Consumer Data Right (CDR)— Consent and it’s characteristics!!
This article is part of the series of articles on Consumer Data Right.
Note: Refer to the CDR Series section (at the bottom of this page) for links to other articles that are part of this series.
Jim and Mr CDR haven’t caught up with each other for a few months even though they promised each other to meet up once every 2–3 weeks. Jim had done his homework following their previous conversation last year and is back with some more questions for Mr.CDR.
Jim: Good day Mr. CDR. I looked at the CDR website and other public resources. I am slowly getting a feel for CDR. I would like to better understand the concept of “Consent” and the role it plays in CDR.
Mr. CDR: Welcome back Jim. Excellent question. Interestingly “Consent” has been the headline news for the last few weeks both in the online/digital and physical media. As a society it appears that this term (Consent) is neither well-defined nor well understood. Even though that discussion on Consent is relevant, pertinent, and interesting, let’s restrict our conversation today to “Consent” in the context of CDR.
Jim: Sure. Happy to stay focussed within the boundaries of CDR for the current conversation.
Mr. CDR: Consent is at the heart of the CDR regime. Before we dwell into the CDR specifics, I heard that you are a big fan of “First Principle”.
Jim: Absolutely. I have been trying to embrace the First Principle method and have been trying to adopt this approach. Where are you heading here with the First Principles?
Mr. CDR: Embracing the First principles approach, let’s try a few English words. Do you have a preference on the dictionary Macquarie or Oxford?
Jim: Let’s go with the Queen’s English for now!
Mr. CDR: So, you are happy to work with the Oxford Dictionary for this conversation! Here is the first word: “Voluntary”
done willingly, not because you are forced
Jim: That’s easy. I am happy with this definition. It is consistent with my understanding of the word.
Mr. CDR: Great. We have made a good start. Let’s try the next one: “Informed”
(of a decision or judgement) based on an understanding of the facts of a situation
Jim: Another standard stock word. I have heaps of experience making “informed” decisions!!
Mr. CDR: We are chugging along well. Let’s try a third one: “Express”
Jim: I am lost now! Can you cut to the chase please? Let’s get to ‘Consent” at the earliest?
Mr. CDR: Ok. I will change the third word to be “Consent”. Please be patient for a few more mins and we will see how all of these come together and make sense.
to agree to something or give your permission for something
By providing consent, you give/grant permission for something/some activity.
Jim: I have seen so many forms where I have granted consent. In fact, a lot of websites have been asking for the so-called “Cookie Consent” when I visit them!
Mr. CDR: Wonderful. Let’s connect the three words so far in the Context of CDR. If you (as a consumer) want to allow an Accredited Data Recipient (ADR) to collect your data from a bank (in general, a Data Holder) then you need to provide a “Voluntary” and “Informed” Consent.
Jim: Ok. If I provide a voluntary and informed consent to an ADR (Software product) then they can collect my data from my Bank.
Mr. CDR: Not completely true. A Consent in the CDR world needs a few more characteristics besides Voluntary and Informed. I wanted to go through them, but you were keen on cutting to the chase!!
Jim: Let’s quickly get on with the other characteristics. Is there a lot of ground to cover with respect to these characteristics?
Mr. CDR: Not a great deal. I will give you the complete list before we look at them in detail
(iv) specific as to purpose
(v) time limited
(vi) easily withdrawn
Jim: Ok. We looked at two of them, let’s quickly cover the others as well.
Mr. CDR: For some of these, we can look at other resources too (besides the Oxford Dictionary) to get their definitions clear in our heads.
Jim: What’s express?
Mr. CDR: Let’s see what OAIC (a co-regulator of CDR) has to say about an express consent
You give express consent if you give it openly and obviously, either verbally or in writing. For example, when you sign your name (by hand, or by an electronic or voice signature). An organisation or agency must get your express consent before handling your sensitive information.
Jim: Ok. It sounds like that I should give the CDR consent in an obvious fashion. I guess in this case it is some digital form!
Mr. CDR: Yes. We will use an example flow (at a later stage) how a consumer provides an express consent. Let’s get on with the remaining three!
Jim: What does the “specific as to purpose” mean?
Mr. CDR: The specific purpose or reason why this consent is being sought? For e.g. I need your transaction data so that I can analyze this data and tell you where you are spending your money?
Jim: Agree. I don’t want to give a blanket consent. I want to put boundaries over which data I want to share with a third-Party.
Mr. CDR: Now that brings us to the other ring-fence that is applicable to a consent — “time-limited”. The Consent that you provide is for a specific period (e.g., 3 months, 6 months, 12 months etc.)
Jim: Now that makes sense. I would be keen to time-box my consent and not keep it open-ended!
Mr. CDR: I think you have a good hang of the things now. The last thing that is relevant here is the ease with which you can withdraw or revoke a consent that you granted.
Jim: Does that mean, that it should be easy for me to withdraw a specific consent that I provided to you a third-party (ADR as you call it)?
Mr. CDR: Yes. The CDR rules mandate that the players (Data Holders such as Banks or ADRs should make it easy for you to withdraw a consent that is active). Hopefully the picture below helps you to have a quick view of the characteristics of a Consent in the CDR.
Jim: I get it. The CDR consent is a lot more involved than the traditional “accept all” activity that I perform for my Cookie Consent. As a consumer I should clearly make my choices and ensure that I provide consent only to the required data and that too for a specific period of time.
Mr. CDR: Good. The rules mandate that the maximum period that you can grant consent to is 12 months. The ADR that you work with may grant a few choices ranging from a few days to 12 months! (depending on their use-case/offering).
Jim: I think that I have learnt some good info on CDR consent today. Can we call it quits now for the day?
Mr. CDR: Looks like it has been an information overload. I would want you to look at the CX Guidelines to see how the consent flow looks like. The Consent specific pages start from 27. I suggest you look at them before we meet next time.
Jim: Is this an easy read?
Mr. CDR: Honestly, I think it is. However, this document is not aimed at a consumer such as yourself! It should still give you an idea of what is involved. The ADRs will likely provide a great consumer experience building on what is described in the document.
Jim: Is there a teaser for what’s coming next when we meet again in a few weeks?
Mr. CDR: I wasn’t planning on one. I would like to build upon this construct of Consent. We talked about it broadly. There are multiple types of Consent (shown in the diagram below)
Mr. CDR: We can talk about each of these types in a bit more detail
Jim: There is more to it (Consent) than what meets the eye!
Mr. CDR: Enough fun for a day. Enjoy reading the links/docs. I have put them all together in the References section below.
Jim has more reading/homework to do. The CX Guidelines will give him a visual representation of things which should help solidify his understanding. May be Jim will be brave enough to try and look at some of the ADR offerings to see if he would be interested in utilizing their services.
If Jim does not have specific questions, then we will look at the Consent types in detail in the next edition.
It’s more than 8 months since the launch of CDR Data with the Big 4 banks. The ecosystem is growing with 5 active Data Holders and 3 active Accredited Data Recipients. There are few more accredited ADRs who are working towards the “active” status!
Also, it’s been over 3 years since Open Banking went live in the UK. We would be completing our first anniversary of CDR launch come 1st July 2021 by which time the number of active Data holder would have increased manifold!
- Competition and Consumer (CDR) Rules 2020: Compilation date: 23/12/2020
- OAIC: Consent to the handling of Personal Information
- Consumer Experience Guidelines v1.4.0
- Official CDR Website