Decision Proposal 333 - Business Consumer Provisions #333
Comments
CDR-CX-Stream
added
Status: Proposal Pending
CDR-CX-Stream
changed the title
CDR-CX-Stream
added
Status: Open For Feedback
|
The decision proposal has now been published for consultation. The paper can be found in the original post. This consultation will close on Tuesday 21 November 2023 |
|
The definition of SHOULD means "that there may exist valid reasons in particular circumstances to ignore a particular item". The proposed Standard suggests the introduction of statement into the non-accredited person disclosure notification:
Under what valid circumstances would this not be the case? At face value this statement should actually be a MUST so as to avoid the introduction of a new dark pattern by Recipients exposing Consumers to disclosure outside of the CDR that they were not aware of. |
|
Could we clarify 'without further interaction' as well; would 'scrolling' be considered an interaction? The current wireframe has the section "The data you share with [non-AP] is not subject to CDR protection at the bottom" of the consent. However, this would require a user to scroll, considering the level of information to be disclosed above. An interaction is more like an 'event', for example, a consumer clicking on a button/link for a pop-up or clicking to open an accordion. As an aside, we like this disclosure at the bottom of the consent next to the Approve or Deny options as it will be the last thing consumers will read before their consent. |
|
Hi all, to support the feedback upon this consultation. The team have put together a video summarising Decision Proposal 333. |
|
Skript is supportive of the proposed standards for business consumer statements and disclosure consents. Our assumption has been that scrolling does not constitute 'further interaction', especially given the wireframes where the disclosure is included at the bottom of a long screen. Agree with @joshuanicholson that this is a good spot for the disclosure. |
|
Thanks @perlboy, @joshuanicholson and @paige-skript for your comments. Stu, as you’ve noted in your question, the meaning of SHOULD given in RFC2119 is that:
If no valid reason exists, participants are expected to implement the standard. As Joshua has noted, valid reasons may exist for consumers to scroll on the consent screen before this information is actually visible. This is the type of interaction that was considered when wording the proposed standard as a SHOULD. Other implementations may exist where SHOULD provides an appropriate level of flexibility. If an interaction such as scrolling is required, the expectation is that the content be immediately available to the consumer once they have scrolled to the relevant section. This content should be available without the consumer needing to engage in any further interactions, such as the expansion of an accordion. Under these circumstances, the need to scroll is permissible through the use of SHOULD. |
In that case this standard isn't really worth much as it is going to be an extremely hard rule to enforce.
If I was to (mis)read this statement I could also say that, after clicking a modal the disclosure is immediately made available. It was "necessary" because the screen was too small cause my hypothetical app is designed for desktop. The point I'm trying to make here is that a Finding a way to get to
"Default state" would allow for the scrolling but not allow a situation where a Recipient would deliberately hide important information (which they currently are) behind a clickable modal. P.S. @perlboy or Stuart is fine. Thanks. |
|
Thanks for adding this detail @perlboy We take your point about the use of a modal in that scenario, and the proposed standard is not intended to support this approach when implementing the disclosure notification. We appreciate the alternative suggestion with the use of a MUST. The term 'default state', at least in design, can mean the state of the screen before scrolling, and as such may run into similar interpretation issues. For example, it could prescribe that ADRs display the notification immediately, such as at the top of a mobile screen, instead of a more contextually relevant area after scrolling, which we expect to be just before the affirmative action of consent. We expect the dark patterns proposals from the consent review consultation would help avoid any intentional or unnecessary obfuscation of critical information in scenarios such as this one. We can consider how a MUST could be used in this statement and invite views from those who have indicated support for the current proposal, e.g. @paige-skript, @joshuanicholson and @commbankoss. However, given this amendment would apply to existing implementations for Trusted Adviser and Insight Disclosure Consents too, our preference would be to maintain the currently proposed SHOULD statement to afford flexibility during any requisite transitions. The introduction of a MUST could then be assessed if issues are identified with business consumer disclosure consent implementations, and pending views raised in this consultation. |
