Consumer Data Right (CDR) Consumer Consent Withdrawal
The Consumer Data Right (CDR) is a right for consumers to choose to safely share their data with accredited, trusted recipients. It is not a right for businesses to share consumers' data without their consent. All participating systems must ensure that consent is genuine: that consumers understand what they are consenting to, that consents are clear and unambiguous, and that they are not open ended. No 'implied' consent may be relied on for data transfers. Consumers must be able to keep track of the consents they have given to share data and must be able to withdraw (revoke) them. In this article, we explore how SecureAuth facilitates the withdrawal of a consent (CDR arrangement) given by a consumer, through the various mechanisms available.
CDR Arrangement Withdrawal
Consent in the CDR must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn (rule 4.9). Allowing consumers to be able to withdraw authorisation through alternative channel(s) supports the principle that consent should be ‘easily withdrawn’.
An existing data sharing agreement between an Accredited Data Recipient (ADR) and a Data Holder (DH), consented to by a consumer, is termed a CDR arrangement. cdr_arrangement_id is the unique identifier of the CDR arrangement tied to the authorization; internally it is mapped to the consumer and to the data sharing details of that specific consent. Consent withdrawal is also commonly referred to as consent revocation.
Consumers can withdraw such data sharing consents from either:
the Accredited Data Recipient application(s)
the Data Holder application(s)
CDR governance specifies that consumers must be allowed to withdraw consent from either party.
Data Recipient Consent withdrawal
Withdrawal or revocation of an existing consent can also be initiated by a consumer at the ADR (Accredited Data Recipient) end.
Once the ADR receives a consent withdrawal request, the ADR must stop utilizing the consent arrangement for requesting any new data from the Data Holder and must act as per CDR guidelines on the data sets already acquired under the withdrawn arrangement. In such a scenario, the ADR must inform the Data Holder about the consumer's withdrawal request after processing it within its own system.
SecureAuth publishes the CDR arrangement revocation endpoint in its OIDC discovery document for ADRs to use. As per the CDR specification, the endpoint is an HTTP POST endpoint at /arrangements/revoke. An ADR must call the DH's CDR Arrangement Revocation Endpoint with a valid cdr_arrangement_id to notify the Data Holder when consent is revoked by the consumer via the ADR's software product.
Sample endpoint URL in the OIDC discovery document:
{ .. "cdr_arrangement_revocation_endpoint":"https://cdrdemo.authz.cloudentity.io/cdrdemo/arrangements/revoke" .. }
Once consent has been revoked and the ADR has notified the SecureAuth CDR Arrangement Revocation Endpoint, SecureAuth takes the following actions immediately:
Revokes any access token issued for the cdr_arrangement_id
Prevents any new access token being issued for the cdr_arrangement_id
Revokes any refresh token issued for the cdr_arrangement_id
Prevents any new refresh token being issued for the cdr_arrangement_id
Fails any data authorization check that utilizes an access token issued for the cdr_arrangement_id
Once consent is revoked, SecureAuth automatically fails any data authorization check that utilizes an access token issued for the cdr_arrangement_id. The data holder's API provider must prevent consumers from retrieving data using the deauthorized consent by checking the validity of access tokens frequently with SecureAuth; a locally cached "valid" decision would otherwise outlive the consent it was based on.
Data holder Consent Withdrawal
Consumers must be able to continue to interact with data holders regarding their CDR authorisations through the channels they currently use and are familiar with in their normal interactions with data holders. The CDR rules state that the consumer must be able to withdraw authorisation at any time via the data holder's consumer dashboard or a simple alternative method of communication. For a consumer to be able to withdraw via either method, data holders must make both methods available to consumers.
The consent withdrawal journey for a consumer contains several steps:
identifying the consent to be withdrawn
reviewing the implications and confirming the withdrawal
receiving a final notification of the withdrawal
Data holders can provide consumers with a self-service consumer dashboard or an agent-managed consumer dashboard application that acts on the consumer's behalf. To let Data Holders support the consumer journey above, SecureAuth provides key functionality in the form of APIs.
The SecureAuth platform exposes Consent Management APIs that allow Data Holders to build consumer dashboards that meet CDR requirements. Details of building such dashboards for consent management can be found in the referenced guides.
Once the consumer confirms withdrawal of a specific CDR arrangement, the SecureAuth system immediately does the following to safeguard access to the consumer's data:
Revokes any access token issued for the cdr_arrangement_id
Prevents any new access token being issued for the cdr_arrangement_id
Revokes any refresh token issued for the cdr_arrangement_id
Prevents any new refresh token being issued for the cdr_arrangement_id
Fails any data authorization check that utilizes an access token issued for the cdr_arrangement_id
Once consent is revoked, SecureAuth automatically fails any data authorization check that utilizes an access token issued for the cdr_arrangement_id. As with ADR-initiated withdrawal, the data holder's API provider must prevent consumers from retrieving data using the deauthorized consent by checking the validity of access tokens frequently with SecureAuth.
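The token handling listed in both withdrawal sections above (revoke issued access and refresh tokens, refuse new ones, fail authorization checks) together with the data holder API's frequent validity check, modelled as a small in-memory authorization server. This is an added example written for this article, not SecureAuth code; the class and function names, the opaque-token design and the introspection-style response shape are assumptions made for illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class ArrangementState:
    """What the data holder tracks for one CDR arrangement (constructed model)."""
    cdr_arrangement_id: str
    revoked: bool = False
    access_tokens: set = field(default_factory=set)
    refresh_tokens: set = field(default_factory=set)


class ArrangementAuthServer:
    """Minimal stand-in for the authorization-server side of consent withdrawal.

    Tokens are opaque random strings mapped back to their cdr_arrangement_id, so
    revoking the arrangement can find and invalidate every token issued under it.
    """

    def __init__(self) -> None:
        self._arrangements: dict[str, ArrangementState] = {}
        self._token_to_arrangement: dict[str, str] = {}

    def create_arrangement(self, cdr_arrangement_id: str) -> None:
        self._arrangements[cdr_arrangement_id] = ArrangementState(cdr_arrangement_id)

    def _issue(self, cdr_arrangement_id: str, bucket: str) -> str:
        arr = self._arrangements[cdr_arrangement_id]
        if arr.revoked:
            # "Prevents any new access/refresh token being issued" for the arrangement.
            raise PermissionError(f"arrangement {cdr_arrangement_id} is revoked")
        token = secrets.token_urlsafe(32)
        getattr(arr, bucket).add(token)
        self._token_to_arrangement[token] = cdr_arrangement_id
        return token

    def issue_access_token(self, cdr_arrangement_id: str) -> str:
        return self._issue(cdr_arrangement_id, "access_tokens")

    def issue_refresh_token(self, cdr_arrangement_id: str) -> str:
        return self._issue(cdr_arrangement_id, "refresh_tokens")

    def revoke_arrangement(self, cdr_arrangement_id: str) -> int:
        """Consent withdrawal: invalidate every token under the arrangement and block
        new issuance. Returns the number of tokens invalidated; safe to call twice."""
        arr = self._arrangements[cdr_arrangement_id]
        arr.revoked = True
        count = len(arr.access_tokens) + len(arr.refresh_tokens)
        for token in list(arr.access_tokens) + list(arr.refresh_tokens):
            self._token_to_arrangement.pop(token, None)
        arr.access_tokens.clear()
        arr.refresh_tokens.clear()
        return count

    def introspect(self, token: str) -> dict:
        """Answer the data holder API gets when it checks a token (RFC 7662 style shape)."""
        arr_id = self._token_to_arrangement.get(token)
        if arr_id is None or self._arrangements[arr_id].revoked:
            return {"active": False}
        return {"active": True, "cdr_arrangement_id": arr_id}


def serve_cdr_data(auth: ArrangementAuthServer, access_token: str, resource: str) -> tuple[int, str]:
    """Data holder API handler: ask the authorization server on every request instead
    of trusting an earlier answer, so a withdrawal takes effect on the next call."""
    info = auth.introspect(access_token)
    if not info.get("active"):
        return 401, "token revoked or unknown"
    return 200, f"{resource} for arrangement {info['cdr_arrangement_id']}"
```

The point of the design is the reverse index from token to cdr_arrangement_id: without it, the server can only refuse new tokens after a withdrawal while already-issued ones stay usable until they expire.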
Once the consent is revoked within the Data Holder, the data holder also has the responsibility to inform the corresponding ADR, to which the consent was granted, about the consumer's consent withdrawal.
SecureAuth handles the notification of consent withdrawal to the ADR. The specifics of the notification communication and payload are as follows:
SecureAuth retrieves the ADR revocation endpoint address (revocation_uri) from the Software Statement Assertion (SSA) presented by the ADR during client registration.
SecureAuth sends an HTTP POST request notification to the ADR revocation endpoint.
The client assertion is sent in the body of the POST request.
The JWT is signed using a private key held within SecureAuth.
The ADR must validate the JWT signature using the SecureAuth public key (available from the JWKS endpoint exposed by SecureAuth).
Once the ADR receives a consent withdrawal notification, the ADR must stop utilizing the consent arrangement for requesting any new data from the Data Holder and must act as per CDR guidelines on the data sets already acquired under the withdrawn arrangement.
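The notification exchange above as an added example, written for this article and not taken from SecureAuth or any ADR: the data holder side builds the signed client assertion and the form-encoded body, and the ADR side verifies the signature, checks the claims, rejects replays and marks the arrangement withdrawn so no further data requests use it. Assumed, not from the page: the body field names other than cdr_arrangement_id, the claim set (iss, aud, exp, jti), the example URLs, and the use of an HMAC secret as a stand-in for the private/public key pair the page describes (with SecureAuth's JWKS-published key only the verify callable would change).

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Assumed values for this example: the ADR's revocation_uri as registered through its
# SSA, and the issuer identifier the data holder places in the assertion.
ADR_REVOCATION_URI = "https://adr.example/arrangements/revoke"
DH_ISSUER = "https://dh.example"

# ADR-side state: assertion ids already accepted (replay protection) and
# arrangements the consumer has withdrawn.
seen_jti: set[str] = set()
withdrawn_arrangements: set[str] = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- Data holder side (stand-in): build the signed notification ----------------
def make_hs256_assertion(secret: bytes, claims: dict) -> str:
    """Compact JWS over the claims. HMAC stands in for the asymmetric signing key
    SecureAuth would use; the structure of the token is the same."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def build_notification_body(assertion: str, cdr_arrangement_id: str) -> str:
    """Form-encoded POST body; field names other than cdr_arrangement_id are assumed."""
    return urlencode({
        "cdr_arrangement_id": cdr_arrangement_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    })


# ---- ADR side: verify and act on the notification -------------------------------
def make_hmac_verifier(secret: bytes):
    """Returns verify(signing_input, signature) -> bool. In the page's setup this
    callable would check the signature against the key from SecureAuth's JWKS."""
    def verify(signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def verify_jwt(token: str, verify_signature) -> dict:
    """Split the compact JWS, refuse unsigned tokens, check the signature, return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") in (None, "none"):
        raise ValueError("unsigned JWT rejected")
    if not verify_signature(f"{header_b64}.{payload_b64}".encode(), _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    return json.loads(_b64url_decode(payload_b64))


def handle_revocation_notification(body: str, verify_signature, now: float | None = None) -> str:
    """Validate the notification and mark the arrangement withdrawn. Returns the
    cdr_arrangement_id on success; raises ValueError (reply 4xx) otherwise."""
    now = time.time() if now is None else now
    fields = parse_qs(body, strict_parsing=True)
    assertion = fields["client_assertion"][0]
    cdr_arrangement_id = fields["cdr_arrangement_id"][0]
    claims = verify_jwt(assertion, verify_signature)
    if claims.get("iss") != DH_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if ADR_REVOCATION_URI not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("assertion not addressed to this endpoint")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("assertion expired")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    # From here on the ADR must not request new data under this arrangement.
    withdrawn_arrangements.add(cdr_arrangement_id)
    return cdr_arrangement_id


def may_request_data(cdr_arrangement_id: str) -> bool:
    """Checked by the ADR before every data request to the data holder."""
    return cdr_arrangement_id not in withdrawn_arrangements
```

The order of checks matters: the signature is verified before any claim is read, so an attacker-controlled payload never influences the decision, and the jti is recorded only after every other check passes, so a rejected assertion cannot poison the replay cache.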