Your rights
Strict regulations in place
Consumer Data Right is an opt-in service, which means you can choose whether to use it or not. Businesses must get your explicit consent to use your data.
Consumer Data Right has been set up by the Australian Government to benefit Australians. It is co-regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Consent requirements
Rigorous consent requirements are in place. Consumer Data Right providers must make it clear to you via their website or app:
- exactly what data you’ve agreed to share and how it will be used
- who will have access to your data
- how long they’ll have access to your data for
- how you can manage and withdraw consents.
The entire consent process takes place on a provider’s website or app.
Your privacy rights
The Consumer Data Right is designed to keep your data secure and protect your privacy.
The CDR privacy safeguards in the Competition and Consumer Act 2010 set out your privacy rights and the strict obligations on businesses collecting and handling your data.
There are 13 legally binding privacy safeguards. Among them:
- You have the right to make a request to correct your data if it is inaccurate.
- Your data cannot be sent overseas except in strictly limited circumstances.
- Your data can’t be used for direct marketing unless you consent and it’s allowed under the CDR Rules.
- Your data must be destroyed or de-identified when it’s no longer needed or at your request, unless an exception applies.
See the OAIC’s website for more information about the CDR privacy safeguards.
Making a complaint
The Consumer Data Right is designed to keep your data secure, with strict privacy protections built into the system.
If you are an individual or a small business with an annual turnover of $3 million or less, and you think a business has mishandled your CDR data, you have the right to complain. You should complain to the business first.
You need to give the business a reasonable amount of time to respond to your complaint (generally 30 days).
If the business doesn’t respond to your complaint or you are not happy with their response, you can lodge a complaint with the relevant external dispute resolution scheme (EDR scheme) indicated in the CDR Policy of the business, or the Office of the Australian Information Commissioner (OAIC).
Businesses are required to include the details of the relevant EDR scheme in their CDR policy.
The following EDR schemes handle CDR complaints.
Banking sector and Accredited Data Recipients:
Energy sector:
- Australian Capital Territory: ACAT
- New South Wales: Energy and Water Ombudsman NSW
- Queensland: Energy and Water Ombudsman Queensland
- South Australia: Energy and Water Ombudsman SA
- Tasmania: Energy Ombudsman Tasmania
- Victoria: Energy Ombudsman Victoria
If you have a question about your Consumer Data Right privacy rights or making a complaint, you can make an enquiry or call the OAIC on 1300 363 992. For more information on Consumer Data Right complaints, see the OAIC’s website.
You can also lodge a complaint with the OAIC.
Making a report about business misconduct
Where you have concerns about business practices and behaviours relating to the Consumer Data Right, you can also submit a report to the ACCC or OAIC to help us understand where there are problems.
Data from these reports helps us to determine what we investigate as well as our compliance, education and enforcement activities in relation to business misconduct under the Consumer Data Right.
Business misconduct could include:
- A bank or energy retailer listed on the ‘Find a Provider’ page told you they don’t share data via the CDR or hasn’t allowed you to provide authorisation to share data.
- An entity has collected, used or disclosed your CDR data without your consent, or your consent was coerced.
- An entity hasn’t taken action in relation to a complaint you’ve made to them about your CDR data.
- The CDR data that an entity holds is not accurate, up-to-date or complete or has not been corrected after you’ve made a request (but you believe it should be corrected).
- An entity has failed to ensure the security of your CDR data or has not advised you of a data breach involving your CDR data.
Making a report is not the same as making a complaint.
You may not hear from us after submitting your report, though we may be in touch if you’ve asked for help clarifying your rights or obligations under the law, or we need more information from you.
If you have a complaint, you should follow the “making a complaint” section above, though you may also choose to make a report to provide us with information to assist our activities.
Acting on breaches of the Rules
The ACCC and OAIC jointly monitor compliance and enforcement of the Consumer Data Right regulations. They work together to respond to any issues, including taking enforcement action if needed.
For more details on how the ACCC and OAIC undertake compliance and enforcement, view the Compliance and Enforcement Policy below.
Authorised by the Australian Government, Canberra.