When you use your Mastercard, the company receives data about your transaction, like how much you spent, where and on what day. It needs this information to be your credit card – but Mastercard doesn’t just use your data to complete payments. It monetizes that information by selling it to data brokers, advertisers and other companies. Mastercard’s data practices contribute to a larger economy of data harvesting and data sales that can be harmful to consumers.
We’re working to get Mastercard to commit to only collecting and using cardholder data for what consumers are expecting: being a safe, secure credit card. In the meantime, however, there are some small steps you can take to better protect your data. We recommend taking advantage of as many of these services as you can
Opt-out of your Mastercard data being used for analytics
You can opt out of your data being used for analytics by filling out this form on Mastercard’s website. It’s unclear to what extent this stops Mastercard from monetizing your data for all secondary uses, but it’s better to submit a request than to not.
Request a copy of your Mastercard data
Mastercard offers a data portal where you can view Mastercard’s privacy information and submit requests to access a copy of your data. You can also request Mastercard delete what they have on you. First you need to create an account with the data portal. From there, you will have access to a central dashboard from which you can submit an access request. Mastercard may take up to 30 days to get back to you. You can check the dashboard for status updates.
Request Mastercard delete your data
How Mastercard sells its ‘gold mine’ of transaction data
Additional data rights if you’re a Mastercard holder and a Virginia or California resident
If you’re a resident of Virginia or California, you have more options for protecting your data. That’s because both states have enacted consumer privacy laws granting legal data protections.
Use this form to submit a request to access, correct or delete your data, as well as opt out of some personal information sales. If you want to access your data, there are some additional steps the form will walk you through, like uploading your driver’s license or utility bill to prove you are who you say you are.
This form allows you to exercise more control over the data Mastercard uses in one part of its data operation. Mastercard buys and combines detailed personal information about consumers as a part of a fraud prevention service, where companies can pay to authenticate online transactions before completing them.
This is a service aimed at companies, and Mastercard buys and sells lots of information, including your name, email address and geographic location. It even combines data to figure out who your family and friends are, and their contact information.
Unfortunately, not everyone can opt out of this part of Mastercard’s data business. If you are a resident of California or Virginia, we recommend you submit deletion and opt out requests in particular.
Consumer data rights aren’t enough
Being able to access and delete your data is a good thing. So is being able to opt-out of some types of uses of your data. But it’s not enough.
Right now, the responsibility to apply safeguards to how companies use your data falls squarely on your shoulders. To really protect your data, you’d need to research and submit individual data requests like the ones we’ve outlined above to virtually every company you interact with, plus hundreds of companies you’ve never even heard of who have bought your data from others.
It’s no wonder very few consumers exercise these rights. Even companies that offer better-than-average tools get very few data rights requests. For example, out of more than a billion cards globally, Mastercard received fewer than 1,000 requests to access, correct or delete data in all of 2022 worldwide.
Consumers should absolutely take advantage of the privacy tools they have. But it’s time to change our approach to our data. Instead of harvesting your data and using it in ways you don’t expect, companies shouldn’t be able to collect and use your data however they want in the first place.
That’s why we’re calling on Mastercard to change its data practices and commit to a limited data use policy – only collecting the data it needs to complete the service consumers are expecting to get, being a safe, secure credit card, and using that data only for that purpose.
Director, Don't Sell My Data Campaign, U.S. PIRG Education Fund; Policy Analyst, Frontier Group
R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.
Intern, Don't Sell My Data campaign