FAQs

The Consumer Data Right is a legal framework introduced by the Australian government in 2019 to digitally transform the economy. It allows consumers, both individuals and businesses, to securely access and share their data which is held by Data Holders (e.g., financial institutions and utility providers) with accredited third parties (e.g., budgeting apps and comparison sites) to find better deals. The CDR has been rolled out sector-by-sector, starting with banking and energy. It enables greater consumer control, privacy, and competition through opt-in consent and secure data transfer.

Take the example of Michaela, a Melbourne based homeowner with rooftop solar, who was frustrated with her energy bills despite her panels.  She downloaded the accredited data recipient Automised Energy app, logged in via the CDR, and granted 90 days of secure consent for her usage data to be pulled directly from her current electricity provider—no meters or manual uploads needed.

The Automised app instantly compared her solar generation patterns against 40+ plans, identifying a competitors solar-optimised tariff that cut her net bill by $420 per year through better export rates and off-peak imports.

This showcases the CDR-powered value of an accredited data recipient for an every day consumer: real-time, personalised energy plan matching for solar households, leveraging live data to drive competition as CDR intended since the rollout of energy.

Data holders are organisations in government-designated sectors (e.g., banks, energy retailers and non-bank lenders) that hold consumer data and must share it upon consumer request.

A data holder is an organisation that is required to share consumer data under the CDR. An organisation is considered a data holder if it:

• Operates in a sector mandated to participate by the Australian government

• Holds consumer data that falls within the scope of the legislation, and

• Is legally required to share that data when a consumer makes a valid CDR request.

An official list of data holders can be found here.

An accredited data recipient is an organisation that has been accredited by the ACCC to receive a consumer’s data from a CDR data holder after the consumer has given their explicit consent. ADRs can use that data for the specific purpose the consumer selected, such as product comparisons and budgeting, and must follow strict CDR privacy and security rules.

Data holders under the CDR can choose to become accredited data recipients, allowing them to access CDR data themselves.

An official list of ADRs can be found here.

The CDR is being rolled out in stages:

• Banking and energy are already active

• Non-bank lenders are scheduled to come under the regime in phases, starting in 2026.

The ACCC oversees how organisations comply with the CDR and can step in if requirements aren’t met. The OAIC looks after privacy and confidentiality under the CDR, including handling complaints and managing notifications for eligible data breaches involving CDR data.

There are 2 key categories of CDR data:

1. Product Reference Data (PRD) - public details about products (e.g., fees, features, and terms)

2. Personal consumer data - information that is tied to you or your business, such as:

• Customer data

  • Individual consumer: name, occupation, contact details

  • Business consumer: organisation profile, organisation contact details

• Account data

  • account name and type

  • account numbers and features (e.g., fees, interest rates, account terms)

  • account balance and details

• Transaction data

  • Transaction details (e.g., incoming and outgoing transactions, dates, etc.)

Consumers are eligible for sharing data within the context of the CDR if they are:

• Individuals over the age of 18

• Businesses and non-individuals (i.e., companies, partnerships and trusts)

• Trusted advisors (i.e., professionals such as accountants and financial planners).

Open Banking is how the CDR applies to the banking sector. It enables banking data to be shared securely through the CDR ecosystem.

As banking was the first industry to adopt the CDR, the terms Open Banking and Consumer Data Right are sometimes used interchangeably. However, Open Banking is just one part of the CDR framework.

CDR data is expressly shared under Australia’s CDR framework. It applies to the specific sectors like banking, energy and non-bank lenders, and can only be shared when a consumer or eligible business gives explicit consent. This data is held by a data holder and shared with an accredited data recipient for agreed purposes.

Open data is data that is made publicly available for anyone to use and access. It is typically published using open standards and common technologies, and can include things such as transport timetables, climate data and public statistics. Open data does not require individual consent for sharing and is usually released under licenses that allow free reuse.

A reciprocal data holder is an accredited data recipient that also becomes a data holder for CDR data it generates and keeps itself. In other words, if a business that is approved to receive CDR data also holds its own CDR-relevant customer data (e.g., because it offers a bank-like product to consumers), it may be treated as a data holder and have to share that data in the same way other data holders do when the consumer requests it.

For authoritative guidance and detailed regulatory and technical information, you can visit:

• Official Consumer Data Right website

• ACCC Consumer Data Right

• Office of the Australian Information Commissioner

• Data Standards Body

• Consumer Data Standards Australia

Action initiation is an upcoming extension of the CDR that goes beyond just securely sharing data. It will let a consumer authorise an accredited provider to initiate action on their behalf – for example, making a payment, switching to a new provider, and opening and closing accounts – all via the CDR framework.

Today’s CDR supports read-only access. With action initiation (sometimes called “write-access”), a consumer can give a third party permission to send instructions to a data holder, and the data holder must carry out those instructions as if the consumer gave them directly.