The Green Sheet Online Edition

March 11, 2024 • Issue 24:03:01

Legal ease: Who owns this data?

By Adam Atlas
Attorney at Law

Data ain't what it used to be. The New York Times is suing AI-giant OpenAI for copyright infringement because it alleges that ChatGPT by OpenAI is able to operate in part because it has used NYT data. That case is emblematic of the value of data in today's business market.

Payments data also has tremendous value. ISOs help create that data and are well-positioned to capitalize on it. Meanwhile, states are ratcheting up privacy laws to protect the privacy of consumers.

The purpose of this article is to highlight some of the legal considerations for an ISO or payment processor in the hot field of data rights management.

What data do payments generate?

For better or for worse, it's hard to think of any speck of data that isn't somehow tied to payments. I'll avoid going on a (hypocritical) rant about how the digerati have financialized everything from putting air in the tires of your car to reading the news.

Data fields generated by a typical payment go well beyond the purchase price and payment card number.

They include location information, shopping cart contents, email address, device ID, age of the purchaser, home address, mouse movements and—in the world of VR—eyeball movements over the page.

In short, we kick off reams of data wherever we go, particularly in consumer purchase transactions.

Who owns data generated by payments?

Every payment will have a specific set of data fields and will also likely have a coterie of entities clamoring for rights in the same data, including the merchant, shopping platform, advertiser who brought the consumer to the merchant, fraud screening service, gateway, processor, acquirer, issuing bank, commercial bank and others.

Traditionally, card transaction information belongs to the acquiring bank, but others inevitably pick up rights in the same data by driving merchants and consumers through their own terms and conditions or embedding their own terms in others' terms.

Increasingly, state law prohibits the collection, storage, processing, use or disclosure of individual consumer data without express consent of the consumer. For example, the California Consumer Privacy Act of 2018 (CCPA) provides the following rights for California consumers:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale or sharing of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

Compliance with new state privacy laws is being managed through various opt-in buttons and consents woven into the consumer experience. The result is a mixed bag of providers obtaining various degrees of legitimate title in various breadcrumbs of consumer data related to payments.

Many ISOs and acquirers do not contract directly with the consumer. Their title in transaction data therefore relates mostly to the necessity to take possession of card payment information for the purpose of processing merchant transactions.

However, some payment platforms, like PayPal, Stripe and others, encourage consumers to have a login to the portal, thereby creating a direct relationship between the payment processor and the paying consumer. These payment platforms engage on both the consumer and merchant ends of transactions and are able to acquire more data than those that service only one end.

Curiously, most acquirers and processors and some ISOs pick up rights in data related to card payments, such as the name of the payor and the amount paid, but they do not pick up rights in information related to what the consumer actually purchased—which is the holy grail of commercial data. An acquiring bank, processor and ISO know that a person spent $100 at Walmart, but they do not know what that person bought.

Online sellers are now obligated to collect and remit state sales tax. When a Florida fruit basket is sent to New York, the Florida seller has to collect and remit New York state sales tax. Calculating the amount of tax on such sales is complicated, as taxes may differ depending on what is purchased (for example, diapers versus beer) as well as where the products are sold (New York versus a native tribal land) and when it is purchased (tax-free Tuesday).

A new set of service providers has come along to help merchants sort all this out with APIs. Curiously, sales tax compliance providers need to peer into the consumer's shopping basket to calculate the taxes payable. Ironically, sales tax compliance platforms may be picking up more data on consumer habits than payment processors that handle funds and carry risk on the payment transactions behind the purchases.

Concluding on title in data, the answer lies in what consents the consumer and merchant have given to the processor, acquirer and ISO to collect, store, process, use and disclose their data. Without those consents in place a party's rights in data are tenuous.

What can an ISO do with data?

ISO rights in data are a function of the consents the data subjects have given. For example, if a merchant has opted in to receive commercial solicitation by the ISO for additional services, then the ISO can use merchant contact information for that kind of solicitation.

If the merchant has given the ISO a more comprehensive consent—covering processing and banking information—the ISO might have the right to use that information to tailor offers, such as cash management.

With the benefit of AI, ISOs may be able to process merchant data in which they have rights to generate new value for merchants in areas such as risk management, marketing and pricing.

Today's reality is that there is more value in data than there ever has been before. The challenge for ISOs is to become the rightful holder of rights in the data (that is, do better than OpenAI) and then apply powerful tools to add value to the merchant experience, which is a cornerstone of any merchant services business. The flip side of collecting data and generating value with the data is, of course, security.

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law, email: atlas@adamatlas.com, Tel. 514-842-0886.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
