Implement CDR Australia consent withdrawal and data deletion obligations when a consumer revokes access

Verified steps

1. Monitor for consent withdrawal events via the CDR consent dashboard webhook (if your Data Holder supports push notifications) or by polling the consent status endpoint regularly
2. When a withdrawal is detected, immediately cease all data API calls using the revoked consent's access and refresh tokens; making further calls after consent withdrawal is a CDR Rules breach
3. Identify all data collected under the revoked consent in your data stores; under CDR Rule 7.5, an ADR must delete or de-identify CDR data within a reasonable period after consumer request for deletion or consent expiry
4. Trigger your data deletion workflow: remove raw CDR data fields (account numbers, balances, transaction details) from your live databases; update audit logs to record the deletion timestamp, data categories deleted, and consumer identifier
5. Retain only data required by law or legitimately needed for complaint resolution or legal proceedings; document the legal basis for any retained data in your privacy policy
6. Notify the consumer via email or in-app message confirming that their data has been deleted; provide a reference number they can use when contacting the ACCC or OAIC if they wish to verify compliance