What is the Consumer Data Right?

The Consumer Data Right, also known as the CDR, is a new law which will give consumers control over their data. CDR is being rolled out progressively across different industry sectors, starting with the Big 4 banks from 1 July 2020, as part of Open Banking. The energy and telecommunications sectors will follow. Eventually, CDR will apply to numerous sectors in the Australian economy. 

The CDR will change the current processes for moving consumer data between businesses and for providing consumer data to consumers. It is vital that businesses are ready for these changes. In this article, we look at the basics of what the CDR means if your business is affected.

What Rights Does the CDR Create?

The CDR creates the right for consumers to:

  • direct a business to securely transfer their designated data to a trusted recipient; and
  • access their designated data held by a business in a usable form.

Consumers can be individuals and they can also be businesses. Whether you are an individual or business under the CDR depends on whether you are reasonably identifiable from the CDR data.

The CDR also includes 13 Privacy Safeguards which will apply if your business is subject to the CDR. The goal of the Privacy Safeguards is to protect the personal information of consumers handled under the CDR.

Which Data Does the CDR Apply to?

The CDR law has been added into existing competition and consumer law. Further CDR rules and standards will be implemented for each industry sector, and will set out how the CDR applies to that sector. This includes how the CDR will apply to specific data types for that sector. 

For example, in the banking sector, the CDR will apply to consumer usage data for credit and debit card, deposit and transaction accounts. This will later be extended to include mortgage and personal loan data.  

The CDR rules and standards will also designate which businesses the CDR will apply to and from which date it will apply.

For example, in the banking sector, there is a staged rollout. For the Big 4 banks, the requirement to share: 

  • product data started on 6 February 2020;
  • consumer data with accredited recipients will start on 1 July 2020; 
  • consumer data with consumers will start on 1 November 2020. 

Smaller banks will adhere to the CDR in later stages.

Which Businesses Does the CDR Apply to?

As and when CDR rules and standards are implemented for each sector, they will specify which businesses are impacted. The CDR may apply to a business within the sector as a data holder, a data recipient or as a designated gateway.

Data Holders

The CDR will list specific categories of businesses considered to be data holders.

For example, with the rollout in the banking sector, the initial data holders are the Big 4 banks. Later, other authorised deposit-taking institutions will be included.

Data Recipient

Only accredited data recipients can receive data as part of the CDR. Your business must apply to become an accredited data recipient. Therefore, if your business is not a data holder, the CDR is opt-in.

To apply for accreditation, your business must meet the criteria for accreditation identified in the CDR rules.

Your business must use the accreditation portal to submit its application; accreditation is subject to approval by the regulator. 

Once accredited as a data recipient, you will have ongoing obligations to maintain accreditation, such as keeping records, reporting to the regulators and being audited.  

Designated Gateway

The government may select a designated gateway to facilitate data transfer under the CDR. The gateway will transfer data between the data holder and an accredited data recipient. 

It is not expected that businesses will be designated gateways. Instead, it is likely designated gateways will be government-controlled bodies or entities.

What Steps Should Your Business Take Now?

If your business is in the banking sector, you should consider whether you are a data holder under the CDR.

You should also consider if you should apply to become an accredited data recipient. Even if your business is not a deposit-taking institution, becoming an accredited data recipient may be beneficial for you. For example, as a fintech business, it may be useful to be eligible to receive consumer data from the banks.

If you will participate in the CDR as a data holder or data recipient, you will need to:

  • produce a customer-facing CDR policy;
  • develop internal policies and procedures on the CDR for your staff;
  • provide training for your staff on the CDR; and
  • review your dispute handling process and IT security if you intend to become accredited and maintain your accreditation.

Who Regulates the CDR?

The CDR will be regulated by two core regulatory bodies. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator with a focus on consumer benefit from the CDR. The Office of the Australian Information Commissioner will work closely with the ACCC, with a focus on privacy by design and strong privacy protections for consumers.

The law includes penalties which may be imposed against businesses for non-compliance.

For corporations, this can be:

  • up to $10 million per breach;
  • three times the value of the benefit obtained as a result of the breach; or
  • if the benefit cannot be calculated, 10% of the corporation’s annual turnover.

Key Takeaways

The CDR introduces new rights for consumers and new considerations for businesses. It will initially only apply in the banking sector and will be rolled out over time. However, now is the time to understand how the CDR may apply to your business. For example, it is useful to consider now whether you should apply to become an accredited data recipient. If so, it is important to understand the criteria for applying and your ongoing obligations, and to prepare the required internal and external documentation.

A LegalVision commercial lawyer can provide you with guidance on how the CDR applies to your business and on the accreditation requirements, and can assist your business with important policies such as your external CDR policy. Just call 1300 544 755 or fill in the form on this page.

Jacqueline Gibson
