Consumer Data Right (CDR) is a legal regime in Australia. It obliges businesses in specific industries that hold consumer data to share a customer’s data with accredited third parties when the relevant customer consents to the sharing. Open banking is the implementation of CDR in the banking sector. Other sectors in the market, like the energy and the telecommunication sectors, are to follow suit. This article describes how a business can take advantage of the CDR regime as an accredited data recipient.
Purpose of Consumer Data Right
The CDR regime aims to give consumers more control over their data and enhance their ability to compare and change services and products. This, in turn, is meant to facilitate more market competition and increase the availability of better, cheaper, and innovative products and services in the Australian market.
CDR recognises that the amount of consumer data is exponentially increasing. Likewise, the major players in different sectors, including banking, energy and telecommunications, exercise a monopoly over that data. The CDR regime obliges businesses across different sectors (data holders) to share consumer data with accredited third parties (accredited data recipients) where a customer consents to sharing the data.
Taking Advantage of the Consumer Data Right
Your business can take advantage of the CDR regime by becoming an accredited data recipient. An accredited data recipient is a person that the Australian Competition and Consumer Commission (ACCC) accredits to accept data from data holders if a customer consents to sharing their data.
The accredited data recipient may only use the data for specific purposes to which the customer consented. For example, a service an accredited data recipient can provide is to analyse a customer’s data and recommend appropriate products and services that are available in the market and suit the customer’s needs. An accredited data recipient can also be a business that provides the services a customer wants to procure so that it can analyse the data and recommend the business’ services that suit the customer.
The Application Process
Any business that wants to be an accredited data recipient must apply to the ACCC. The ACCC will assess if the business can meet specific legal and IT requirements and pass the onboarding requirements. After assessing the application, the ACCC can either:
- accredit the applicant as an accredited data recipient;
- accredit the applicant with conditions; or
- refuse to accredit the applicant.
Legal Obligations of an Accredited Data Recipient
An accredited data recipient must comply with several legal obligations.
Complying With the Privacy Safeguards
An accredited data recipient must adhere to the privacy safeguards, which are a set of legal standards. The privacy safeguards are different to the general privacy law in Australia. Privacy safeguards require an accredited data recipient to, among other things:
- ensure there is open and transparent management of the CDR data;
- provide an option to the customers to engage with the accredited data recipient on an anonymous basis or use pseudonyms for the customer when storing the data (unless an exception applies); and
- ensure CDR data is not disclosed to overseas persons unless specific requirements are met.
Complying With the Consent Requirements
There are clear guidelines on how an accredited data recipient can obtain consumer consent to collect and retain their data. For example, an accredited data recipient must allow the consumer to choose the types of shared data and the length of time the data is kept. The accredited data recipient must also tell the consumers that they can withdraw their consent anytime.
Preparing and Maintaining a CDR Policy
All accredited data recipients must prepare a policy document outlining the following:
- how the accredited data recipient manages the data; and
- how to raise a query or a complaint.
The CDR policy is separate from an accredited data recipient’s privacy policy and should be available to consumers.
Record-Keeping and Reporting
All accredited data recipients must maintain the following:
- record of the CDR data they collect;
- record of the consumer’s consent;
- any consent withdrawals;
- any complaints;
- the data that was collected; and
- the accredited data recipient’s use of that data.
Accredited data recipients must also provide reports of their activities to the ACCC and the Office of the Australian Information Commissioner (OAIC) twice a year.
The ACCC and the OAIC jointly monitor and regulate accredited data recipients. Where there is a breach of an obligation, they can take enforcement actions against the relevant accredited data recipient, including issuing penalties.
Key Takeaways
The CDR regime in Australia allows consumers to manage and control their data as they see fit. The regime requires businesses in specific sectors to disclose the data they hold on a customer to an accredited third party called an accredited data recipient if the customer has consented. A business can take advantage of the CDR regime by becoming an accredited data recipient. To be one, a person must successfully apply to the ACCC and meet various regulatory, IT and legal requirements.
For general privacy advice or more information about becoming an accredited data recipient, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.