'Is that even legal?': Companies may be sharing new credit or debit card information without you knowing

A Vancouver woman is sounding the alarm for millions of Canadians who have credit and debit cards, after information about her debit card was shared when it shouldn't have been.

Vanessa Acua blames an "updating service" that some credit and debit card companies have that allows new account numbers and expiry dates to be shared with merchants customers have dealt with in the past.

Information about the sharing of this kind of information with third party companies is often buried in the fine print of bank and credit card agreements.

• Been wronged?Contact Rosa and the Go Public team

She thought the details of her Visa debit card a debit card that can be used for online purchases were secure.

"[I thought], 'How is this legal?'" Acua said after discovering PayPal was given the new expiry date on her Visa debit card without her knowledge.

Visa and other major credit cards have "updater" programs, that automatically provide updatedcustomer credit card information to subscribing merchants, including account numbers and expiry dates.

Companies automatically opt-in their customers to the service, whether they realize it or not.

The program is meant to be a convenience for customers and help merchants avoid missed payments on recurring bills.

"I have huge privacy concerns I would really prefer that they tell you and give you an option to opt out of it. But that's not what they did."

The merchants who get the automatic updates pay for the service.

Thomas Keenan, author of TechnoCreep a book about how technology is eroding privacy says financial institutions need to ask themselves if they should be making money by sharing customers' information.

"Banks make a business out of information sharing. They actually have services Visa, MasterCard and they are paid to share that information," said Keenan.

Acua believes that updater service is the reason the online payment system got her card information when it shouldn't have but when she tried to find out why it happened, she couldn't.

'The bank wouldn't do that'

Acua thought what happened to her private information was her decision, when PayPal sent an email in March asking her to update her debit card's expiry date.

She says she ignored the request, since she opened the account five years ago and rarely shops online and didn't want PayPalto have her new card information.

"Two days afterwards, I got another email saying, 'Oh we updated for you, so you don't have to.' And I just thought 'what?'" Acua said.

She spent hours on the phone withTD Canada Trust, PayPal and Visa Canada,but instead of getting an explanation, she got three different answers.

PayPal told Acua it got her new expiry date from her "financial institution or her credit card company."

Visa and TD both denied giving PayPal thatinformation.

"[They said] they don't know who gave PayPal my information, which I don't think is a very good answer," Acua said.

PayPal backtracks

It turns out Acua's information shouldn't have been shared at all, since only Visa credit not debit cards are part of the updating agreement with TD.

Yet, none of the three companies involved will explain how hernew debit card data ended up with PayPal.

After initially telling Go Public it got Acua's information from the "account update services," PayPal backtracked a few days later, saying the account updater service "doesn't apply" in Acua's case.

So, how did PayPal get her new expiry date? It won't say, citing customer confidentiality even though Acua agreed to waive confidentiality to allow the company to answer Go Public's questions.

Visa Canada and TD also won't say who gave her card's new expiry date to PayPal.

"Visa does not automatically update expiry date information on behalf of TD Visa debit cardholders," a Visa spokesperson said in an email."Please refer your questions to PayPal."

"TD has no ability to automatically update expiry date information with merchants on behalf of TD Visa debit cardholders. For more information about the service, we recommend reaching out to Visa," wrote Geraldine Anderson from the bank's public relations department.

'Totally unacceptable'

The lack of answers is why banks and credit card companies shouldn't be sharing anycredit or debit card informationwithout clear consent from customers, says Ann Cavoukian, who heads up the Privacy by Design Centre of Excellence at Ryerson University in Toronto.

"It's totally unacceptable," said Cavoukian, who worked as Ontario's information and privacy commissioner from 1997-2014.

"PayPal is one thing. But your own personal bank where your financial info is stored and kept? As I keep telling businesses, this is not your information. The information belongs to the individual."

She wants to see banks get what she calls "positive informed consent" before providinga third party with a customer'sinformation.

"The banks have to step up and do this. They can't just assume you're OK with them sharing your new credit information."

Cavoukian wants to see Canada's privacy legislation, the Personal Information Protection and Electronic Documents Act, upgraded to match the one the European Union introduced in May. The General Data Protection Regulation is considered to have some of the world's strictest online privacy rules.

For now, if customers want to stop merchants from getting updated credit card information, they have to opt out through their banks although it's unclear if that would have helped Acua.

"I'm capable of putting in my information online if I need to. It's not a hassle for me, so I definitely would like the option," Acua said

She says from now on, she'll take the time to read through all the legalese on those lengthy card agreements, and make sure she opts out of anything that allows financial institutions to share her information with third parties.