Add the credit card readers/POS tablets at stores, Starbucks, etc to that list, which mostly have tiny cell phone cameras built into them now (whether you knew it or not)
Traditionally we think of the information collected as:
8/11/2024 | Amazon.com | $50
But Level 3 data includes each individual line item:
8/11/2024 | Amazon.com | $50 | 1 Very Embarrassing item | some additional fields
This appears in all sorts of interesting ways, and is not restricted to B2B/B2G transactions as they state so prominently. Anyone can sign up if they have a certain number of transactions per year and save quite a bit on credit card processing fees for providing the data.
I can't find the article but there was a tire company that provided a branded credit card, and they had risk profiles for their customers. The riskiest went to some specific bar, and the least risky were buying snow removal tools. (Please forgive my memory if I have the details incorrect).
"Martin’s measurements were so precise that he could tell you the “riskiest” drinking establishment in Canada — Sharx Pool Bar in Montreal, where 47 percent of the patrons who used their Canadian Tire card missed four payments over 12 months. He could also tell you the “safest” products — premium birdseed and a device called a “snow roof rake” that homeowners use to remove high-up snowdrifts so they don’t fall on pedestrians."
Additionally if you try to buy large amounts of visa gift cards it can be problematic. This is one way they catch manufactured spend.
At the end of the day, some merchants are providing every single detail of your transactions down to the line item and all that information is being tagged to you.
Thank you. One note about the «Very Embarrassing item»: all purchases (in context) are private.
But: if the "purchased item" column is filled in the database of the credit card expenses, it means that the shop receiving the payment has transmitted the information. This is an unrequired deliberate action... The credit card company could just receive "Card ...1234 to pay 20u to Acme Inc. shop". That the shop transmit further information to the credit card company is a further action that should be made transparent to the card owner.
AFAIK level 3 data is essentially receipt line item level data.
I'd actually find it pretty cool to get access to my own level 3 data for smarter budgeting/analysis (eg: automatic tracking of food stocks, separation of spend on luxury foods from basics etc), but I've not found a way to get access as an individual yet
Merchants seldom submit L3 data with transactions for stupid legacy tech reasons. The card schemes encourage them to do so with bips off scheme fees for doing so, but it’s a minority of transactions I think with even L2 data.
Yes, it was learning about this level of data collection that made me stop using my credit card for routine purchases and go back to using cash instead.
Add a physical shutter to cover the camera when it is not in use. (In addition to avoiding spying, such a cover can also sometimes avoid the camera being dirty that it would not work when you are trying to scan something.)
That's an extra moving part that will break, get jammed, or will trap dirt/particles between the cover and lens and effectively sand off the lens over time.
The solution is proper, enforced anti-spyware and anti-stalking legislation (so not the GDPR), not hardware band-aids that are trivially bypassed.
The real solution is a better software culture that looks like GNU/FOSS. Such a culture would generate laws like that if a problem persisted but likely wouldn't need them.
NFC. We have NFC tags embedded in single use tickets for travel and events, the cost is marginal and most of the uses relevant to card readers could reuse cards.
Does that mean I can request all the pictures of myself checking out at Starbucks under the GDPR/CCPA? Has anyone done that yet? If not, any idea why not?
There are two types of ignoring that's been very common with the american and swedish companies I've battled with.
1. Protection against law suits. We reserve the right to not delete any information you have, since if there's a law suit we would need that as proof.
2. Freedom of speech. We are a publisher, so by removing your personal information, our right to free speech is threatened and since this is a foundational legal principle, it overrides any GDPR laws.
I worked in the communications part of a lender. We couldn't delete anyone's texts or other correspondence for a number of years due to compliance requirements.
Adding to this, I tried to do the same thing and after providing uuid2 they said "we don't know where it is, but if it exists we will delete it" or something like that, which of course is ridiculous because you can f-ing access the database and access the unique identifier. I'm gonna do it again in some time and try to file another gdpr complaint as soon as they tell "me nooo we can't do that silly ahah"
This is news to me, although now that you mention it I do recall seeing a lens like thing on some of them. What are those for - I assumed it was for some payment method I am not using and therefore wouldn’t have to think about.
