LETTER – Advocates to Mastercard: commit to limited data use policy

September 2023
Michael Miebach
Mastercard Inc., Chief Executive Officer

Dear Mr. Miebach,

We’re writing regarding Mastercard’s policies regarding the collection and use of its cardholders’ data.

In order to serve as a payment network, it makes sense that Mastercard has to collect some data about consumers – like how much money a cardholder spends, where, and on what day. What doesn’t make sense is that Mastercard then uses that data for purposes that have nothing to do with being a credit card – like selling it to data brokers, advertisers and other companies. When companies sell data, it increases the risks that data will be misused and cause outright harm to consumers. Therefore, we are asking Mastercard to commit to a limited data use policy and purpose specification – only collecting the data required to be a secure credit card, and using the data only for that purpose.

Mastercard uses the data it collects in its capacity as a credit card for purposes well beyond completing cardholder’s transactions. We have reason to believe it has sold and is currently selling consumer data to data brokers. 

When companies sell data to data brokers, the risks for consumers rise. Data brokers specialize in collecting, analyzing and bundling information about people into profiles and selling them to lots of other companies that a consumer has no direct relationship with. This means people’s data spreads rapidly throughout the digital economy. The more companies that hold an individual’s data, the more likely it is that data will be exposed during a breach or hack. Once exposed, breached data can lead to identity theft, serious damage to a consumer’s credit score, or fraudulent bank withdrawals. Data brokers have also supplied people’s personal data to scammers looking to find ideal victims, like targeting patients with dementia with fake lottery scams.

In addition to data broker sales, we believe that Mastercard monetizes consumer data in other problematic ways. Mastercard’s Data & Services division allows companies to use Mastercard’s data sets for targeting advertisements and prospecting for new high-spending customers.

Today’s consumer is inundated with ads. In the 1970s, the average American saw between 500-1,600 ads a day; today, powered by data-driven targeted advertising, it’s now an estimated 5,000 ads daily. We’re constantly bombarded with appeals to spend more money on more stuff we likely don’t need and didn’t ask to see – and there’s no way to escape it. We can protect our mailbox from junk mail, and we can protect our phones from junk calls, but as long as our data is collected and sold to the targeted advertising machine, we can’t protect our screens from annoying, distracting and unnecessary ads. 

The solution is straightforward. To protect consumers, Mastercard should commit to a policy of collecting only necessary data and using that data only for the purpose of providing consumers access to safe and reliable credit, and stop collecting, re-selling or otherwise monetizing or sharing consumer data for any other purpose. Mastercard has served as people’s credit card long before it was able to use and sell transaction data in all of the ways that modern technology enables. We urge you to return to those practices.

We’re writing to request a meeting with your team to ask Mastercard to adopt this corporate limited data use policy, including purpose specification. Mastercard is poised to be an industry leader in adopting a respectful approach to the use of consumer data. We appreciate your attention to this pressing issue. 

Respectfully,
Public Interest Research Group (PIRG)
Accountable Tech
American Civil Liberties Union
Center for Digital Democracy
Consumer Federation of America
Electronic Frontier Foundation (EFF)
Electronic Privacy Information Center (EPIC)
Oakland Privacy
Privacy Rights Clearinghouse