If an Accredited Data Recipient (ADR) makes a consent revocation request, then is the Data Holder (DH) required to remove only the consent, or should it also remove the associated Refresh Token?
An ADR must use the DH's CDR Arrangement Revocation End Point with a valid cdr_arrangement_id to notify the Data Holder when consent is revoked by the consumer via the ADR's software product.
Once consent has been revoked, the DH must prevent consumers from retrieving data using the deauthorized consent. The DH's solution must prevent any data disclosure against the
The cleanup and removal of security artifacts such as the Refresh Token associated with the cdr_arrangement_id is an implementation decision for the DH. The Consumer Data Standards do not prescribe how this should occur.
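The distinction above, shown as an added sketch (not code from the Consumer Data Standards or from any Data Holder): revocation is enforced on the arrangement itself, so a leftover Refresh Token is unusable whether or not the DH purges it. The class, method names and in-memory stores are hypothetical, and the identifiers and tokens are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Arrangement:
    active: bool = True
    refresh_tokens: set = field(default_factory=set)


class DataHolder:
    """Hypothetical in-memory DH token store (illustrative names only)."""

    def __init__(self, purge_tokens_on_revoke: bool):
        self.purge = purge_tokens_on_revoke   # the DH's implementation choice
        self.arrangements = {}                # cdr_arrangement_id -> Arrangement
        self.token_index = {}                 # refresh token -> cdr_arrangement_id

    def establish(self):
        """Create a consent arrangement; values are constructed sample data."""
        arr_id, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.arrangements[arr_id] = Arrangement(refresh_tokens={token})
        self.token_index[token] = arr_id
        return arr_id, token

    def revoke_arrangement(self, cdr_arrangement_id: str) -> bool:
        """Handle the ADR's revocation notification for one arrangement."""
        arr = self.arrangements.get(cdr_arrangement_id)
        if arr is None:
            return False
        arr.active = False                    # required: consent can no longer be used
        if self.purge:                        # optional: artifact cleanup
            for token in arr.refresh_tokens:
                self.token_index.pop(token, None)
            arr.refresh_tokens.clear()
        return True

    def redeem_refresh_token(self, token: str) -> bool:
        """True only if the token maps to an arrangement that is still active."""
        arr = self.arrangements.get(self.token_index.get(token))
        return arr is not None and arr.active


def revoke_and_retry(purge: bool):
    """Return (redeemable before, redeemable after, token still stored)."""
    dh = DataHolder(purge)
    arr_id, token = dh.establish()
    before = dh.redeem_refresh_token(token)
    dh.revoke_arrangement(arr_id)
    return before, dh.redeem_refresh_token(token), token in dh.token_index
```

With either setting the token stops working after revocation; the only difference is whether the artifact remains in storage.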