Updated November 16, 2023
The CDR Rules propose a number of requirements in relation to consent, within which the practical guidance on consent design must sit.
CDR Participants should refer to the latest CDR Rules for a complete list of obligations regarding the consent process.
CDR consents must be:
1. voluntary
2. express
3. informed
4. specific as to purpose
5. time limited
6. easily withdrawn
The items below are called out for emphasis:
An accredited data recipient must present each consumer with an active choice to give consent, and consent must not be the result of default settings, pre-selected options, inactivity or silence. CDR Rules 4.11(1) and (2)
A request for consent must be presented to a consumer using language and/or visual aids that are concise and easy to understand. CDR Rule 4.10(1)(a)(ii)
An accredited data recipient must provide consumers with a straightforward process to withdraw consent and provide information about that process to each consumer prior to receiving the consumer’s consent. CDR Rule 4.11(3)(g)
Consent must be voluntary. Consent is voluntary if an individual has a genuine opportunity to provide or withhold consent. Consent is not voluntary where duress, coercion or pressure is applied by any party involved in the transaction. CDR Rule 4.9
Consent must be specific as to purpose. The purpose of requesting the data should be directly associated with the specific data being requested. The broader purpose should also include information about the use case and the name of the product or service. CDR Rules 4.9, 4.11(1)
Comprehension is also fundamental to consent. As stated in the CDR Rules Explanatory Statement, the:
‘design of an accredited person’s product or service should include consumer experience testing to ensure consumers’ comprehension of the consent process.’