Electronic and digital payments and privacy

Technology has significantly shifted the way we pay for goods and services. The payments space is no longer solely occupied by cash, credit and debit cards, but also includes electronic and digital payments such as online/mobile payments and digital wallets.

The convenience of these new methods of payment is clear; however, alternatives to cash may involve more than just paying for something — these new methods may also include personal information about you, your online activities, and your purchases being shared.

The following information provides an overview of electronic and digital payments, an explanation of how a few of the common types of digital payments work, and a description of their associated privacy risks.

What are electronic and digital payments?

Electronic payments are generally understood to be any type of payment that is not made with paper (cash or a cheque) — for example using a debit or credit card at a store. Digital payments are considered a subset of electronic payments in that the transaction takes place from a digital device — for example making a payment from a computer, tablet or smartphone.

The distinguishing feature of digital payments is that they do not involve the use of a physical card, but rather transactions take place using information that is stored on devices such as smartphones or tablets.

What are some privacy issues you should know about electronic and digital payments?

Electronic and digital payments generally involve transmitting personal information electronically to other organizations, such as financial institutions and payment processing companies. While most organizations go to great lengths to ensure the security of these types of digital transactions, errors or breaches in security can occur, so the risk to personal information is higher than with cash.

In addition, electronic and digital payments are generally not a purely financial transaction between an individual and a retail business. In many cases, they are a more complex exchange of purchase information and other personal information. For example, purchases can be associated with other information, such as your purchasing habits, your location, your social media connections, and much more, once again, raising privacy risks relative to cash only transactions.

Practices differ significantly between providers. As a result, it is important for consumers using electronic or digital payments to be aware of the extensive amounts of data involved when making a purchase.

It is also important to know that personal information in electronic and digital payments should only be shared, traded or sold, in accordance with applicable privacy legislation.

What privacy laws apply?

The Personal Information Protection and Electronic Documents Act, or PIPEDA, sets out ground rules for the management of personal information in the private sector.

PIPEDA applies across Canada to organizations that collect, use, or disclose personal information in the course of commercial activities, unless provincial privacy legislation deemed substantially similar to PIPEDA applies. Quebec, Alberta and British Columbia each have substantially similar legislation privacy covering the private sector.

In all provinces, including provinces with substantially similar laws, PIPEDA continues to apply to companies engaged in interprovincial or international transactions and to all federally regulated organizations (such as banking and telecommunications).

See our fact sheet on Privacy Legislation in Canada for more information about how Canada’s federal private-sector privacy law protects your privacy rights.

In addition to privacy legislation, there are other rules and standards in place to promote the protection of your information when performing payments. This includes standards set by the payment card industry (Payment Card Industry Data Security Standard) and rules developed by the Canadian Payments Association, which is Canada’s main financial market infrastructure for payments.

How do electronic and digital payments work and what is happening to my personal information?

The way electronic and digital payments work and the implications for personal information depend on the type of technology you are using and the retailer’s service arrangement for the transaction.

The links below provide an overview of a few types of electronic and digital payments:

Paying with a card at a store by tapping or using a chip

Paying on an online or mobile website

Paying with a digital wallet

Paying with virtual currencies

At the end of this article, there are also tips to help you protect your personal information when making digital payments.

Paying with a card at a store by tapping or using a chip

How it works

When you "tap" your debit or credit card, a retailer’s payment terminal automatically reads information, such as your card number and expiration date, from a microchip on your card using Near Field Communication (NFC) technology. This is the wireless method the card and payment terminal use to "talk" to each other. In other cases, you may have to insert the chip on your card into the payment terminal and enter a personal identification number (PIN).

Retailers often use other companies — known as payment processors — to provide them with payment terminal equipment to complete these kinds of payment transactions.

To authenticate the cardholder and verify availability of funds, the payment terminal first communicates with the merchant’s payment processor. The payment processor then exchanges data with the financial institution that issued your card either directly or through the payment card network operator (e.g., Interac, Visa, MasterCard, or American Express).

Basic information exchanged typically includes the value of the transaction, the merchant ID, and the time the transaction took place.

What happens to your personal information

At a minimum, information contained in the payment card and information related to the purchase will be shared with the retailer and the financial institution that issued the card, to verify that the purchase can be completed.

For the purposes of authorizing and approving transactions and mitigating fraud, the financial institution and the payment card network operator receive information about where and when you shopped and how much you spent.

Payment terminals can also be built to feed into a retailer’s "customer relationship management" database so that a retailer can track your purchases and tie those to other information about you, such as your email address, if you have given it to them. Financial institutions and payment card network operators could also profile you based on your purchase information.

This purchase information could potentially be shared and linked with information held by loyalty card companies, data brokers, or marketers.

Paying on an online or mobile site

How it works

When you make a purchase on a website, mobile application ("app"), or mobile site, you provide your payment card details in order to make a purchase. To complete the transaction, the retailer exchanges information with its processor and that information, in turn, is communicated to other parties in the same way that a transaction is approved at the physical point of sale. An online or mobile payment transaction can also involve transmitting your purchase information to the retailers’ databases.

