How Credit Cards Share Personal Data

Professor Roberts takes a look at credit cards...

Many of us lean heavily on credit cards as a convenience and I’ve written previously about their safety as compared to bank debit cards. However, much has been written recently about credit card data sharing. Whether this practice is a matter for concern is arguable and I’ll give arguments on both sides.

First, credit cards share transactional data. That includes topics like stores in which the customer shops and what products she purchases online. It also includes data about health care provider visits and medications purchased if those transactions are paid by credit card. The credit cards sometimes infer the customer’s financial status by actions like frequent shopping at thrift stores and applications for increase in credit lines. None of this is personal identifying data. What is does is allow users of the data to target ads and offers to consumers based on their purchase history. That is a staple of marketing by many companies in many industries.

Credit cards do “anonymize” data that is shared so consumer names and other personal data are not linked with the shared transactions data. Whether this is enough or whether it is even successful is in question. Some experts assert that the anonymized transactions data can rather easily be linked with the personal identifier. To what extent that endangers the consumer is not clear.

Recently a reporter from the Denver Post bought one banana with two different credit cards in an attempt to see where the data was going. His story has become something of an internet legend, and it is interesting and revealing. He compares his experience to the features of the new Apple credit card which has a number of privacy-friendly features.

There are ways in which customers can limit the sharing of their data. The word “limit” is accurate; limiting the sharing of data is possible but stopping it entirely is not. And the credit cards don’t necessarily make it easy.

All financial services firms are required to mail a privacy statement to each customer each year. My own informal surveys suggest that few people read them and even fewer have working knowledge about data sharing practices. The privacy policies, also posted online, are important but this is one of the areas where the firms do not make it easy.

In an effort to find an easier way to understand options for limiting data sharing, I visited the sites of multiple credit cards I use. Credit card issuers are very concerned about the security of customer data and, obviously, that’s good. It almost seems, though, that they are trying to bury privacy information in all the information about data security. Information about data sharing is there; by law it has to be. The consumer just has to be a bit persistent, wading through security information to find options for sharing or privacy or even account services, whatever they choose to call it.

The various cards offered different options and presented them in dramatically different ways. It appeared that I had never visited these pages, because in each case I was able to shut down several activities. For example, I long ago shifted all billing to online, but I had never gone to the effort of shutting down mail solicitations and offers from the credit cards. I’ve now done that and it will save several trees over the next few years, so that’s good. On one credit card I found that even if I shut down targeted advertising based on this transactions data, the ban would only last for five years, after which the credit card would be free to sell my data to advertisers—unless I remembered to shut it down again.

To recap, credit cards are only sharing anonymous credit card data which is used for targeted advertising. It is up to each of us to decide how useful that kind of advertising is or is not and how many of the available options we want to use to limit it. welcomes thoughtful comments and the varied opinions of our readers. We are in no way obligated to post or allow comments that our moderators deem inappropriate. We reserve the right to delete comments we perceive as profane, vulgar, threatening, offensive, racially-biased, homophobic, slanderous, hateful or just plain rude. Commenters may not attack or insult other commenters, readers or writers. Commenters who persist in posting inappropriate comments will be banned from commenting on