Cardholder annual privacy statements: You have limited opt-out options

Federal law spells out rights to restrict info sharing and marketing

Credit card holders' privacy options

You may not even notice the privacy notices you get in the mail every year from your credit card issuer. It’s so easy to mistake them for junk mail that you may have tossed them out without even looking at them.

If that sounds like you, listen up. Carefully reading those privacy notices – and acting on their choice to opt out of your financial institution’s information-sharing practices – is something you may want to put on your to-do list.

In a nutshell, most cardholders will let you opt out of the sharing of your information for some marketing purposes, but only in very specific circumstances as spelled out in federal law.

Cardholder privacy policies: What you should know

  • Most card issuers are free to share and collect cardholders’ personal information, and that can include Social Security number, income, account balances, employment information, credit history and transaction history.

  • Most major issuers will let cardholders limit the sharing of personal information for some business marketing purposes with their affiliates (related companies) and nonaffiliates (outside companies).

  • To opt out, you may be able to go online, but some issuers require you to call.

  • To stay on top of your privacy options, read the annual privacy policies you receive in the mail every year. You also can read your card issuer’s privacy disclosure online.

  • Pay special attention: Some card issuers reserve the right to collect information about you from friends and social media.

What the law says about card data collection

“Our privacy laws are pretty weak,” says Lauren Saunders, associate director of the National Consumer Law Center in Boston. “There are some limits on what banks can do with your sensitive financial information, but for the most part, they’re just required to give disclosures, and there’s some limited information you have the right to opt out of having shared.”

The Gramm-Leach-Bliley Financial Modernization Act of 1999 requires card issuers to tell you what information they’re gathering, which is why you get those notices about the company’s privacy policy every year and shortly after you open an account. Banks that don’t share your information in ways that trigger the law’s opt-out requirement can skip the annual mailing requirement.

However, nearly uniformly, major card issuers and networks allow cardholders to opt out of only what’s legally required.

Basically, that is when your credit card issuer wants to share more detailed information about you – your creditworthiness, your specific transaction history, etc. – with its affiliates (related companies) or nonaffiliates (outside companies). You can opt out of those info-shares, and with them, cut out unwanted mailers and other marketing activity you may not want.

A few states, including California, forbid information sharing unless the customer opts in.

"In most cases, the card issuer doesn’t know the kind of products you’re buying. [It] knows you went to the grocery store and is going to know the dollar amount, the date and the location of the store, but not that you bought kitty litter."

What personal information card issuers collect from cardholders

For most consumers, the purchase data collection doesn’t extend beyond certain basics, and often includes fewer specifics than consumers give up when they enroll in a drug or grocery store loyalty card or reward programs that track every item purchased.

In other cases, however, card purchases are more detailed. With airline tickets, for example, the issuer will know not only the price, but also your date and itinerary.

“In most cases, the card issuer doesn’t know the kind of products you’re buying,” says Jason Steele, a credit card expert who runs the CardCon conference. “The issuer knows you went to the grocery store and is going to know the dollar amount, the date and the location of the store, but not that you bought kitty litter.” 

Card benefits and protections linked to data collection

Much of the data that card companies do collect about you is necessary to clear and process transactions and prevent identity theft and fraud.

While it might seem invasive for a card company to know every place you shop, for example, that information is used to verify that the merchant is legit and provides card benefits in terms of proof of purchase, warranty information or the ability to request a chargeback for a defective product. Other data is used for fraud prevention and technical reasons.

“Where it gets tricky is that when you do sign up for a credit card, there’s the usefulness of having your purchases tracked and there are legitimate uses for that data,” says Eva Velasquez, CEO of the Identity Theft Resource Center.

“The only way your bank can identify fraudulent charges is by knowing what your regular charges and patterns are,” Velasquez adds. “So, we have to balance between how do they defeat fraud and how are they cognizant of your right to privacy, and not have everybody know what your purchasing habits are.”

Data collection gets personal

Beyond purchase data, card issuers can vacuum up all other kinds of information about you. Here are a couple of examples:

  • Visa’s disclosure explains that the network may collect information about you from its partners, as well as third parties, social media and even your friends. As for checking the “Do Not Track” option on your browser when visiting Visa’s website, don’t bother. The card issuer’s privacy disclosure says it “has no mechanism to respond to such a signal.”
  • At Discover, users can restrict their credit information from going to affiliated companies for “everyday business purposes.” But those same affiliates are allowed to get “information about your transactions and experiences.”

