Consumer Data Right (CDR) In Australia: How It Affects Your Business

Data is now a key part of how Australian businesses compete, build trust and deliver personalised experiences. The Consumer Data Right (CDR) takes this a step further by giving consumers greater control over their information and enabling safe data sharing between accredited organisations.

If you operate in a designated sector (or plan to), CDR can open new opportunities - but it also adds strict rules you’ll need to follow. The good news is that with a clear plan and the right legal documents, you can prepare confidently.

In this guide, we’ll explain what CDR is, who it applies to, your core obligations, how it connects with privacy and consumer law, and the practical steps to get CDR-ready.

What Is The Consumer Data Right (CDR)?

The Consumer Data Right (CDR) is an Australian framework that allows consumers to safely share their data with accredited businesses they trust. It aims to increase competition, help people compare products, and support innovation while maintaining strong privacy and security standards.

CDR is being rolled out sector-by-sector through government “designation.” Banking (often called Open Banking) was first, followed by energy, with telecommunications and other sectors to follow in stages. Each sector has detailed rules about the scope of data and timing.

Under CDR, there are several roles your business might fall into:

  • Data Holder: An organisation required to share certain data (for example, a bank sharing consumer banking data) when a customer consents.
  • Accredited Data Recipient (ADR): A business that is accredited to receive CDR data and provide a service to the consumer using that data.
  • CDR Representative / Outsourced Service Provider: Businesses that work with an ADR under strict arrangements to help deliver CDR services without holding their own accreditation.

Whichever role applies, the core principle is the same: consumers are in control, consent is central, and data must be handled securely and transparently.

Does CDR Apply To My Business?

Ask yourself a few questions:

  • Do you operate in a designated CDR sector (banking, energy, or a sector that’s being phased in)?
  • Do you want to receive consumer data from another provider to offer your product or service?
  • Are you planning to share customer data with other providers at your customers’ request?

If you answered yes to any of these, CDR may already apply or soon will. Even if you’re not directly designated as a data holder, you might engage as an ADR, work under an ADR, or be a service provider in the CDR ecosystem.

There are three common pathways for businesses:

  • Become an ADR: You’ll need to meet accreditation criteria (including stringent information security requirements) and maintain ongoing compliance.
  • Partner as a CDR Representative: Operate under an ADR’s umbrella with a formal arrangement governing data handling and responsibilities.
  • Outsourced Service Provider: Deliver functions for an ADR or data holder under a documented outsourcing arrangement that meets CDR rules.

Each model carries different obligations, costs, and timelines. Many early-stage businesses start as a representative or service provider to move faster, then pursue full accreditation as they scale.

Your Core CDR Obligations

CDR is detailed, but its obligations boil down to a few core themes: consent, security, transparency, data minimisation, and governance. The exact duties depend on your role, but you should expect to cover the following.

1) Consent

  • Obtain valid, granular consent for specific data, purposes and timeframes.
  • Provide an easy-to-use consent dashboard so customers can view, manage and withdraw consent.
  • Honour withdrawals promptly and stop using data when consent ends (subject to limited retention requirements in the rules).

2) Data Handling And Minimisation

  • Collect only the data you need for the service the consumer has chosen.
  • Limit use and disclosure strictly to what’s covered by consent and the CDR rules.
  • Delete or de-identify CDR data when it’s no longer required.

3) Security And Accreditation Controls

  • Implement robust technical and organisational security controls aligned with CDR standards.
  • Maintain policies, staff training, and vendor oversight proportionate to the sensitivity of CDR data.
  • Prepare for independent audits, ongoing assurance, and incident reporting obligations.

It’s common to formalise these measures in an Information Security Policy and related procedures your team can follow day-to-day.

4) Transparency And Customer Disclosures

  • Explain what you collect, why, and how you’ll use and share data in clear, accessible language.
  • Keep your public documentation up to date, including your Privacy Policy and any CDR-specific consumer disclosures.
  • Ensure your in-product notifications and consent flows match what your policies say.

5) Incident Response And Complaints

  • Have a documented incident plan to contain and assess data incidents promptly.
  • Follow CDR and privacy reporting rules if an eligible data breach occurs.
  • Provide clear complaints handling and escalation paths for consumers.

