The consumer regulator has warned participants in the new Consumer Data Right (CDR) regime to be both careful and clear with consumers when combining a customer’s data with information sourced from more controversial “screen scraping” methods.
Companies must ensure they don’t misrepresent the data collection process to consumers, or what protections will apply to that data, the Australian Competition and Consumer Commission (ACCC) warned.
Any information gained by combining CDR data with other sources, including screen scraping, would be treated as CDR data, the ACCC said, requiring higher standards of consent, privacy and security.
Screen scraping typically involves using automation to extract data from human-readable sources such as bank transactions, often accessed by sharing credentials with a third party. Critics of screen scraping – including Australia’s big banks – say the method creates a security risk.
Since 2017 Australia has been developing a more advanced way of sharing data using APIs under a Consumer Data Right (CDR) scheme which aims to improve consumer choice and industry innovation.
The data portability scheme is currently being applied to the banking sector but is to be applied to other sectors, including energy and telecommunications.
On Thursday the scheme’s regulator, the ACCC, issued new guidance for the use of screen scraping data alongside data obtained through the Consumer Data Right regime.
While CDR rules do not prohibit the use of alternative methods of data sharing like screen scraping or its combination with CDR data, those doing so must “carefully design your consent flows and consider the impression you create in your interactions with consumers”.
According to the regulator, screen scrapers that also use CDR data must gain separate consent for each data collection method. Screen scrapers must also not mislead consumers by suggesting data collected that way is subject to the protections of CDR.
‘Co-mingling’ CDR data with non-CDR data would not excuse data recipients from applying the high standards of protections that apply to CDR data generally. And any data derived from CDR data, even as a result of combining with non-CDR data, will be considered CDR data by the regulator.
“This could include data that is a transformation of, processed alongside or pooled with CDR data,” the new guidance said. “You should consider whether you need to be prepared to deal with any such data in accordance with CDR.”