Tell Mastercard: Stop selling transaction data
Mastercard knows where people shop, how much they spend, and on what days - and it sells that information online.
Sign the petition
Today, many of the companies we interact with on a daily basis have found a new revenue stream: selling their customers’ data. There are huge markets for personal data, bought by companies ranging from advertisers and tech companies, to hedge funds and data brokers.
Credit card data in particular is extremely valuable. Knowing how much people spend, where and on what day says a lot about consumers’ financial situations, their personal lives and the decisions they might make in the future.
In the last decade, Mastercard has increasingly capitalized on the transaction data it has access to in the course of being a payment network. Mastercard sells cardholder transaction data through third party online data marketplaces and through its in-house Data & Services division, giving many entities access to data and insights about consumers at an immense scale.
Mastercard is far from the only company engaged in data sales, nor is it necessarily the worst actor. But in its position as a global payments technology company, Mastercard has access to enormous amounts of information derived from the financial lives of millions, and its monetization strategies tell a broader story of the data economy that’s gone too far.
Mastercard sells bundles of cardholder transaction data to third party companies on large online data marketplaces. Here, third parties can access and use information about people’s spending to target advertisements to individuals, build models that predict consumers’ behavior, or prospect for new high-spending customers.
For example, Mastercard’s listing on Amazon Web Services Data Exchange states that companies can access data like the amount and frequency of transactions, the location, and the date and time. Mastercard creates categories of consumers based on this transaction history, like identifying “high spenders” on fast fashion or “frequent buyers” of big ticket items online, and sells these groupings, called “audiences”, to other entities. These groups can be targeted at the micro-geographic level, and even be based on AI-driven scores Mastercard assigns to consumers predicting how likely they are to spend money in certain ways within the next 3 months.
The data Mastercard monetizes on these marketplaces is in aggregated and anonymized bundles. Aggregating and anonymizing consumer data helps cut down on some of the risks associated with data monetization, but it does not stop reaching people on an individual level based on data. High-tech tools connected to these third party data marketplaces allow companies to target and reach selected individuals based on traits like past spending patterns or geographic location.
Mastercard is a listed data provider on many of the major online data marketplaces. In addition to Amazon Web Services Data Exchange, Mastercard has listings on LiveRamp, Snowflake, theTradeDesk, and MediaMath, among others.
Since the publication of this report, Mastercard has removed its listings on a number of the marketplaces we originally identified in this report, including Adobe’s Audience Marketplace, Microsoft’s Xandr, Oracle’s BlueKai and Lotame.
However, selling data on even one of the marketplaces where Mastercard still maintains listings continues to make consumer transaction behavior available to a significant number of entities.
In addition to data sales on third party marketplaces, Mastercard also has its own Data & Services division. Here, Mastercard advertises access to its databases of more than 125 billion purchase transactions through its more than 25 data services products. Some products give companies the chance to pay for cybersecurity and fraud detection tools. Others are focused on the monetization of consumer information for AI-driven consumer modeling and highly-targeted advertising.
For example, Intelligent Targeting enables companies to use “Mastercard 360° data insights” for identifying and building targeted advertising campaigns aimed at reaching “high-value” potential customers. Companies can target ads to selected consumers with profiles similar to Mastercard’s models – people it predicts are most likely to spend the most money possible.
Another data services product, Dynamic Yield, offers dashboard tools allowing companies to “capture person-level data” of website or app users, do A/B consumer testing, and “algorithmically predict customers’ next purchase with advanced deep learning and AI algorithms”. One of Dynamic Yield’s data products, Element, advertises that companies can “[l]everage Mastercard’s proprietary prediction models and aggregated consumer spend insights to deliver differentiating personalization that caters to each users’ unique habits and expectations like never before.” While the transaction data Mastercard offers may be aggregated, it’s clearly used to identify targets and reach them at the individual level.
Another example is SessionM, Mastercard’s customer data management platform product, allowing companies to combine their first-party data with data from other sources to create “360 degree” profiles of consumers that can be updated in real time based on purchases.