In some cases, the retailer may allow you to use a third-party company (for example PayPal) to make the payment so that you don’t have to share your card details with the retailer. In other cases, the retailer may use a third party application that is integrated with the retailer’s website, in which case, the retailer may not receive your card details.

As a result, it is important to find out what these third-parties are doing with your personal information, since each of these parties may not operate in the same manner.

In addition, many websites and apps also collect and transmit other personal information related to the purchase, such as your device’s IP address, information about previous purchases, location information, your browsing history, or other information about your device. This may be done in order to facilitate a payment or for fraud management purposes. This information could also be used to track and monitor your preferences to serve you targeted advertisements or offers.

What happens to your personal information?

When you make a purchase, your payment information will be shared with the retailer and whatever companies they are using to process the payment.

Other companies may be involved, including financial institutions that issue payment cards, the payment card network operators, payment processors, advertisers, loyalty reward companies or data brokers.

In some cases, you may have an account with the online or mobile site that links to your payment details. While this may be done in order to process your transaction, all your purchases can potentially be tracked, and combined with other information on your device (likely gathered by cookies).Footnote 1 Some companies may have deals with online marketing companies, and this information can be used to profile you or to serve you targeted advertising. It could also be sold to, or combined with, information held by data brokers or companies that offer loyalty points.

Some sites allow you to log in to your account using the credentials from your social network site. This may help you avoid having to remember many passwords while providing a more personalized experience. In some cases, however, this can mean that your social activity can also be tied to your purchases and may be further used to track and profile you. That profile information can in turn be sold or shared with other organizations that want to profit from your personal information.

If you use a third-party payment company to make a payment for a purchase, these companies may also use or share your purchase information. For example, they may keep track of your purchase history to provide you with relevant deals or promotions, or may share it with others, to profit on your information.

In some cases, your purchases could be tied to, or associated with, your in-person or online browsing activity as a result of sophisticated in-store tracking and monitoring. This is as a result of the Internet of Things.Footnote 2 In the Internet of Things, objects and devices have the ability to seamlessly connect and communicate a wide range of online and offline information (including location, purchases, and online browsing history).

With sensors in stores, or via apps using Bluetooth, an individual’s mobile device can reveal a lot about their interests, and when that is tied to purchases, it can paint an even more detailed portrait of the individual behind a device.

Paying with a digital wallet

How it works

A digital wallet is an "app" on a smart phone that lets you pay for products and services digitally.

Payment information is stored on a secure chip on your mobile device or on the digital wallet providers’ server. Some digital wallets may even store the information on your SIM card, and use your wireless provider to communicate the payment details.

Typically, when you store your payment card details using these methods, your information is encrypted and special "tokens" or "one-time security codes" are created to verify each payment transaction. This means that your payment details are not always being transmitted to complete a purchase. However, not all digital wallets use tokens. Since each digital wallet can be different, you would have to read the information from your digital wallet provider to find out how they operate.

In some cases your mobile device or digital wallet will require your fingerprint or password prior to making the purchase.

There are also payment apps that support facial recognition to approve a payment. Some payment models allow you to have a photo on your profile so a retailer can confirm payment by comparing that photo to your face when you make a purchase at their establishment. Some payment apps may also involve you using your camera to confirm your identity prior to making a purchase.

Biometrics, such as facial recognition and fingerprints, are unique to you, and you should be aware how these unique elements of you are being used, and the consequences if this information is compromised.

What happens to your personal information?

Depending on what technology is used, retailers may or may not receive detailed payment information such as your payment card number.

However, other types of personal information may be used or shared at the time of the transaction. This could include your location, unique information about your device, and even your contacts.

The personal information included with these transactions can be used or shared in a number of ways:

  • Retailers and Reward/Loyalty programs (if you are a member) could track your purchases and purchase history and tie it to other information they already have, such as your name, email address, and previous purchases.
  • Data brokers and marketers may, in some cases, buy data from retailers or loyalty/reward programs.
  • Financial institutions, payment card network operators, and payment processors may create a profile based on your purchase information and use it for fraud management, marketing, or targeting services.
  • There are some apps that allow you to transfer funds to your friends. These apps could collect information about your contact lists, including those contacts from your social media networks. In addition, some of these apps may even involve posting who you paid, and what you paid for.
  • Biometrics, such as fingerprints or images of your face, may be used to prove you are the one making the payment. There is no one way that payment apps collect, use, or disclose this information. As a result, you should be aware of what a company is doing with this information and ask them questions about their practices.

The ways personal information is used or shared should be specified in the terms and conditions and the permissions of the app. Note, however, while some digital wallet services specify that they will not use your information or payment history, these policies can change over time.

Paying with digital currencies

How it works

In general, digital currencies (like Bitcoin) transact using computing algorithms. They are a digital representation of value and are used as a medium of exchange, but they do not have legal tender status. People can buy these currencies using real money and store them in a "digital wallet" or with a service provider. When you want to use these digital currencies to make a payment, you send the payment to the retailer electronically.

