Consent and the Consumer Data Right in Australia
The challenges and complexities of consent, and how it plays into the Consumer Data Right.
In this week's Consumer Data Right (CDR) advisory committee meeting, there was a healthy debate about the concept of "consent" and how it plays into the CDR. The topic was raised by Lisa Schutz from Verifier, and it got me thinking, so I thought I'd share some of my thoughts here. This is my first attempt, so feel free to share your feedback on my thoughts and conclusions below.
What is consent?
When you strip away the complexity of looking at consent in the context of data and technology, it's actually not a complicated concept. Simply put, it means one person giving their permission for something else to happen.
In the real world, we give our consent for things all the time. When you tap your bank card on the machine at the cafe, you're consenting to that business taking money from your bank account. When you download an app on your phone, chances are that you're agreeing to the app's terms and conditions. When you have a meeting with someone, you probably consented to shaking their hand (or maybe an elbow bump during this new normal!).
So why is consent so important for the Consumer Data Right, and what are some of the challenges?
If you don't already know, the CDR is the legal framework being put in place to help you get access to and share your personal data. This will create the building blocks that let companies like Finder create tools that will help you make better decisions. As you probably guessed, we're very supportive of the CDR, which is why I'm on the advisory committee.
Importantly for this discussion, the scheme will be "opt-in". This means that if you want to share your data with Finder using the CDR, you'll effectively need to say, "Yes, I am happy for Finder to have access to that data for this amount of time." However, getting this statement from customers is made complicated by the need for this consent process to be done digitally.
Why? Because we need to be sure that you are who you say you are, and we need to make sure you fully understand what you're agreeing to. These are some of the challenges that the CDR is grappling within Australia, and if you look around the globe, no one has really found a perfect solution. Get it right, and we could set a powerful example to the rest of the world.
Friction… and getting it right
The challenge of building consent flows in digital experiences like the CDR, is finding the right amount of "friction". You want to make it just difficult enough so that the consumer understands what they're agreeing to, but not to the extent that it stops them from using a product or service that could significantly improve their life or help them make a better decision.
In Europe, they've introduced the General Data Protection Regulation (GDPR), which has led to consent requests popping up so often on websites that it becomes too much for people to comprehend. I believe consumers are now basically blindly accepting these requests in order to access the service they want. This is not a good outcome.
On the flip side, if you've ever tried to sign up for a new product or service, you'll know that having to provide lots of information and supporting documents will minimise your chances of signing up. We're all time-poor so we often put things in the "too hard" basket, even if we know that switching a product or taking an action could save us hundreds of dollars a year. So getting the balance right when it comes to friction is key.
What's the current plan for consent in the Consumer Data Right?
The CDR has been live in Australia for customer banking data since July 2020, so if you bank with one of the Big Four, you can now share your banking data with accredited data recipients. To enable this, the first set of customer experience guidelines have been architected by Michael Palmyre and the CX team at the Data Standards Body. This work has been research-focused and evidence-driven, so if you haven't already, you should take a look at some of their reports.
A wireframe that visualises the proposed flow can be seen here. One key element is that if a customer wants to share their data with an accredited data recipient, then the customer will be provided with a "one-time password" from their bank. This will then be entered into the bank's online platform.
There are rules that define the responsibility of the data recipient to make the request for access to data as clear as possible for the consumer. These state that any consent given must be done in a way that is:
- 1. Voluntary (i.e. done so without coercion)
- 2. Express (i.e. done in an open and obvious way)
- 3. Informed (i.e. given on the basis of good comprehension)
- 4. Specific to purpose (i.e. limited to the purpose of the request)
- 5. Time limited (i.e. given only for a certain period of time)
- 6. Easily withdrawn (i.e. easy to revoke)
How can we make it even better?
We believe that simple access to data makes it easier to make better decisions and, as a result, we want to see consent flows that encourage consumers to access data-driven tools rather than slow them down.
In a practical sense, this means reducing the number of steps in the process and not being too prescriptive about how the consent request is set up. There's work to be done to improve the one-time password experience to ensure this is seamless and slick while still providing the required level of authentication.
More broadly, I'd like to see a principle-based approach that passes a level of trust onto the accredited data recipients in the CDR regime. We need to make it the responsibility of the data recipient to obtain consent in a way that balances simplicity with comprehension and authentication, but we shouldn't necessarily have to tell them exactly how to do it.
If we want the CDR to result in better outcomes, we have to make it easy for Aussies to access data-driven tools. We also have to create enough flexibility to allow the fintechs building the tools to innovate. My default position is that most people are smarter than the industry gives them credit for and I also believe that most companies in this space are passionate about delivering valuable solutions for consumers.
The CDR is built on the principles of competition and innovation, so let's make sure that this spirit is captured on the important topic of consent so we can empower Aussies to make data-led decisions that improve their lives.
