Can I use screen-scraping alongside CDR?
The Competition and Consumer (Consumer Data Right) Rules 2020 do not prohibit alternative methods of data sharing, such as digital data capture services (also known as screen-scraping). However, if you obtain data through both CDR and non-CDR mechanisms, you will need to carefully design your consent flows and consider the impression you create in your interactions with consumers, to ensure you comply with the CDR framework and are not likely to mislead consumers.
- Any request to a consumer asking for their agreement for you to access their data other than through the CDR must not purport to be, or be presented as, part of the CDR consent flow. Doing so may breach the rules relating to bundling, referring to other documents, and the requirement to make consent as easy to understand as practicable.
- You must not suggest or in any way imply that a consumer’s data will be collected through the CDR, when it is instead obtained through an alternative mechanism.
- Separate to the CDR pre-consent information, and the CDR consent flow, we would expect you to inform the consumer that you also intend to access non-CDR data to provide the service. You should explain the consequences of doing so, including any risks which may arise from the alternative method of sharing.
In addition, you are required to treat CDR data in certain ways.
- Co-mingling CDR data with non-CDR data will not excuse you from applying the high standard of protection that applies to CDR data, and you should consider whether you need to hold all data co-mingled in one pool to those high standards.
- You should be mindful that any data derived from CDR data is considered to be CDR data, whether or not it is also derived from non-CDR data. This could include data that is a transformation of, processed alongside or pooled with CDR data. You should consider whether you need to be prepared to deal with any such data in accordance with CDR
Those requirements are set out in the Act, Rules and Standards. In particular, you should note:
- Rule 4.10, which requires that an accredited person’s processes for asking a CDR consumer to give consent must accord with the data standards and have regard to the consumer experience guidelines.
- CX Standard #11, which provides that data holders and data recipients MUST state in consumer-facing interactions and communications that services utilising the CDR do not need access to consumer passwords for the purposes of sharing data. The exact phrasing of this is at the discretion of the data holder and data recipient.
- Section 56BN of the Competition and Consumer Act 2010 regarding misleading and deceptive conduct.