How-tos

CDR Consumer Consent Withdrawal

The Consumer Data Right (CDR) is a right for consumers to choose to safely share their data with accredited, trusted recipients. It is not a right for businesses to share consumers’ data without their consent. All participating systems must ensure that consent is genuine: that consumers understand what they are consenting to, that consents are clear and unambiguous, and that they are not open ended. No ‘implied’ consent is allowed for data transfers. Consumers must be able to keep track of the consents they have given to share data and to withdraw (revoke) them. In this article, we explore how Cloudentity facilitates the withdrawal of a consent (arrangement) given by a consumer through the various mechanisms available.

CDR Arrangement Withdrawal

Consent in the CDR must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn (rule 4.9). Allowing consumers to withdraw an authorisation through alternative channels supports the principle that consent should be ‘easily withdrawn’.

An existing data sharing agreement between an Accredited Data Recipient (ADR) and a Data Holder (DH), consented to by a consumer, is termed a CDR arrangement. cdr_arrangement_id is the unique identifier of the CDR arrangement associated with an authorization; internally it is mapped to a consumer and to the data sharing details of that specific consumer consent. Consent withdrawal is also commonly referred to as consent revocation.

Consumers can withdraw such data sharing consents from either

  • the Accredited Data Recipient application(s)
  • the Data Holder application(s)

CDR governance specifies that a consumer must be allowed to withdraw consent from either party.

Withdrawal (revocation) of an existing consent can therefore also be initiated by a consumer at the ADR (Accredited Data Recipient) end.

CDR accredited data recipient (ADR) consent withdrawal

Once the ADR receives a consent withdrawal notification, the ADR must stop using the consent arrangement to request any new data from the Data Holder and must act on the data sets already acquired under the withdrawn arrangement as the CDR guidelines require. In this scenario, after processing the withdrawal request within its own system, the ADR must also inform the Data Holder of the consumer’s withdrawal.

Cloudentity publishes the CDR arrangement revocation endpoint in its OIDC discovery document for ADRs to use. As per the CDR specification, this is an HTTP POST endpoint at /arrangements/revoke. An ADR must call the DH’s CDR Arrangement Revocation Endpoint with a valid cdr_arrangement_id to notify the Data Holder when consent is revoked by the consumer via the ADR’s software product.

Sample entry in the OIDC discovery document:

{
  ...
  "cdr_arrangement_revocation_endpoint": "https://cdrdemo.authz.cloudentity.io/cdrdemo/arrangements/revoke"
  ...
}

Once consent has been revoked and the ADR has notified the Cloudentity CDR Arrangement Revocation Endpoint, Cloudentity immediately takes the following actions:

  • Revokes any access token issued for the cdr_arrangement_id.
  • Prevents any new access token from being issued for the cdr_arrangement_id.
  • Revokes any refresh token issued for the cdr_arrangement_id.
  • Prevents any new refresh token from being issued for the cdr_arrangement_id.
  • Fails any data authorization check that uses an access token issued for the cdr_arrangement_id.

Once consent is revoked, Cloudentity automatically fails any data authorization check that uses an access token issued for the cdr_arrangement_id. The data holder’s API provider must in turn prevent consumers from retrieving data under the deauthorized consent by checking the validity of access tokens with Cloudentity frequently.
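As an added illustration (not Cloudentity code) of the “check token validity frequently” requirement, the Go sketch below models a data holder API guard that re-introspects each access token at least every TTL and fails closed when the introspection call itself fails. The introspection function, token names and TTL are assumptions; the point it makes is that the residual window in which a revoked arrangement can still be used is exactly the cache TTL.

```go
package main

import (
	"errors"
	"time"
)

// Introspection is the subset of the authorization server's token introspection
// response that the data holder's API layer needs here.
type Introspection struct {
	Active        bool
	ArrangementID string // cdr_arrangement_id the token was issued under
}

// Guard fronts a resource API. It re-checks each access token with the authorization
// server at least every TTL, so a revoked arrangement is locked out within one TTL,
// and it fails closed when the introspection call itself fails.
type Guard struct {
	Introspect func(token string) (Introspection, error) // call to the introspection endpoint (assumed)
	TTL        time.Duration
	cache      map[string]cached
}

type cached struct {
	res Introspection
	at  time.Time
}

func NewGuard(introspect func(string) (Introspection, error), ttl time.Duration) *Guard {
	return &Guard{Introspect: introspect, TTL: ttl, cache: map[string]cached{}}
}

// Authorize returns nil when the token may be used at time now, else the reason for denial.
func (g *Guard) Authorize(token string, now time.Time) error {
	c, ok := g.cache[token]
	if !ok || now.Sub(c.at) >= g.TTL {
		res, err := g.Introspect(token)
		if err != nil {
			delete(g.cache, token) // never keep serving a stale "active" verdict
			return errors.New("introspection unavailable: deny")
		}
		c = cached{res: res, at: now}
		g.cache[token] = c
	}
	if !c.res.Active {
		return errors.New("token revoked or expired: deny")
	}
	return nil
}
```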

Consumers must be able to continue to interact with data holders about their CDR authorisations through the channels they already use and are familiar with in their normal dealings with data holders. The CDR rules state that the consumer must be able to withdraw authorisation at any time via the data holder’s consumer dashboard or a simple alternative method of communication. For a consumer to be able to withdraw via either method, data holders must make both methods available.

CDR data holder consent withdrawal

The consent withdrawal journey for a consumer contains several steps, such as:

  • identifying the consent to be withdrawn
  • reviewing the implications and confirming the withdrawal, and
  • receiving a final notification on withdrawal

Data holders can offer consumers a self-service consumer dashboard or an agent-managed consumer dashboard application that acts on the user’s behalf. To let Data Holders support the consumer journey above, Cloudentity provides the key functionality in the form of APIs.

The Cloudentity platform exposes Consent Management APIs that allow Data Holders to build consumer dashboards meeting CDR requirements. Details of building such dashboards for consent management can be found in the guides referenced below.

Once the consumer confirms withdrawal of a specific CDR arrangement, Cloudentity immediately does the following to safeguard the consumer’s data:

  • Revokes any access token issued for the cdr_arrangement_id
  • Prevents any new access token from being issued for the cdr_arrangement_id
  • Revokes any refresh token issued for the cdr_arrangement_id
  • Prevents any new refresh token from being issued for the cdr_arrangement_id
  • Fails any data authorization check that uses an access token issued for the cdr_arrangement_id

Once consent is revoked, Cloudentity automatically fails any data authorization check that uses an access token issued for the cdr_arrangement_id. The data holder’s API provider must in turn prevent consumers from retrieving data under the deauthorized consent by checking the validity of access tokens with Cloudentity frequently.

Once the consent is revoked within the Data Holder, the data holder also has the responsibility to inform the ADR to which the consent was granted about the consumer’s withdrawal.

Cloudentity handles this notification of consent withdrawal to the ADR. The specifics of the notification and its payload are as follows:

  • Cloudentity retrieves the ADR revocation endpoint address (revocation_uri) from the Software Statement Assertion (SSA) presented by the ADR during client registration.
  • Cloudentity sends an HTTP POST request notification to the ADR revocation endpoint.
  • The client assertion (a JWT) is sent in the body of the POST request.
  • The JWT is signed using a private key held within Cloudentity.
  • The ADR must validate the JWT (verifying its signature) using the Cloudentity public key, available from the JWKS endpoint exposed by Cloudentity.
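To show what validating this notification involves on the ADR side, here is an added Go example (not Cloudentity’s or any ADR’s code) that signs a client assertion as the Data Holder would and verifies it as the ADR should: algorithm pinned, signature checked with the DH public key, then issuer, audience and expiry checked before anything is revoked. The EdDSA algorithm, the key pair and the claim values are assumptions made for a self-contained demo; CDR deployments use PS256/ES256 with the key taken from the JWKS endpoint, and the checks are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// DHPub/DHPriv stand in for the Data Holder key pair (demo only; a real ADR takes the public key from the DH JWKS).
var DHPub, DHPriv, _ = ed25519.GenerateKey(rand.Reader)
// Claims of the client assertion the Data Holder POSTs to the ADR revocation endpoint.
type Claims struct {
	Iss string `json:"iss"` // Data Holder's client identifier at the ADR
	Aud string `json:"aud"` // the ADR revocation endpoint URL
	Exp int64  `json:"exp"` // expiry, unix seconds
}

// SignAssertion models the Data Holder side: a compact JWT (alg EdDSA) over the claims.
func SignAssertion(c Claims, key ed25519.PrivateKey) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(key, []byte(input)))
}

// VerifyAssertion models the ADR side: pin the algorithm, verify the signature with the DH public key, then check issuer, audience and expiry.
func VerifyAssertion(tok string, pub ed25519.PublicKey, iss, aud string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, _ := b64.DecodeString(parts[0]); json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unexpected alg") // rejects alg=none and algorithm confusion
	}
	sig, _ := b64.DecodeString(parts[2])
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature") // header or claims were altered in transit
	}
	var c Claims
	raw, _ := b64.DecodeString(parts[1])
	_ = json.Unmarshal(raw, &c) // undecodable claims stay zero and fail the checks below
	if c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return nil, errors.New("wrong issuer or audience, or expired")
	}
	return &c, nil
}
```

Only after VerifyAssertion returns a non-nil Claims should the ADR act on the cdr_arrangement_id carried in the same request.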

Once the ADR receives a consent withdrawal notification, the ADR must stop using the consent arrangement to request any new data from the Data Holder and must act on the data sets already acquired under the withdrawn arrangement as the CDR guidelines require.