CREDIT CARDS ARE THE SPIES IN YOUR WALLET
Credit cards have a privacy problem and they are watching
Irecently used my credit card to buy a banana. Then I tried to figure out how my credit card let companies buy me.
You might think my 29-cent swipe at Target would be just between me and my bank. Heavens, no. My banana generated data that’s likely worth more than it is. It ended up with marketers, Target, Amazon, Google and hedge funds, to name a few.
Despite a federal privacy law covering cards, I found six types of businesses could mine and share elements of my purchase, multiplied untold times by other companies they might have passed it to. Credit cards are the spies in your wallet — and it’s time we add privacy, alongside rewards and rates, to how we evaluate them.
Apple, branching out from gadgets, just began offering a needed alternative. The new Apple Card’s best attribute is privacy. Apple limits bank partner Goldman Sachs from selling or sharing your data with marketers. But the Apple Card,
which runs on the Mastercard network, doesn’t introduce much new technology to protect you from a lot of other hands grabbing at the till.
With my banana test — two bananas, one purchased with the popular Chase Amazon Prime Rewards Visa and the other with Apple’s Mastercard — I hoped to uncover the secret life of my credit card data. But in this murky industry, I was only partly successful. Unlike my other recent technology experiments, such as watching what my iPhone does while I sleep, I couldn’t hack into cards to follow the data.
Instead, I asked insiders and privacy advocates to help identify the types of companies that had given themselves access to my swipe for purposes unrelated to payment and preventing fraud. “Where does it end? Nobody really knows,” said Ted Rossman, an analyst at comparison site CreditCards.com.
The card data business is booming for advertisers, for aiding investors and for helping retailers and banks encourage more spending. And there are many ways a card swipe can be exploited that don’t always require a transaction being “sold” or “shared” in a way that fully identifies you. Data can be aggregated, anonymized, hashed or pseudonymized (given a new name), or used to target you without ever technically changing hands.
What’s the harm? We’re legally protected from fraudulent charges and unfair lending practices. But spending patterns can reveal lots — possibly enough to blackmail you. Any time data passes to new hands, there’s another chance it could get stolen. (Witness: Equifax.)
So who all can track, mine or share your transactions? Where does the Apple Card help? Let’s unravel the kinds of companies that sold me out. It’s bananas.
The bank: When I swiped my cards, of course my banks received data. What’s surprising is who they can share it with. My data helped identify me to Chase’s marketing partners, who send me junk mail. Some even got fed to retail giant Amazon, because it co-branded my card.
Banks have long been required to report suspicious transactions to the government. But the 1999 Gramm-LeachBliley Act also allows banks to share personally identifiable data with companies.
They just have to send a privacy notice, and give you the right to opt out.
When I used my Visa, Chase’s privacy statement reserves the right to share my data for seven different kinds of reasons. The most appalling category is: “For non-affiliates to market to you.” Who are “non-affiliates?” Whoever the bank darn well wants.
Chase would not tell me the specific data it shared from my card or the companies it shared it with. Instead, spokeswoman Patricia Wexler listed kinds of data Chase doesn’t share — including “personalized transaction level data.” But that leaves room for lots of uses. Chase, for example, opts us in to receiving offers from partner companies based on our spending habits.
This is where the Apple Card is different. In the Goldman Sachs privacy statement, its answers to most kinds of sharing is “no.” Goldman still shares information to credit agencies about whether you pay your bills. But it says it doesn’t feed transactions to marketers or a sister company that mines card data.
The card network:
This is where Apple’s advantage starts to fade. Once my banana purchase passed to card networks run by Visa and Mastercard, either might have shared them — in an anonymized form — with businesses ranging from tourism bureaus to Google.
The networks, whose main business is connecting banks, have side gigs in aggregating purchases and selling them as “data insights.” Visa said it allows clients to see data on populations as small as 50 people, often tied to groups in ZIP codes. Mastercard wouldn’t disclose its minimum group size.
One Mastercard program particularly irks privacy advocates. Bloomberg has reported that data from millions of Mastercards — now likely including Apple Cards — ends up helping Google track retail sales.
The store: To Target, my credit card acted as a kind of ID — each swipe helps build a “guest profile” about me. That’s useful for learning my habits, targeting me with ads on Facebook and sharing information about me with others. It made no difference whether I paid with the Chase Visa or Apple Card.
Target says it does not “sell” our data. But its privacy policy grants it the right to “share your personal information with other companies” who “may use the information we share to provide special offers and opportunities to you.”