Secrets of Privacy

Your Spending Patterns Are Now A Product

Visa, Mastercard, and Amex all run data businesses built on your spending. Here's what's actually for sale, and how to decide which purchases to keep off the network entirely.

Secrets of Privacy
Jun 24, 2026

If you've used a credit card this week, Mastercard, Amex, or Visa has a record of it, and at least two of them are doing something with that record you probably don't know about.

Mastercard has a division built specifically to package up cardholder transaction data and sell it to advertisers, data brokers, and anyone else willing to pay for access. A 2023 investigation by U.S. PIRG (a consumer advocacy group) found that Mastercard runs at least 25 different data products through this division, and most cardholders have no idea it exists. Mastercard’s public position is that it doesn’t sell “personal cardholder data for marketing.” PIRG’s response was that the distinction doesn’t hold up. While Mastercard isn’t handing over your name, it doesn’t need to. The categories themselves are personal enough.

Amex just got back into this business too. In October 2025 the company launched Amex Ads, which lets brands target its 34 million U.S. cardholders based on what they’ve bought and where they’ve traveled.

Visa is the interesting case. It ran a similar product called Visa Ad Solutions until 2021, then shut it down. Whether that means Visa stopped monetizing transaction data, or just stopped doing it through that particular product, is something Visa has never clearly answered.

What this all means is that three companies process essentially all of the card payments in the country. Two of them are actively selling insights derived from those payments to outside parties right now, and the third has a complicated history that nobody’s fully accounted for.

How This Actually Works

The way people imagine this works is that the credit card company sells a list of your purchases with your name attached. That’s not quite how it works.

When you buy something, the network sees the merchant name, the amount, the date, and roughly where the transaction happened. Mastercard’s own privacy policy says it generally doesn’t need your name to process the transaction, and usually doesn’t have it in that data stream.

What the network does have is volume. Billions of transactions, attached to anonymized account identifiers, repeating over months and years.

From that, Mastercard builds what PIRG described as behavioral categories. Frequent late-night fast food orders. Big spikes in spending around certain dates. A pattern that looks like someone furnishing a new apartment, or someone who just had a baby, or someone the company would internally tag as a “high-value” customer worth targeting with offers. The Electronic Frontier Foundation pointed out that Mastercard uses transaction frequency, amount, location, date, and time specifically to predict what kind of spender you are.

None of that requires your name. Instead, it requires only your pattern. And patterns are often more identifying than names, because almost nobody else shares your exact combination of where, when, and how much.

It’s worth being clear about how we know credit card companies use your spending data versus what’s a reasonable worry.

The advertising use case is documented and not in doubt. But health and life insurers buying this kind of data for underwriting is not something I found evidence of happening today, at least not directly. But privacy advocates have flagged it as the obvious next step, and it’s not hard to see why. A pattern of frequent fast food orders and no gym membership charges is exactly the kind of signal an insurer would want and a data broker would be happy to package.

Nothing about the current setup prevents that from happening, of course. It’s just, as far as anyone’s reported, not happening yet.

This Is a Deliberate Business Now

Mastercard didn’t end up with 25 different data products by accident. Someone built a roadmap for that, with robust sales teams and growth targets.

Amex didn’t launch Amex Ads in October 2025 because they happened to have some data sitting around. That’s a media business they stood up on purpose, with named partners like Marriott and Macy’s, and they’re describing it to cardholders as a perk (“relevant content at exactly the right time”) rather than something being done to them.

My honest read is that this is going to keep expanding because the economics are good and because most of what these companies are doing is, in fact, legal under current federal privacy law. The Gramm-Leach-Bliley Act lets financial companies share data with very limited opt-out rights, and what opt-out rights exist are often buried in annual privacy notices nobody reads. A handful of state privacy laws (California’s among them) give residents stronger opt-out and deletion rights, but enforcement against card networks specifically has been close to nonexistent.

So if you’re waiting for this to get fixed at the policy level, I wouldn’t hold your breath. The more useful question is what you can actually do about your own exposure, given that this is the environment.

Where the Opt-Outs Actually Lead

Before getting into what to do, it’s worth being straight about what doesn’t work, because most privacy advice oversells the opt-out step.