Want to know more about your card’s privacy policy? It’s usually available online.

Cardholder privacy limitations not an issue for consumers

Despite limits on how credit card consumers can restrict the use of their data, complaints about card privacy policies make up a tiny portion of the grievances on file with the Consumer Financial Protection Bureau, which oversees compliance with Gramm-Leach-Bliley.

Of the 964,142 complaints on file at the bureau’s website, a mere 902 involve credit card privacy issues – less than a tenth of 1 percent. Complaints include American Express, Discover, Chase, Chase, Capital One, Bank of America and others, and often cover multiple issues.

While the bureau investigates complaints, a spokesman said the consumer bureau hasn’t issued any enforcement actions against card issuers or networks relating to privacy issues.

Despite growing consumer concerns about privacy, card issuers haven’t made efforts to introduce expanded or enhanced privacy issues, experts say.

“I’ve never seen any issuer say that they’re going to protect the privacy of your transactions and information better than any other credit card,” Steele say. “I just don’t see them competing on that.”

"I’ve never seen any issuer say that they’re going to protect the privacy of your transactions and information better than any other credit card. I just don’t see them competing on that."

How cardholders can minimize data sharing and collecting

For real privacy, Steele adds, just cut the card issuer out of the loop.

“If you’re extremely privacy conscious, the simple thing you can do is to use your credit card to purchase a prepaid card,” Steele says. “There’s no registration when you purchase a prepaid card, and there’d be no easy way of tracing back those purchases to you.”

Even closing your accounts won’t end a card issuer’s ability to keep sharing the information that’s already been collected, and it won’t force an issuer to stop sending promotional and marketing information.

In the end, card users aren’t clamoring for more protections, and seem mostly willing to trade some loss of privacy and control over their data for the convenience, protections and benefits provided by credit cards.

After all, says Velasquez of the Identity Theft Resource Center, “who wants to go back to using cash?”

Opting out of information sharing: 5 FAQs

If I’ve already opted out of a financial institution’s privacy options, do I need to ever opt out again?
Only if you get a notice that its information-sharing options have changed. If you have more than one account with the same institution, you may have to opt out once for each account.
I already opted out. Will I continue to get a privacy notice from my credit card company every year?
Not necessarily, unless your card’s privacy policies have changed, affecting your right to opt out. Under a 2014 rule by the Consumer Financial Protection Bureau, card issuers are allowed to post their annual privacy notices online rather than delivering them individually as long as they do not share data with unaffiliated third parties in a way that triggers customers’ rights to opt out. Under the same rule, card issuers have to inform you about the online availability of their disclosures, but they are not required to send a separate communication to inform you about it. A notice on the online availability of privacy disclosures may be included in a monthly billing statement or any other regular consumer communication.
Once I get the privacy notice, how long do I have to respond?
According to the Federal Trade Commission, you need to opt out within a “reasonable period of time” – generally about 30 days after the company mails you the notice. Otherwise, the company is free to share certain personal financial information. But if you didn’t opt out the first time you received a privacy notice from your card issuer, it’s not too late. You can always change your mind and exert your right to opt out. Contact your card issuer and ask for instructions on how to proceed. Just remember that any personal information that was shared before you opted out cannot be retrieved.
Can I only opt out at a specific time of year?
No, you can opt out any time.
Will opting out limit the number of prescreened credit offers I get in the mail?
No, that’s a separate process managed by the credit reporting agencies. To opt out of prescreened credit and insurance solicitations, go to OptOutPrescreen.com.
Will opting out of sharing my information make it hard for me to get other financial products in the future?
“Absolutely not. By law, companies are not permitted to penalize you for opting out,” says Jared Ihrig, chief compliance officer for the Credit Union National Association. “Your future credit options are determined only by your own creditworthiness.”

See related: Security tips for protecting your privacy, 10 things you should know about identify theft, 6 things to know before buying identity-theft protection


Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.




Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.


Updated: 08-19-2018