In the last 15 years, Mastercard’s data monetization strategies have been a growing part of its revenue stream. In 2008, Mastercard’s then head of Global Technology and Operations said in an interview that a big question for Mastercard was how to “leverage that gold mine of data that occurs when you have 18.7 billion transactions that you’re processing.” By 2013 the company had established an in-house data monetization division – then called Information Services – and was approaching online advertising and media desks about opportunities to leverage its then reportedly 80 billion consumer purchases data. In 2018, Bloomberg reported that Mastercard and Google made a deal to provide credit card data for Google’s ad measurement business.
Recently, corporate acquisitions have helped drive Mastercard’s data revenue growth. In 2019, MasterCard acquired the AdTech platform SessionM, and in 2021 bought the AI company Dynamic Yield from McDonald’s. We briefly outline both platforms in the section above.
Almost every company we interact with collects some amount of data on us. Often it’s more information than they really need – and it’s often used for secondary purposes that have nothing to do with delivering the service we’re expecting to get. This way of doing business unnecessarily increases the risks for regular people whose data has become a commodity, often without their knowledge.
When companies engage in data harvesting and sales to third parties, it increases the personal security risks for consumers. The more companies that hold a person’s data, the more likely it is that information will end up exposed in a breach or a hack. Once exposed, consumers are much more likely to become the victim of identity theft or financial fraud, and experience serious damage to their credit score.
Data sales also increase the odds scammers will gain access to personal data, allowing for the construction of targeted predatory schemes. Data brokers that often rely on other companies’ collection of consumer data have furnished scammers looking to find ideal victims with data, like identifying patients with dementia for targeting with fake lottery scams.
Data sales often flow into the advertising industry, fueling the inundation of people’s screens with ads they didn’t ask to see that range from annoying to creepily invasive. In the 1970s, the average American saw between 500-1,600 ads a day; today, powered by data-driven online advertising, it’s now estimated at 5,000 ads daily, spanning across traditional ads on TV, radio and billboards, and targeted digital ads on websites, social media, podcasts and emails.
Advertising often encourages consumers to spend more money on purchases unlikely to shore up their financial health in the long-term. Americans currently owe more than $1 trillion in credit card debt – a record high. In today’s market with rising interest rates, endless data-driven appeals to spend more money play an increasingly unhelpful and potentially dangerous role in people’s lives.
While consumers have official government channels for opting out of junk calls and junk mail, there’s little consumers can do to protect their screens from unnecessary annoying, distracting and invasive ads they didn’t ask to see and didn’t give permission to have their data fuel.
Some tools companies use to protect privacy are not as secure as they sound, like aggregation and anonymization. A 2015 MIT study found this was the case with anonymized credit card data. Using an anonymized data set of more than 1 million people’s credit card transactions made over 3 months, MIT researchers could identify an individual 90% of the time using the transaction information of just 4 purchases. Data that’s provided in batches also has its limitations. For instance, providing data by micro-geography, like zip+4, can in some cases end up being so specific as to point to a specific address.
Additionally, just because data is aggregated and anonymized does not mean consumers aren’t being singled out for their purchasing habits. Using high-tech automated tools, anonymized and aggregated data can be used to reach specific consumers with tailored messages or help predict a given individual’s behavior.
Companies have taken data harvesting and sales too far. The collection and sale of people’s data is almost entirely unregulated, and virtually every major company has begun monetizing customer data in ways people are not expecting.
Mastercard should commit to a policy of limited data use by implementing the principles of data minimization and purpose specification. This would mean collecting only the data necessary for providing the services cardholders are expecting to get – access to a safe and reliable credit card – and using the data only for that purpose.
PIRG has launched a coalition with Accountable Tech, American Civil Liberties Union, Center for Digital Democracy, Electronic Freedom Foundation, the Electronic Privacy Information Center, Oakland Privacy and Privacy Rights Clearinghouse asking Mastercard to commit to a limited data use policy.
Mastercard has served as people’s credit card long before it was able to use and sell transaction data in all of the ways that modern technology enables. Growing its profit margin is not a compelling reason for Mastercard to contribute to the massive marketplaces for data.
Passing new consumer data laws and having strong enforcement will be key to curtailing today’s invisible economy for people’s data. This is an urgent task. In the meantime, companies should voluntarily implement limited use data policies, and bring their business models back in line with consumer expectations.
Mastercard sells transaction data -- like where cardholders shop, when and how much they spend -- to third parties.
Sign the petition
R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.