|
Dear @CDR-CX-Stream, thank you for providing us with additional information. We have already implemented our design with the aim of having the product ready for production by December 1st, 2023. Our design ensures that consumers do not need to take any further actions, as the disclosures are prominently displayed (i.e. MUST) without requiring the user to even scroll. We acknowledge that we have developed a solution that goes above and beyond the requirements, and our primary focus is aligned with potential changes from the consent review(s) while avoiding any dark patterns. However, the use of the word "should" creates ambiguity, which could lead to friction between our clients and us. We firmly believe that these disclosures must be presented prominently to consumers, and we have designed our solution accordingly. As an ADR we accept the risks and liabilities of consumer consents with DH's, while many other organisations who will be the end beneficiaries of CDR data may prefer to minimise disclosures and create less friction for the consumer. |
|
CBA supports the proposed Consumer Experience standards amendments in DP333 as these enhance transparency for consumers in relation to business consumer statements and disclosure consents. |
|
Please find attached Biza.io feedback regarding DP-333. Specifically, we wish to highlight our callouts regarding whether Business Consumer Consents are, in essence, the introduction of Nominated Representatives by another name and caution all participants that, if so, there is a level of deceptive complexity in technical delivery coupled with a lack of Rules/Standards specificity at this point in time. |
CDR-CX-Stream
added
Status: Feedback Period Closed
|
This consultation is now closed. Thank you to all who responded. |
CDR-CX-Stream
added
the
Status: Decision Made
|
The Data Standards Chair has approved this decision. The decision record can be found in the original post. This decision takes effect immediately and, as such, the new July 2023 business consumer provisions are now considered permitted CDR functionality. The DSB will discuss the queries raised during this consultation with other CDR agencies, and will consider responses and/or CX Guidelines in due course. |
|
For the record, it is unclear how the Chair has appropriately considered his obligations under the Rules specifically with respect to clarifying the applicability of Privacy Safeguard violations as a result of permitted but poor CX experience as a result of these Standards. |
|
Thanks for this input @perlboy. To help us consider this comment, could you please clarify:
|
Biza specifically asked questions in order to clarify what you are now seeking to clarify, restating them here:
I note that the Decision Record contained no response to these questions nor any other discussion around the feedback received. This is relevant because under Division 8.3, 8.10(b) the Chair "must have regard" for submissions received during public consultation. Given the speed of binding on this DP it seems unlikely this feedback was properly considered and promises to come back later do not meet the bar as far as the Chairs legal obligations. At a personal level, the way this and #334 have been dealt with by the DSB is quite disappointing. Participants expend significant resources based on real world experience to provide constructive input in order to better the CDR ecosystem. To promise feedback but bind immediately essentially highlights that the DSB and the Chair appear to have little regard for the potential fallout that may result. I'll try and answer your clarification request but it's pretty difficult without receiving clarification on the questions already posted. Privacy Safeguards It's honestly pretty disappointing that the DSB can't see the scenarios which are problematic but by way of sampling some and giving a free kick to help:
Finally, not so much a safeguard as much as a Rules violation, if a Data Recipient used data past a year on the basis of a BCDC but that data was, in fact, for an Individual Consumer (or a Sole Trader disclosed as an Individual but included non business related accounts), this would actually be a direct violation of the entire BCDC Rules structure because it does not apply to Individual Consumers. Fundamentally it's unclear if the OAIC is even aware of this proposal (@OAIC-CDR?) as they seem best placed to provide guidance on the impact of the now binded Standard in relation to these safeguards. By binding this Standard with immediate effect the DSB has now permitted Recipients to place Holders in essentially undefined territory as far as how to deal with the inevitability of a human selecting the wrong profile. That is particularly relevant in the situation where the BCDC is