Strict regulations in place
Consumer Data Right is an opt-in service, which means you can choose whether to use it or not. Providers must get your explicit consent to use your data.
Consumer Data Right has been set up by the Australian Government to benefit Australians. It is co-regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Rigorous consent requirements are in place. Consumer Data Right providers must make it clear on their website or app:
- exactly what information you’re sharing and how it will be used
- who will have access to your data
- how long they’ll have access to your data for
- how you can manage and withdraw consents.
The entire consent process takes place on a provider’s website or app.
To protect consumers, Consumer Data Right sets out what providers must do. Strict accreditation criteria for providers also help to protect your data. The ACCC manages the accreditation process. This process and the criteria can be found in Become an accredited data recipient.
Your privacy rights
The Consumer Data Right is designed to keep your data secure and protect your privacy.
The CDR privacy safeguards in the Competition and Consumer Act 2010 set out your privacy rights and the strict obligations on businesses collecting and handling your data.
There are 13 legally binding privacy safeguards. Among them:
- You have the right to make a request to correct your data if it is inaccurate.
- Your data cannot be sent overseas except in strictly limited circumstances.
- Your data can’t be used for direct marketing unless you consent and it’s allowed under the CDR Rules.
- Your data must be destroyed or de-identified when it’s no longer needed or at your request, unless an exception applies.
Making a complaint
The Consumer Data Right is designed to keep your data secure, with strict privacy protections built into the system.
If you are an individual or a small business with an annual turnover of $3 million or less, and you think a business has mishandled your CDR data, you have the right to complain. You should complain to the business first.
You need to give the business a reasonable amount of time to respond to your complaint (generally 30 days).
If the business doesn’t respond to your complaint or you are not happy with their response, you can lodge a complaint with the Office of the Australian Information Commissioner or the relevant external dispute resolution scheme.
- lodge your complaint to the OAIC
- contact the Australian Financial Complaints Authority (the external dispute resolution scheme for the banking sector with a dedicated complaint process)
If you have a question about your Consumer Data Right privacy rights or making a complaint, you can make an enquiry or call the OAIC on 1300 363 992. For more information on Consumer Data Right complaints, see the OAIC’s website.
Reporting business misconduct
You can report information about business practices and behaviours relating to Consumer Data Right that are of concern to you to the ACCC.
Acting on breaches of the Rules
The ACCC and OAIC jointly monitor compliance and enforcement of the Consumer Data Right regulations. They work together to respond to any issues, including taking enforcement action if needed.
For more details on how the ACCC and OAIC undertake compliance and enforcement, view the Compliance and Enforcement Policy below.
Authorised by the Australian Government, Canberra.