What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://usa.visa.com/legal/privacy-policy.html', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': "Submit a data deletion request through Visa's privacy rights portal, specifically requesting deletion of inferred and derived data profiles. California residents may also request access to view the categories of inferences Visa holds about them.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has identified commercial surveillance and consumer profiling as enforcement priorities under Section 5 of the FTC Act, with particular focus on undisclosed or deceptive inferred data practices.', 'complaint_url': 'https://reportfraud.ftc.gov/'}, {'agency': 'State_AG', 'reason': 'The California Privacy Protection Agency and California AG have specific enforcement authority over CPRA rights regarding inferred data, including the right to access and delete consumer profiles.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this Collection of Inferred and Derived Data clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Collection of Inferred and Derived Data — Visa

Share 𝕏 Share in Share 🔒 PDF

What it is

Visa creates inferred profiles about you — including your preferences, behaviors, and characteristics — based on analysis of your transaction and other data, even if you never directly provided that information to Visa.

Consumer impact (what this means for users)

Visa builds behavioral profiles about you derived from your transaction history — including inferences about your preferences and lifestyle — which may be used in analytics and marketing products sold to third parties without your direct awareness.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Submit a data deletion request through Visa's privacy rights portal, specifically requesting deletion of inferred and derived data profiles. California residents may also request access to view the categories of inferences Visa holds about them.

Cross-platform context

See how other platforms handle Collection of Inferred and Derived Data and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Inferred data can be more sensitive and revealing than data you consciously share, and its creation and use in commercial products is a significant expansion of how your payment activity is monetized.

View original clause language

We collect information about you from various sources, including information we infer or derive about you based on the information we collect. This may include inferences drawn from your transaction data to create a profile about you reflecting your preferences, characteristics, behaviors, and attitudes.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: Inferred and derived data is explicitly included in CCPA/CPRA's definition of personal information (Cal. Civ. Code §1798.140(o)(1)(K)) as 'inferences drawn from any of the information identified in this subdivision to create a profile about a consumer.' CPRA established a new 'sensitive personal information' category that may capture certain inferences. GDPR Art. 4(4) defines profiling and Arts. 21–22 provide rights to object to profiling and restrictions on solely automated decisions with legal or significant effects. FTC Act Section 5 applies to undisclosed or deceptive profiling practices.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has identified commercial surveillance and consumer profiling as enforcement priorities under Section 5 of the FTC Act, with particular focus on undisclosed or deceptive inferred data practices.
File a complaint →
State AG

The California Privacy Protection Agency and California AG have specific enforcement authority over CPRA rights regarding inferred data, including the right to access and delete consumer profiles.
File a complaint →

Provision details

Document information

Document

Visa Privacy Notice

Entity

Visa

Document last updated

April 29, 2026

Tracking information

First tracked

April 27, 2026

Last verified

April 27, 2026

Record ID

CA-P-003384

Document ID

CA-D-00114

Evidence Provenance

Source URL

https://usa.visa.com/legal/privacy-policy.html

Wayback Machine

View archived versions →

SHA-256

0f3b20918fcde3434b1eb83f3ef5b6abd53b678f83f5a8ee823c96cbbe17c540

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Visa | Document: Visa Privacy Notice | Record: CA-P-003384
Captured: 2026-04-27 12:33:46 UTC | SHA-256: 0f3b20918fcde343…
URL: https://conductatlas.com/platform/visa/visa-privacy-notice/collection-of-inferred-and-derived-data/
Accessed: April 29, 2026

Classification

Severity

High

Collection of Inferred and Derived Data