A practical way to prepare is to maintain a living Data Breach Response Plan that maps roles, timelines and regulator notifications.

Getting CDR-Ready: A Practical Checklist

  1. Map your role (data holder, ADR, representative, or service provider) and the data you’ll handle.
  2. Run a risk and gap analysis against CDR rules and security standards.
  3. Design consent and consumer dashboards with legal and UX input.
  4. Document security, access control and vendor management practices.
  5. Review your customer-facing policies and product copy for accuracy and plain English.
  6. Train your team and test your incident response process.
  7. Set up ongoing compliance monitoring and internal audits.

Many organisations capture steps 1-3 through a structured Privacy Impact Assessment Plan, then implement the actions it identifies.

CDR, Privacy And Consumer Law: How They Fit Together

Even if you’re CDR-focused, the broader legal landscape still applies. You’ll want your approach to be consistent across CDR, privacy and consumer protection law.

Privacy Act (Australia)

The Privacy Act (and the Australian Privacy Principles) governs how most Australian businesses handle personal information. CDR is more specific, but it doesn’t replace your general privacy obligations. At a minimum, you’ll need a clear Privacy Policy, appropriate collection notices, secure storage and procedures for access and correction.

Australian Consumer Law (ACL)

Your marketing, disclosures and service representations must not be misleading or deceptive. This is especially important when explaining what data you collect and what customers will receive via CDR. Keeping your claims accurate and up to date helps you comply with section 18 of the ACL.

Record-Keeping And Data Retention

Separately from CDR, businesses may have obligations around record-keeping or retention periods (for example, under tax or sector rules). As you design data deletion and de-identification processes, make sure they align with your broader data retention obligations.

Website and Digital Interfaces

Consumers will interact with your CDR flows online, so your platform and website should be backed by clear terms. It’s common to publish Website Terms and Conditions that set user rules, liability limits and acceptable use to support your compliance posture.

Data Sourcing And Scraping

CDR is designed to reduce risky workarounds for accessing data. If your product strategy has relied on scraping or unconventional sourcing, review this carefully - there are legal risks around copyright, contract and privacy. As you pivot to CDR-compliant sources, keep in mind the issues flagged in discussions about web scraping in Australia.

Marketing And Communications

If you use CDR data to personalise marketing, you still need proper consent for marketing communications. This includes complying with spam rules and the principles outlined in resources on email marketing laws in Australia.

What Documents Should You Have In Place?

The right documents help you operationalise CDR requirements and manage legal risk. Your exact pack will depend on your role, but most CDR businesses should consider the following.

  • Privacy Policy: Publicly explains what personal information you collect, why, how you store it, and consumers’ rights. Keep it consistent with your CDR consent flows and dashboards.
  • Information Security Policy: Sets out technical and organisational controls, access rules and security governance to meet CDR expectations.
  • Data Breach Response Plan: A step-by-step playbook for detecting, assessing and notifying breaches within required timeframes.
  • Data Processing Agreement (DPA): Contractual terms with service providers that handle CDR or personal data, covering security, sub-processing, breach duties and deletion.
  • Privacy Impact Assessment Plan: A structured method to identify and address privacy and CDR risks during product design and changes.
  • Website Terms And Conditions: Sets clear platform rules, acceptable use and liability limits to support your customer experience and compliance.

Depending on your role, you may also need tailored customer terms, representative or outsourcing agreements, and internal SOPs for consent management and customer support.

If you’re unsure where to start or which documents you need for your model, it can help to speak with a lawyer for tailored privacy advice before you build.

Key Takeaways

  • CDR gives consumers control over their data and lets accredited businesses access it securely with consent in designated sectors like banking and energy.
  • Your role determines your obligations: data holder, ADR, representative or outsourced service provider each comes with different duties and documentation.
  • Core CDR requirements focus on consent, security, transparency, data minimisation and good governance - plan these into your product from day one.
  • CDR doesn’t replace other laws: align your approach with the Privacy Act, the ACL, anti-spam rules and your broader data retention requirements.
  • Practical documents such as a Privacy Policy, Information Security Policy, Data Breach Response Plan and Data Processing Agreement help you stay compliant.
  • A structured privacy impact approach, solid website terms and clear customer communications will make your rollout smoother and build trust.

If you’d like a consultation on preparing your business for the Consumer Data Right, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