incorporated in the standard consent flow which is why the Biza submission also included a recommendation on Page 3 of it's submission "Biza supports explicitly separating the collection of the Business Consumer Statement experience steps from the other consents currently collected by Data Recipients.". This statement was included specifically to attempt to ameliorate the likelihood the Consumer may select the incorrect profile (i.e. their individual consumer profile) when they get to the Holder, essentially "cognitive context loading". This suggestion also does not appear to have been considered. Permitting Standards As outlined in the Biza submission "Biza supports standardising copy content in simple and concise language for Business Consumer Statements but we note that the proposed Standards place significant responsibility on the end-user to complete the Data Holder workflow correctly. Specifically, the lack of a technical authorisation mechanism that would allow an ADR to request disclosure authorisation for a constrained set of profile types, i.e. Non-Individual Consumers.". Specifically, by binding a Standard enabling BCDC to occur on the Recipient side without solving for a signalling mechanism to the Holder of the intent of the arrangement setup it is impossible for the Holder to limit such options. I guess short version to answer the request for clarification, the Standard permitting this behaviour is allowing BCDC to be entirely Recipient side without ensuring consent workflow binds the requirement to filter to Non-Individual Consumers. Clarifying applicability of Privacy Safeguard violations I'm not sure if I'm repeating myself here but the issue this Standard now introduces is that an action by a Data Recipient (establishment of a BCDC) now potentially exposes the Holder directly to multiple Safeguard violations. Without going into too many specifics, Regulatory action (both Regulators) has been strong in this regard and procedurally are dealt in a very similar way to a Reportable Data Breach. Holders may now be significantly exposed based on the well meaning actions of a Data Recipient and a User who clicked one wrong button. |
|
The code changes for this decision are staged for review - ConsumerDataStandardsAustralia/standards-staging@release/1.29.0...dp/333 |
CDR-API-Stream
removed
the
Status: Feedback Period Closed
* Create clean version of release 1.29.0 * Added releasenotes file for 1.29.0 * Added redirect_uri * Update CX Guidlines link * Removed amending authz * added RFC7636 to refs * Updated Intro DSB link * Differences in naming of Register endpoints * Added obligation schedule to FDO * Updated desc of minimumValue maximumValue unitOfMeasure * Updated markdown of minimumValue maximumValue unitOfMeasure * Added missing fields for PAID_OUT_AT_MATURITY ROLLED_OVER for maturityInstructions * Updated definition of Number in common field types * Updated descriptions on ErrorMetricsV2 * Modified URL in line with request example * url encoded * Retain Version Delta for Additional Standards Re-added the 1.28.0 Version Delta comments for the Candidate and Draft Standards recently updated and still under consultation in 1.29.0. * Added authorization_signed_response_alg & authorization_encrypted_response_alg as conditional * Resolve link and navigation issues Addresses: ConsumerDataStandardsAustralia/standards-staging#222 * Switch tracking and add Standards category ribbon Addresses: ConsumerDataStandardsAustralia/standards-staging#334, ConsumerDataStandardsAustralia/standards-staging#332 * Corrected minor typos only Addresses typos: ConsumerDataStandardsAustralia/standards-staging#312 * Remove resource name to reduce length + complexity Addresses: ConsumerDataStandardsAustralia/standards-staging#222 * Added end & * Removed FDO Obligation date from Amending authorisation * Created a single link for [PKCE] / [RFC7636] * Standards Maintenance Issue #587: Added new field measureUnit in EnergyBillingDemandTransaction * Adjust heading levels and add navigation classes Addresses: ConsumerDataStandardsAustralia/standards-staging#338 * Identifying superseded versions in obsolete path Addresses: ConsumerDataStandardsAustralia/standards-staging#334 * Business Consumer Provisions Addresses: #333 * Added link to change description * Added link to change description * Standards Maintenance Issue #587: Fixed typos. Re-arranged order of api versions for consistency * Add style to override class for CX submenu items * Added Data Holder Dashboards section Addresses: #334 * Added link to issue * Added issue link to description * Added issue link to description * Updated with data attribute to apply CSS * Updated with data attribute * Added FDO details * Standards Maintenance Issue #613: Changed type of time fields in energy plan data to ExternalRef referring to ISO 8601 Times specification * Standards Maintenance Issue #613: Changed description of affected time fields for