil can help connect your business with Open Banking data, Get in touch.

What is consent?

Under the CDR Rules, any consent given must be done in a way that is:

Voluntary (i.e. done so without coercion)

Express (i.e. done in an open and obvious way)

Informed (i.e. given on the basis of good comprehension)

Specific to purpose (i.e. limited to the purpose of the request)

Time limited (i.e. given only for a certain period of time)

Easily withdrawn (i.e. easy to revoke)

When does my company need to obtain consent?

If your company:

Offers a good or service through the CDR regime; and

Needs to collect a consumer's CDR data from a data holder or an ADR in order to use it to provide such goods or services,

then your company must request the consumer's consent to the collection and use of their CDR data.

What does my company's CDR policy have to say about consent?

These events include (but are not limited to):

When a consumer gives consent to the person collecting and using their CDR data;

When a consumer withdraws consent;

Collection of a consumer's CDR data; and

Ongoing notification requirements about a consumer's consent.

How to ask for consent?

The stringent standards and consent requirements under the CDR regime can be tricky to navigate by yourself.

To find out how Fiskil can help connect your business with Open Banking data, Get in touch.

What are the consent requirements under the CDR regime?

What is consent?

When does my company need to obtain consent?

What does my company's CDR policy have to say about consent?

How to ask for consent?

Related articles

What are the consent requirements under the CDR regime?

What is consent?

When does my company need to obtain consent?

What does my company's CDR policy have to say about consent?

How to ask for consent?

Related articles