It’s a small plastic rectangle that knows us inside and out: the bank card records a lot of data about our shopping behavior or our movements, which can be used by banks or other actors.
Does my bank know everything I buy?
When paying by card, the bank collects “payment data”: amount of the transaction, date and time of payment, identity of the merchant, etc.
On the other hand, it does not have access to the details of the products purchased, the so-called “purchase data”.
When it comes to paying online, things get complicated because purchase data can be propagated between many actors, “including banks,” explains Aymeric Pontvianne, financial and innovation advisor at the National Commission for Information Technology and Liberties (CNIL).
“But they have no interest in writing the history of that data,” he believes, because their customers expect a pure banking service and “certainly would get very angry” if their bank tracks their purchases.
“Trusting banks for data management is a huge asset, and we don’t want to play with that,” confirms Sophie Heller, Head of Commercial, Retail Banking and Services Division at BNP Paribas.
In addition, retailers are jealous of their customers’ purchase data because passing it on to banks would give too many indications of their performance.
Mr. Pontvianne believes that there can be a data exchange between a merchant and a bank actor in a specific case: in the case of store cards that also act as a payment card. Typically, to operate this type of card, merchants need to have a banking subsidiary that they can safely exchange data with as it is part of the same group.
However, the consumer must first give their consent, as required by the General Data Protection Regulation (GDPR).
And beware of ambiguities: Carrefour and its subsidiary bank were fined 3 million euros by the CNIL in 2020 because they had not complied with their obligation to provide information on the passport card. However, the data officer pointed out that the group subsequently made “considerable efforts” to comply with the regulations.
What can this data be used for?
Historically, banks have had access to payment data to enable their customers to estimate their spending, provide advice and for anti-money laundering purposes. This data is protected by banking secrecy.
Subject to the express consent of their customers, they may also use them for marketing purposes.
In this case, a bank can analyze a customer’s payment data in order to target him or her with the promotion of certain services offered by its affiliates. For example, if someone spends a lot of money on insurance or gas, they can offer them their own insurance or their electric car rental.
The Bank does not have the right to use its data to create a “profile” of its customers, which could deprive them of certain rights: for example, refusal to take out credit or insurance because a customer makes regular purchases at the pharmacy and could therefore potentially be affected by a Illness.
Are banks the only ones who can know this information?
Banks aren’t the only ones who have information about our habits, as means of payment have multiplied in recent years and digital purchases have “generated more data movements that are less expected,” notes Aymeric Pontvianne.
Some start-ups, bank account aggregators or large digital platforms developing means of payment can therefore have access to a large amount of data, sometimes without being transparent about it.
For the Cnil, the only solution to keep their payments anonymous is cash, which is used less and less every day and more for small purchases.