Washington Post columnist Geoffrey A. Fowler conducted an experiment to see how businesses could mine and share data from his credit card purchases.
He bought two bananas for $0.29 each at Target using Chase Amazon Prime Rewards Visa and Apple’s Mastercard. What he found, he said, was a murky industry where he was only partly successful in following his data.
Despite a federal privacy law covering cards, his banana purchase data ended up with marketers, Target, Amazon, Google and hedge funds, who may have passed it on to other companies, multiplying the effect.
Unable to hack his own cards, Fowler asked privacy advocates to help identify the types of companies that had given themselves access to his swipe for purposes unrelated to payment and preventing fraud.
He studied credit card companies’ privacy policies then asked more than 24 of them specific questions about what data are they sharing and with whom.
Listen to GHOGH with Jamarlin Martin | Episode 66: Jamarlin Martin
The Case Against John Ali: Jamarlin Martin goes solo to discuss Malcolm X and actual facts concerning the allegations that John Ali, the former national secretary of the Nation of Islam, was an operative of the FBI or U.S. intelligence agencies.
“Some didn’t answer,” Fowler said. “Others sent me to a Bermuda Triangle of legalese where few straight answers escaped alive. In 2019, it’s hard to trust companies that don’t think they owe us clarity about data.”
Black Americans Have the Highest Mortality Rates But Lowest Levels of Life Insurance
Are you prioritizing your cable entertainment bill over protecting and investing in your family?
Smart Policies are as low as $30 a month, No Medical Exam Required
Click Here to Get Smart on Protecting Your Family and Loves Ones, No Matter What Happens
Card data helps businesses but can put consumers at a disadvantage, Fowler said. For example, data can be used to model behaviors, such as figuring out exactly how many price hikes or bad experiences customers will put up with before go to the competition.
“We’re legally protected from fraudulent charges and unfair lending practices,” Fowler wrote, “but spending patterns can reveal lots — possibly enough to blackmail you. Anytime data passes to new hands, there’s another chance it could get stolen.”
Fowler identified six kinds of companies that can track, mine or share your credit card transactions:
Financial service apps: The free ones that let you track all your accounts in one place use your data to market to you. Or they sell you out to market research firms, retailers and investors.
Mobile wallets: Smartphone-payment systems introduce even more transactions. Apps can access and store not only what you buy but also where you go.
Point-of-sale systems and retailer banks: The tech that helps stores track us often comes from card-swipe machines and the merchant banks that process transactions for them. Those firms know your name, credit card number and other details and often have rights to share your data. What are they doing with it? Fowler said this is where his data trail gets particularly murky. Target — where he bought the bananas — wouldn’t say who its so-called acquiring bank is or what restrictions it places on it.
The store: Fowler’s credit card acted as a kind of ID at Target. Each swipe helped build a “guest profile” about him, useful for learning his habits, targeting him with ads on Facebook and sharing information about him with others. “It made no difference whether I paid with the Chase Visa or Apple Card,” he said.
The card network: Once Fowler’s banana purchase passed to card networks run by Visa and Mastercard, either might have shared them with businesses including tourism bureaus, Google and others, he wrote.
The networks’ main business is connecting banks. They have side gigs in aggregating purchases and selling them as “data insights.” Visa said it allows clients to see data on populations as small as 50 people, often tied to groups in Zip codes. Mastercard wouldn’t disclose its minimum group size.
The bank: When Fowler swiped his cards, his banks received data. Chase’s marketing partners send him junk mail, he said. Some data got fed to Amazon because it co-branded his card.
Banks have to to report suspicious transactions to the government, however the 1999 Gramm-Leach-Bliley Act also lets banks share personally identifiable data with companies. They just have to send a privacy notice and give you the right to opt out.
When I used my Visa, Chase’s privacy statement reserves the right to share my data for seven different kinds of reasons. The most appalling category is: ‘For nonaffiliates to market to you.’ Who are ‘nonaffiliates?’ Whoever the bank darned well wants. The term just means a company not owned by Chase.Washington Post columnist Geoffrey A. Fowler
If a company wants our trust, it’s no longer good enough to say, “We care about your privacy,” and point to some legalese. It’s time to come clean.Washington Post columnist Geoffrey A. Fowler