What happens to your personal information?

Some people suggest virtual currencies can be used to make purchases anonymously. This isn’t necessarily true because the digital trail associated with these currencies can still be tied to an individual, although the trail usually consists only of transaction records rather than personal information. To set up an account in order to use these virtual currencies, however, you may be required to provide some personal information, such as your name, credit card information, banking information, driver’s licence, utility bill or even passport information.

While the anonymity of digital currencies may limit the exposure of details related to your payment information, retailers can still combine your purchase information with other information they have such as your name, email address, purchase history or rewards/loyalty points you have with the store.

Tips for protecting personal information

Don’t post or share your card numbers or PIN

These numbers are valuable and can be used for identity theft or identity fraud.

Use strong passwords

It’s important to use strong, unique passwords on your mobile device, for the apps used for payments, and any sites where you create a user account.

Read privacy policies and terms of service agreements

These documents should tell you what happens to your personal information when you make a purchase.

There are a number of companies that can be involved in digital payment transactions including but not limited to retailers, financial institutions that issue payment cards, the payment card companies, third parties that make devices and payment terminals, loyalty reward companies and data brokers.

Find out how these companies are involved with the payment method you are using and ask questions about what information is collected, how it will be used and who it will be shared with.

  • For example, if you have a digital wallet that uses your contact list, find out how they use it and what other companies they may share that information with.
  • If there is a payment app that can post your purchases, find out how you can change your settings. Take time to think about what it means to have all of your payments posted online.
  • If a payment method uses biometrics, such as images of your face, or fingerprints, make sure you are comfortable with what they are doing with this information, and how it is stored and protected.

There are circumstances where organizations may use information for reasonable purposes, for example, administrative or anti-fraud purposes. Even in these cases though, this must be done in a manner that is consistent with privacy legislation.Footnote 3

If you have questions about your privacy or what you read in a privacy policy, privacy laws require an organization to provide a contact person to whom you can address your questions.

Ask what happens when you use your social network identifier

This may help reduce the number of passwords that need to be remembered, while providing a more personalized experience. However, you should be aware that signing in using a social network site could tie your social activity to your purchases and be used to track and profile you.

If you don’t want your social media profile to be linked to your purchases then think twice before providing that information.

Opt-out when you want to

If you are not comfortable with being tracked, consider opt-outs from tracking and profiling for subsequent marketing or other purposes.

If the process for opting out is not in an organization’s privacy policy or terms and conditions, contact the organization to ask about your opt-out options and how to exercise them.

An organization should have a privacy contact person to answer your questions.

Learn more about "free" Wi-Fi

Information about your device could be tracked by a store, or third-party partners, that offer the free Wi-Fi service. This tracking could involve combining location information with information about online search activity, shopping carts, and loyalty programs. Even more information can be gleaned if a social network site authenticator (like a social network account) is used to sign in to the Wi-Fi services.

Before signing into the free Wi-Fi, read the terms of service to find out what happens with your device browsing and purchase information and talk to the privacy contact person at the store if you have any questions.

If you are unsure whether your device location information is being tracked, check your settings on your device. If you are not comfortable with your location being tracked, shut off location tracking on your device.

(Note: This advice also applies if you use Bluetooth and connect to a store’s app.)

For further information, please see the OPC’s research paper on The Internet of Things.

Ensure websites are legitimate and secure

Before making a purchase online or on your mobile device, check to see if the site uses encryption to protect personal information from hackers — you can tell if the website begins with "https:" and has a picture of a padlock next to the web address (also known as the URL). Beware: Some sites try to spoof legitimate sites and even use the "https:"

Make sure you are on the right site by following these tips:

  • It is generally safer to log onto the web site directly by typing the web address in your browser.
  • Be suspicious of e-mails from financial institutions, Internet service providers and other organizations asking you to provide personal information online.
  • Be aware of any websites or URLs that contain spelling mistakes.
  • Click on the padlock near the URL, this will tell you which company was issued the certificate for this website.

Ask what happens when a store offers to email your receipt

While it’s great to have less paper, you may want to ask the store what it is doing with your email address and purchase information.

In addition, if you have the receipt emailed to a free email service, you should also remember that many free email services may scan your emails to send you targeted ads based on information in that email. If you don’t want your email service tracking your purchases then you may not want that receipt sent electronically.

Understand the loyalty or rewards program before you join

Consider how much personal information you have given a retailer when you make a purchase and make sure you are comfortable with it.

You may have provided a retailer with a fair amount of personal information. Perhaps you have given your email address because you wanted to be notified about deals. Maybe you are a member of a retailer’s loyalty program.

All of this is fine as long as you are aware of — and are comfortable with — the amount of personal information they are collecting and how they are combining it with your purchase information.

Inform yourself, ask questions, and then decide if you want to join a loyalty program.

Date modified: