The Digital Commerce Alliance board of directors convened a task force to explore different approaches to financial data and payment data across its member companies. Utilizing a consultative and collaborative approach, this task force interviewed and met with member companies including merchants, payment processors, card-issuing banks, payment networks, digital advertising publishers and legal/regulatory experts. Recognizing the different approaches to financial data among different regions and industries, the task force focused on identifying the common principles shared by member companies. The result of this work is the Consumer Data Principles. These principles establish a common aspirational and flexible framework for the use of consumer financial data.
Focused on driving trust, security and innovation.
The principles outlined in this framework promote fair, efficient and effective use of consumer data across all industries that have access to consumer financial data. The principles are designed to support DCA members’ implementation of data-driven products and to inform policymakers.
“We acknowledge that there exist significant complexities and different regional, national and global regulatory approaches to consumer financial data. These new principles reflect the combined aspiration of our members to implement common industry best practices and standards for the safe and effective use of financial data. CardLinx members understand the importance of establishing consumer data rights as an integral component to the continued growth and innovation in our industry.”
Silvio Tavares, Chairman of the Board of Directors
Consumer Data Transparency Rights
The Right to Transparency
Consumers shall have the right to be provided with clear understandable statements that help inform them about financial data collection, use, sharing, and retention in connection with their enrollment in a third-party program that includes such data. This includes being presented with a clear notice about the purpose of the data collection and the context of the relationship between the consumer and the company requesting enrollment of their credit/debit card in the program.
The Right to Consent
Consumers who enroll in a program shall have the right to be presented with an explicit consent, for example, similar to the CardLinx Consent Honeybee Standard, that helps them understand the purpose of processing their personal credit/debit card details within the context of the relationship between the individual to whom the data pertains and the organization requesting the enrollment of the credit/debit card.
The Right to Consumer Choice and Control
Companies that provide programs to consumers with enrolled debit/credit cards shall have appropriate controls to allow a consumer the right to have a choice over how their financial and associated data is used, and to limit disclosure. Unless required to perform the service, and where it is not covered under a company’s privacy statement or a law enforcement request, consumers should also have the right to know what personal financial and associated data is disclosed to third parties, to request that such disclosure not take place, or to prohibit marketing of personal data.
The Right to Access
Consumers shall have the right to reasonable access to the personal data held by the organization providing the program in which the consumer has enrolled, including observational data, inferences derived from browsing history, social media, or location tracking.
The Right to Data Portability
Consumers shall have the right to receive a copy of their personal financial data from the company providing the program (in which the consumer has enrolled) in a portable, commonly used and machine-readable format.
The Right to Correct and Delete Data
Consumers shall have the right to ensure that financial and associated data is correct and accurate. Consumers shall also have, where reasonable, the right to correct inaccuracies in such data and to have such data deleted.
The Right to Data Security
Consumers shall have the right to ensure that their data is appropriately secured in a way that is commensurate with the sensitivity of the data and current/established standards.