clarity. * Standards Maintenance Issue #587: Fixed typos * Standards Maintenance Issue #587: Fixed typo in FDO table * Retaining majority of useful original anchors Addresses: ConsumerDataStandardsAustralia/standards-staging#222 * Display the x-cds-type for array items Addresses: ConsumerDataStandardsAustralia/standards-staging#348 * Show format of request parameter enums correctly Addresses: ConsumerDataStandardsAustralia/standards-staging#349 * Adding release notes and delta comments Update for: ConsumerDataStandardsAustralia/standards-staging#348 * Update to release notes and NBL version delta * Remove last diffs * Moving NBL Draft to Candidate Standards Addresses: #318 * Rebuild * Add FDO diff statement for 587 * Add diff statements and release notes * Add diff and release notes * Add release note reference to CR620 * Add release notes * Add santa hat * Update release date * Fix release notes Update obligation date counts * Corrected typo * Add MI 17 DP to release notes Addresses: #328 * Updated links * Updated dates * Added deprecation dates * Corrected typo * Rebuild * Update change log with DP328 --------- Co-authored-by: Hemang Rathod <hemang.rathod@consumerdatastandards.gov.au> Co-authored-by: kirkycdr <brian.kirkpatrick@consumerdatastandards.gov.au> Co-authored-by: Nils Berge <60594671+nils-work@users.noreply.github.com>
|
Hi @perlboy, We have now discussed these queries with other CDR agencies and can provide the following response: The general nature of these queries are considered rules rather than standards issues. The Role of the Standards The scenarios outlined in the feedback were identified early on and considered during the rule making process. The subsequent feedback provided on the standards in relation to these scenarios was considered. However, the cited scenarios were not considered to be standards-related/enabled because they go to the operation of the Rules and Privacy Safeguards. Operation of the Provisions The ADR is also required to obtain a business consumer statement from the CDR business consumer – this statement certifies that relevant consents are given for the purpose of enabling an accredited person to provide goods or services to the CDR business consumer in its capacity as a business (i.e. not an individual). The rules do not constrain data access to non-individual data in relation to these provisions, provided these requirements are met. Flexibility has been provided for a CDR business consumer to share individual data, such as may occur when a sole trader with an active ABN uses their individual account for business purposes. Constraining or requiring data holders to only share non-individual data would be impractical and in conflict with the provisions in the CDR rules. If a business consumer statement is not given, then an accredited person cannot ask for durations of up to 7 years for the relevant consents, and also cannot request a business consumer disclosure consent. Privacy Safeguards However, key issues to consider include:
If the CDR data was unsolicited by the ADR - i.e. the ADR had not sought to collect the particular data authorised by mistake – the ADR would generally need to destroy it under Privacy Safeguard 4. If the CDR data was not unsolicited – i.e. the ADR did intend to receive the particular data – the consumer could then choose to withdraw their consent, and this would generally trigger an ADR’s Privacy Safeguard 12 obligation to delete or de-identify redundant CDR data. As noted above, we have liaised with the other CDR agencies to provide this information. They will give further consideration to how best to clarify this in their respective guidance. |
|
This decision has been reflected in v1.29.0 of the published standards, so this issue will now be closed. |
Tuesday 28 November: Decision Made
The Data Standards Chair has approved this decision.
The decision record can be found below:
Decision 333 - Business Consumer Provisions.pdf
This decision takes effect immediately and, as such, the new July 2023 business consumer provisions are now considered permitted CDR functionality.
Tuesday 24 October: Decision Proposal Published
Decision Proposal 333 proposes data standards for the new business consumer provisions introduced in the July 2023 CDR Rules.
The decision proposal can be found below:
DP333 - Business Consumer Provisions.pdf
The specific topics covered in this paper are:
This consultation progresses from DP276 to outline which data standards are being proposed as binding. This paper reflects those proposals and, in response to feedback, incorporates minor wording changes in some instances for greater clarity.
Community views are now being sought before these standards are proposed to be made binding to support the 1 December 2023 obligation date for the new business consumer provisions.
This consultation will close on Tuesday 21 November 2023
The text was updated successfully, but these errors were encountered: