A ‘software product’ is the software used by an accredited data recipient (ADR) or CDR representative to collect a CDR consumer’s CDR data so it can provide the consumer with a service. The ACCC does not accredit or endorse software products. 

There is no regulatory requirement for an ADR to introduce a new software product where it updates an existing product or service or introduces a new product or service. However, there are circumstances in which introducing a new software product may provide preferred technical and/or consumer experience outcomes.

This guidance provides information about practical issues and technical considerations that ADRs should take into account when determining whether a new software product is needed.

Technical considerations

If an ADR develops a new or revised product that uses a different code base[1] to its existing software product, the ACCC recommends the ADR submit the product to a new round of Conformance Test Suite (CTS) testing. Given the need for additional testing, an ADR may wish to create a new software product for the new offering.

Creating a new software product in this scenario allows an ADR to mitigate risk. If the new software product does not immediately pass CTS testing, or encounters technical or compliance issues after activation, the separate software product can continue to operate without disruption. Depending on the ADR’s circumstances, another option may be to submit a test version of a new software product through CTS, and then replace the existing software product once the new version passes testing.

Ongoing compliance with consent requirements

As outlined above, the ACCC recommends ADRs submit software products with new / revised code bases to a new round of CTS testing. ADRs should also consider whether changes to a software product prompted by a change to the ADR’s services affect existing consumer consents. That is, ADRs should consider whether there is a need to obtain new consents, or amendments to existing consents, to ensure they remain compliant with the CDR Rules. ADRs who collect, use or disclose CDR data without an appropriate consent contravene various CDR provisions, including Privacy Safeguards 3, 6 or 7.

For further questions about software products, please log a ticket in the CDR support portal.

[1] A code base generally refers to the background coding of a software product, distinct from the consumer experience flow.