Who: MasterCard, Inc. (“MasterCard”), Melissa Tyler and Michaels Stores Inc
When: Late 2012 – April 2013
Law stated as at: 2 May 2013
Towards the end of 2012 the Mail Online reported that MasterCard had come under fire for leveraging apparently anonymised card transaction data by aggregating it into small segments comprising similar transactions and then making details of these segments, such as date, time, amount and merchant, available to advertisers.
Meanwhile, following court judgments, US bricks and mortar retailers have been assailed by legislation introduced in an increasing number of states which outlaws the collection of zip code details from customers when they use their credit cards to make a purchase at the till.
Leveraging credit card transaction data
In October 2012 details of the service offered by MasterCard Advisors Media Solutions Group became public, leading to concern in the US about the potential use of personal information collected by the credit card company.
When a customer uses their credit card, MasterCard receives information about the transaction, including the date, time, amount and merchant. When such data is received en masse, MasterCard can aggregate it into small anonymous segments of similar transactions by pulling together information relating to, for instance, restaurant or entertainment or automotive spending. These segments are then sold to advertisers who can manipulate the information to adapt their marketing policies by, for example, creating campaigns focused on a particular geographical area or time of year when spending by users within that segment might be higher than normal.
Privacy campaigners have been up in arms that MasterCard appears to be using details of people’s personal behaviour as its own property, but the card company has emphasised that the system used does not reveal card-users’ personal details, such as names or addresses, to third parties.
Given that MasterCard processes 34 billion transactions a year in 210 countries, it has a rare, yet wide-reaching intimacy with consumer experiences which is proving to be a very marketable commodity. However, the firm has confirmed that the scheme is currently only running in the US.
Other companies in the credit card industry have opted against directly selling information about customer buying histories, but are exploring different ways of making use of the data for marketing.
American Express has revealed that rather than selling aggregated anonymous credit card transaction data to advertisers, it conducts bespoke research for particular advertisers.
Fourteen US states control collection of additional data during credit card purchases
In the US, laws in fourteen states specifically control the collection of additional data by retailers in the course of a credit card transaction.
In Delaware, for example, a retailer may not ask customers paying by credit card to write down their address or telephone number unless required for delivery.
In Massachusetts, the Supreme Judicial Court held in the recent case of Melissa Tyler vs Michaels Stores that a zip code qualifies as personally identifiable information (“PII”) in the context of a state statute banning any business entity from requesting that a credit card holder write PII if this is not required by the credit card holder to complete the transaction.
This followed a similar verdict by the California Supreme Court in 2011 in the seminal case of Pineda v Williams-Sonoma.
What is most ominous for US retailers engaging in such practices, and for the credit card companies should such logic be extended to their operations, is that in the Tyler case the Massachusetts court identified two types of harm which might be caused by a data misuse law violation:
1. the receipt by the customer of unwanted marketing materials as a result of the unlawful collection of the customer’s personal data; and
2. the merchant’s sale of a customer’s personal identification information or data obtained from that information to a third party.
It seems that the second limb of #2 above could potentially cover the way in which customer transaction data is used and sold by credit card companies such as MasterCard as outlined above.
Why this matters:
Whilst it must be emphasised that the above developments are generally confined to the US, the opportunism of credit card companies in selling customer data brings up a few interesting issues in terms of data protection law should such operations be rolled out in the UK.
The credit card companies have been quick to insist that all data being transferred or otherwise analysed is anonymous.
Strict approach to anonymisation and purpose limitation
If the data which is shared with third parties is truly anonymised there should be no issue under the Data Protection Act 1998. See the recently published ICO Anonymisation Code of Practice.
However, this may need double-checking for UK purposes as ICO’s Code takes a strict approach.
If the anonymisation process is not completely successful, there may, for example, be issues in the form of the purpose limitation provisions under Article 6 of the EU Data Protection Directive 95/46/EC.
This provides that personal data must be collected ‘for specified, explicit and legitimate purposes’ and should not be ‘further processed in a way incompatible’ with those purposes. There is certainly an argument that when individuals hand over their information for the purposes of signing up to a credit card, they may not envisage that such information, even when aggregated and segmented, will be sold to marketing companies.
However, the Article 29 Data Protection Woking Party, a group formed of EU Member States’ Data Protection Commissioners which provides guidance on such issues, has stated that where data is used to detect trends and correlations in the information, explicit consent of data subjects may not necessarily be required. No doubt if credit companies are contemplating similar practices in the UK or elsewhere in the EU, they will be taking heed of this and ICO’s guidance.
No UK laws expressly forbid requesting additional information at time of credit card purchase
As regards asking customers to provide their post code or other personal data when making a credit card purchase, the UK has no specific controls over the practice, either under statute or case law.
Therefore provided the general principles applicable to personal data collection and processing set out in the Data Protection Act 1998 are followed plus, where applicable, the provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended, there should be no issue.