Page 30 - GS240301
P. 30
Education
Who owns data generated by payments?
Every payment will have a specific set of data fields and
will also likely have a coterie of entities clamoring for
rights in the same data, including the merchant, shop-
ping platform, advertiser who borough the consumer to
the merchant, fraud screening service, gateway, processor,
acquirer, issuing bank, commercial bank and others.
Legal ease:
Traditionally, card transaction information belongs to the
acquiring bank, but others inevitably pick up rights in the
same data by driving merchants and consumers through
their own terms and conditions or embedding their own
terms in others' terms.
Increasingly, state law prohibits the collection, storage,
processing, use or disclosure of individual consumer data
without express consent of the consumer. For example,
the California Consumer Privacy Act of 2018 (CCPA) pro-
Who owns this data? vides the following rights for California consumers:
• The right to know about the personal information
By Adam Atlas a business collects about them and how it is used
Attorney at Law and shared;
• The right to delete personal information collected
ata ain't what it used to be. The New York from them (with some exceptions);
Times is suing AI-giant OpenAI for copyright
infringement because it alleges that ChatGPT • The right to opt-out of the sale or sharing of their
D by OpenAI is able to operate in part because it personal information; and
has used NYT data. That case is emblematic of the value
of data in today's business market. • The right to non-discrimination for exercising
their CCPA rights.
Payments data also has tremendous value. ISOs help cre-
ate that data and are well-positioned to capitalize on it. Compliance with new state privacy laws is being managed
Meanwhile, states are ratcheting up privacy laws to pro- through various opt-in buttons and consents woven into
tect the privacy of consumers. the consumer experience. The result is a mixed bag of pro-
viders obtaining various degrees of legitimate title in vari-
The purpose of this article is to highlight some of the legal ous breadcrumbs of consumer data related to payments.
considerations for an ISO or payment processor in the hot Many ISOs and acquirers do not contract directly with the
field of data rights management. consumer. Their title in transaction data therefore relates
mostly to the necessity to take possession of card payment
What data do payments generate? information for the purpose of processing merchant trans-
actions.
For better or for worse, it's hard to think of any speck of
data that isn't somehow tied to payments. I'll avoid going
on a (hypocritical) rant about how the digerati have finan- However, some payment platforms, like PayPal, Stripe
and others, encourage consumers to have a login to the
cialized everything from putting air in the tires of your
car to reading the news. portal thereby creating a direct relationship between the
payment processor and the paying consumer. These pay-
ment platforms engage on both the consumer and mer-
Data fields generated by a typical payment go well beyond chant ends of transactions and are able to acquire more
the purchase price and payment card number.
data than those that service only one end.
They include location information, shopping cart con-
tents, email address, device ID, age of the purchaser, home Curiously, most acquirers and processors and some ISOs
pick up rights in data related to card payments, such as
address, mouse movements and—in the world of VR—eye-
ball movements over the page. the name of the payor and the amount paid, but they do
not pick up rights in information related to what the con-
sumer actually purchased—which is the holy grail of com-
In short, we kick-off reams of data wherever we go and, mercial data. An acquiring bank, processor and ISO know
particularly in consumer purchase transactions.
that a person spent $100 at Walmart, but they do not know
what that person bought.
30
