Back to News & Commentary

Why Don’t We Have More Privacy When We Use A Credit Card?

A customer uses a contactless credit card at a card reader
A customer uses a contactless credit card at a card reader
Jay Stanley,
Senior Policy Analyst,
ACLU Speech, Privacy, and Technology Project
Share This Page
August 13, 2019

Yesterday, we published a piece on cashless stores and how they are bad for low-income communities, undocumented people, and many merchants — and for privacy. In this post, we take a closer look at the privacy problems with electronic payment systems such as credit cards.

Simply put, cash is good for keeping people from prying into our lives, and credit cards are not. That starts with the stores and restaurants where we use them. When we use a credit card to buy something, the seller can learn our first and last name, which, combined with a zip code (either requested at the register or guessed at, since most transactions take place near where people live), can be used to learn a lot more about us. Using “data appending” services, the merchant may then be able to acquire our email and postal addresses and our telephone number. That, in turn, permits a merchant to tap into the databases of the giant data broker industry and learn anything from demographic information to our employment, marital, and homeownership status to our interests and hobbies and even our medical conditions. A retailer may also add our personal data, including purchases, into a “data cooperative” where it will become available to all the other participating companies as well.

It is true that there are other ways for merchants to track people and their purchases, including those made with cash — from loyalty programs to Bluetooth tracking to face recognition. It is also theoretically possible that cash could be tracked using serial number readers, but we know of no existing infrastructure for doing that. Cash is not a guarantee of privacy, but it is still far more privacy-protective than credit cards.

A big reason that electronic payment systems threaten privacy is that they introduce a middleman. When a middleman becomes part of the process, that company often gets to learn about the transaction — and under our weak privacy laws has a lot of leeway to use that information as it sees fit.

The primary middlemen in most non-cash transactions today are the oligopolistic credit card companies (Visa has around 60% of the credit and debit card market, MasterCard has 25%, American Express 13%, and Discover 2%). Mobile apps such as Apple Pay, Venmo, and Square are also gaining a foothold.

But, regardless of who plays that role, Congress has bent to the will of the financial industry and refused to enact adequate privacy protections. In 1999, Congress passed the Gramm-Leach-Bliley Act (GLB). Although it has often been described as a “financial privacy law,” Gramm-Leach created nothing more than a weak “fig leaf” privacy standard. The real effect of the law, which manages to be both extremely complex and weak, has been to ratify the abandonment of customer privacy by an industry (banking) that, once upon a time, prided itself on discretion:

  • Under GLB, companies can sell their customers’ financial data to anyone they choose, including credit card information such as the date, amount, and recipient of charges, and the personal details consumers provide when they fill out applications. Consumers have no privacy under federal regulations unless they affirmatively take steps to “opt out” of this sharing, repeating the process for each and every financial service provider who may have data about them. (Personally, I’ve found that opting out with a credit card issuer, which should be made easy, is like pulling teeth.) That means these companies could be collecting a vast amount of detail about our lives: how much we spend on travel, restaurants, political or religious donations, liquor stores, sex shops, and on and on. And of course, that kind of information is more powerful and revealing when combined with other data.
  • Even this opt-out option is not available for consumers to stop credit card companies and issuing banks from sharing this data with their financial affiliates and financial “joint marketers,” a vaguely defined term that provides a giant loophole in privacy protections.
  • Nor do consumers get the transparency they should as to how their information is being shared. Companies are required to provide “privacy notices,” but they don’t have to reveal the specific information that they share with third parties, or the names of those parties — only the categories of information they share and the categories of organizations shared with. When the journalist Kashmir Hill tried to find out what was being done with her Amazon/Chase credit card data, both companies basically stonewalled her. The impossible number of click-through contracts we’re swamped by online makes these notices just part of a wave of fine print and even less meaningful.

In 2002, citizens in states around the country began to rebel against this rule by passing their own, tougher “opt-in” financial privacy rules requiring people’s affirmative permission before their information could be shared. In North Dakota, for example, the battle over a proposed ballot measure to require opt in for the sharing of financial data was a true David and Goliath story. On one side were wealthy and powerful financial interests including big, national banks and insurance companies, which ran a sophisticated media campaign opposing the measure, and outspent the pro-privacy forces by a factor of at least 6-to-1. On the other side was a group of citizen-volunteers led by Charlene Nelson, a homemaker and mother of three working out of her home. Until a last-minute $25,000 contribution by the ACLU for radio ads, the grassroots effort had reported donations of just $2,450.

Yet despite this lopsided battle, the ballot measure won with over 70 percent of the vote.

Unfortunately, in the face of this rebellion by North Dakota, and another in California, as well as similar “opt-in” laws in some other states, financial interests ran to Congress and were able to use their sway to thwart states’ ability to pass stronger standards than GLB. In many crucial areas, GLB was made the ceiling rather than the floor for privacy protection. (A similar preemption battle is shaping up today over consumer internet privacy legislation.)

The result is that we now have a situation in which consumers’ credit card and other financial information is bought, sold, traded, and accumulated by the private sector at an ever-faster pace — and made all the more convenient and available for access by the government.

For example:

  • The major credit card companies have quietly turned their access to consumer transactions into a new revenue stream, according to AdAge. And not just the networks like MasterCard and American Express, but also issuing banks. “Representatives from the four top credit card issuers — Bank of America, Citi, Chase and Wells Fargo — declined to discuss details of how they use purchasing data internally,” a credit card analyst wrote in 2009, adding that “a spokeswoman from a banking industry trade group acknowledged that the practice is common.”
  • Google has made secret data-sharing agreements with credit card companies and, according to the Washington Post, now has access to 70% of the nation’s credit and debit card transactions. Google, which refused to explain how its new system works, uses it to track the success of its online ads, which already rely on access to highly personal data about consumers’ search, browsing, and location histories. Although advertisers regularly protest that ad data is based on anonymized information, that system could only work if Google connects people’s online clicks to their real offline identities.
  • “Behavioral scoring” by credit card companies can be used in unfair ways. One man who had paid his credit card off in full every month received a notice that his credit limit was being lowered. When he asked why, according to ABC News, he was told it was because other shoppers at certain stores he patronized had proven to have poor credit records. It’s very easy to see how that kind of analytics, especially when done in secret, could have strong, even if unintentional, discriminatory consequences.

The current ecosystem of privacy invasion needs to stop, and is one more reminder why Congress needs to enact strong, comprehensive privacy legislation — and why we need to preserve cash as a widely-available option for making purchases in our society.

Learn More About the Issues on This Page