Consumer Data Right (CDR) participant accreditation + compliance
Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with privacy safeguards.
Who must comply
Designated data holders + accredited data recipients in banking, energy, and (in scope) non-bank lending and telecommunications.
What triggers it
Becoming a data holder or accredited recipient.
When due
Continuous; incident notification within 30 days.
Evidence required
Accreditation, CDR Policy, Privacy Safeguard compliance documentation, incident register.
Max penalty
Civil penalties up to $10M / 3× benefit / 10% turnover (CDR, CCA s56EV) for serious breaches
Summary
The Consumer Data Right (Pt IVD Competition and Consumer Act) and the CDR Rules require data holders to share consumer data on request and accredited data recipients to handle CDR data under the 13 Privacy Safeguards. ACCC + OAIC jointly enforce; CDR has its own incident notification regime distinct from NDB.
Enforced by
Source legislation
Industries
Topics
Related obligations
- CWLTHMajor banks must provide CDR Banking + Action Initiation (2026)CDR Action Initiation lets accredited recipients initiate payments + actions on consumer behalf.
- CWLTHComply with CDR Banking (Open Banking) — major + non-major ADIsBanking data holders must share consumer data with accredited recipients on consumer consent.
- CWLTHCDR Energy sector — phasedEnergy retailers + distributors must share data via CDR.
- CWLTHNotifiable Data Breach (NDB) schemeUnder the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
- CWLTHAutomated Decision-Making transparency under Privacy Act (phased)From a phased commencement, APP entities using ADM must disclose in Privacy Policy.
- CWLTHAPP 3 collection of sensitive informationAPP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
Frequently asked questions
- Who must comply with Consumer Data Right (CDR) participant accreditation + compliance?
- Designated data holders + accredited data recipients in banking, energy, and (in scope) non-bank lending and telecommunications.
- What triggers Consumer Data Right (CDR) participant accreditation + compliance?
- Becoming a data holder or accredited recipient.
- When is Consumer Data Right (CDR) participant accreditation + compliance due?
- Continuous; incident notification within 30 days.
- What is the maximum penalty for Consumer Data Right (CDR) participant accreditation + compliance?
- Civil penalties up to $10M / 3× benefit / 10% turnover (CDR, CCA s56EV) for serious breaches
- What evidence is required for Consumer Data Right (CDR) participant accreditation + compliance?
- Accreditation, CDR Policy, Privacy Safeguard compliance documentation, incident register.
Source: https://cdr.gov.au. Rules Mate is not a law firm. Always verify against the live regulator source before acting.