In summary, provided an accredited data recipient (ADR) complies with the Competition and Consumer Act 2010 (Act) and the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules), including:
- Division 4.3 of the CDR Rules in relation to consents;
- Subdivision 7.2.3 of the CDR Rules in relation to permitted uses and disclosures of CDR data;
- rule 7.2 of the CDR Rules in relation to the ADR’s CDR policy; and
- the Privacy Safeguards in the Act,
an ADR can brand/market a product or service in any way – this could include using a different company as the brand name (i.e. ‘white labelling’). While an ADR should consider all relevant Act and CDR Rules requirements, for illustrative purposes we highlight below some requirements that are likely to be relevant to most white labelling proposals.
While a product or service could be marketed to consumers under a distinct brand name, information about the ADR will need to be provided to the consumer during the consent flow where the ADR collects, uses or discloses CDR data. For example, where an ADR must ask for consent in accordance with the CDR Rules, the ADR must:
- provide its name and accreditation number to the consumer (rule 4.11(3)(a)-(b));
- for a collection consent, explain how that collection is reasonably needed to provide the requested goods or services, or make the other uses consented to (rule 4.11(3)(c)); and
- otherwise comply with the consent requirements in the Act and CDR Rules.
An ADR must ensure consumers know they are consenting to the ADR collecting and using their data. This is necessary to meet the objective of informed consent (Division 4.3). An ADR’s consumer dashboard could be wholly ‘white-labelled’ as there is no requirement for an ADR’s name or accreditation number to be stated on the dashboard and no requirement to specify which accredited person the consumer has consented to collecting the CDR data – see rule 1.14. However, the consumer dashboard must include a functionality that is simple and straightforward to use (rule 1.14(1)(c)(ii)), and ADRs should consider this requirement in determining what information to include on the dashboard. Given the ADR’s name and accreditation number must be provided during the consent phase, including this information on the dashboard may, depending on the particular context, aid consumer comprehension of the dashboard’s functionality.
In addition, where a product or service is ‘white labelled’ by a legal entity which is separate to the ADR, the ADR would not be permitted to disclose any CDR data to that brand entity otherwise than in accordance with Subdivision 7.2.3. Under Subdivision 7.2.3, the disclosures an ADR is permitted to make of CDR data that has not been de-identified are limited to outsourced service providers, other accredited data recipients, CDR representatives and CDR consumers.
ADRs should note that the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021 (v3 Rules) include new CDR participation pathways that extend the circumstances within which ADRs can disclose CDR data to another entity (such as a brand entity), subject to specified requirements being met.
For example, under new participation pathways an ADR may collect CDR data on behalf of a person with sponsored accreditation or disclose CDR data or to a trusted adviser.
ADRs should consider whether these new arrangements suit their particular use case and white labelling arrangements.
Example: Fiddle is an ADR that provides a personal financial management (PFM) app to consumers under its own brand name. Fiddle also partners with a mortgage broking company, Home & Away, and white labels its PFM app to the company. Home & Away customers are encouraged by their broker to download the ‘Home & Away’ PFM app, however, when they give consent for the collection and use of their data, they give consent to Fiddle collecting and using their data. Fiddle not only provide their name and accreditation number to customers during the consent phase, but the branding of the app is ‘Home & Away’ with subscript that the app is ‘powered by Fiddle’ and there is a link that takes customers to Fiddle’s CDR policy. The CDR data Fiddle collects, including data in the customer’s PFM app, is not disclosed to Home & Away (for example –Home & Away cannot view, access, or use the data).
|NOTE: This document provides general guidance only. It does not constitute legal or other professional advice and should not be relied on as a statement of the law. As this is only a guide, it may contain generalisations. We encourage participants to obtain their own professional advice to ensure they understand their obligations under the CDR framework.