The Protecting Privacy in Purchases Act prohibits payment card networks and covered entities (acquirers, processors, and their agents) from requiring or assigning merchant category codes (MCCs) that identify a merchant as a firearms retailer distinct from a general-merchandise or sporting-goods retailer. It defines covered entities and firearms retailers, preempts any state or local regulation on MCCs for firearm sellers, and assigns enforcement to the U.S. Attorney General.
Professionals in payments, merchant services, compliance, and retail should pay attention: the bill removes one categorical data point used in underwriting, risk monitoring, and analytics, replaces state-level variation with a single federal rule, and limits remedies to DOJ-driven notices and injunctions rather than private lawsuits or statutory fines. That combination creates operational, compliance, and enforcement trade-offs for networks, acquiring banks, and regulators alike.
At a Glance
What It Does
The bill bars payment card networks from requiring merchants to use — and bars covered entities from assigning — an ISO-format merchant category code that singles out a firearms retailer as distinct from a general-merchandise or sporting-goods retailer. It centralizes enforcement with the Attorney General, who must create a complaint process within 90 days, investigate complaints, issue written notices requiring remediation within 30 days, and seek injunctions if violations persist.
Who It Affects
Primary targets are payment card networks, acquiring banks, processors, and agents that assign MCCs; merchants that sell firearms either as a primary business or as part of broader retail; and downstream analytics vendors and card issuers that consume MCC data for underwriting, fraud monitoring, or merchant segmentation.
Why It Matters
By removing a discrete classification label the payments ecosystem has used for routing, pricing, and risk scoring, the bill prioritizes purchaser privacy but constrains the data available for fraud detection, compliance, and commercial decisions. It also establishes a federal floor by preempting state and local MCC rules, shifting disputes into the Department of Justice and federal courts.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
This bill targets how merchants that sell firearms are coded in the payments system. Under current practice, merchants receive a multi‑digit merchant category code (MCC) — an ISO-issued classification — that identifies the type of business.
The Protecting Privacy in Purchases Act prohibits payment card networks from demanding that a merchant use an MCC that labels it as a firearms retailer and prohibits covered entities (acquirers, processors, or their agents) from assigning an MCC that distinguishes firearms sellers from general-merchandise or sporting-goods sellers. The prohibition is categorical: networks may not require the use, and covered entities may not assign, a distinguishing MCC for firearms retailers.
The bill establishes the Attorney General as the enforcer. The Attorney General must create a public complaint process within 90 days of enactment, investigate complaints brought through that process, and issue written notices when it finds violations.
Notices require the network or covered entity to remedy the violation within 30 days; failure to comply allows the Department of Justice to seek injunctive relief in federal court. The Act explicitly disallows private lawsuits alleging violations, so affected merchants or consumers cannot bring their own actions under the statute.The law also preempts state and local regulation that would govern use or assignment of MCCs for firearms retailers, replacing a patchwork of local rules with a single federal prohibition.
Finally, the bill contains an annual reporting obligation: the Attorney General must tell Congress how many investigations occurred, summarize outcomes, and provide any available data about whether the law is working. The definitions section borrows existing federal definitions for 'firearm' and 'ammunition,' defines 'merchant category code' as the ISO multi-digit classification, and paints a broad picture of 'covered entity' to include direct processors and entities that establish relationships for transaction processing.Practically, the law removes one clear merchant-level flag from the payment-transaction metadata available to issuers, acquirers, analytics firms, and regulators.
Networks and processors will need to update onboarding and coding rules; merchants that sell firearms as part of broader inventory may see fewer instances of being coded differently; and state or local authorities lose the ability to require distinct MCCs. Enforcement is administrative and injunctive rather than remedial by private right or statutory damages, which shapes how disputes will be resolved and how quickly corrections must occur.
The Five Things You Need to Know
The bill prohibits payment card networks from requiring — and covered entities from assigning — any merchant category code that distinguishes a firearms retailer from a general‑merchandise or sporting‑goods retailer.
The Attorney General must establish a public complaint process within 90 days of enactment and investigate complaints submitted under that process.
If DOJ finds a violation it must send a written notice requiring correction within 30 days; failure to remedy authorizes DOJ to seek an injunction in federal court.
The Act preempts any state or local law regulating MCCs for firearm retailers and expressly bars a private right of action under the statute.
The Attorney General must submit an annual report to Congress listing the number of investigations, case summaries and any available data on the law’s effectiveness.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Names the statute the 'Protecting Privacy in Purchases Act.' This is a captionary provision with no operative effect, but it signals the bill’s framing: the sponsor intends the measure as a privacy protection focused on purchase metadata.
Prohibition on distinguishing merchant category codes
Subsection (a) contains the core operational rule. It splits two duties: payment card networks may not require a firearms retailer to use an MCC that identifies it as such, and covered entities (acquirers, processors, or agents) may not assign an MCC that distinguishes firearms retailers from general‑merchandise or sporting‑goods retailers. Practically, networks must not impose a policy that forces a merchant to accept a firearms‑specific MCC, and acquirers must not set that code on a merchant record. The wording targets MCCs specifically — ISO multi‑digit merchant classifications — rather than broader transaction descriptors, but it covers both direct assigners and intermediary agents that establish processing relationships.
Enforcement by the Attorney General
Subsection (b) vests enforcement authority in the Attorney General. DOJ must create a complaint intake process within 90 days, investigate each complaint filed through that process, and issue written notices when it finds a violation. Notices obligate the network or covered entity to cure the violation within 30 days. If the entity fails to comply, the Attorney General may file for an injunction in federal court to stop the offending practice. The statute explicitly denies a private right of action, so individuals and merchants cannot sue under this law — enforcement is driven by federal prosecutors and injunctive relief rather than statutory damages or private remedies.
Preemption of state and local MCC rules
Subsection (c) preempts any state or local law that would regulate merchant category codes for firearm retailers. That language eliminates local legislative or regulatory attempts to require distinguishing MCCs and replaces them with a nationwide federal standard. The provision reduces compliance fragmentation for networks operating across jurisdictions but also removes a lever that municipalities or states might use to track or regulate firearms-related commerce.
Annual reporting to Congress
Subsection (d) requires the Attorney General to report to Congress yearly on enforcement activity: total investigations, summaries of cases and dispositions, and any available data assessing the law’s effectiveness. The report requirement creates a legislative feedback loop but does not prescribe specific metrics or data collection methods, leaving DOJ discretion over how to evaluate impact.
Key definitions
Subsection (e) defines 'merchant category code' as the ISO multi‑digit classification used to categorize merchants, 'covered entity' broadly to include entities that establish relationships for processing credit, debit, or prepaid transactions (and entities that establish such relationships on behalf of others), and borrows federal definitions of 'firearm' and 'ammunition.' The breadth of 'covered entity' means both acquirers and third‑party processors and agents fall within the prohibition, expanding the operational scope beyond only major networks.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Firearms retailers — They avoid being assigned a discrete MCC label that could single them out for differential pricing, higher processing fees, account restrictions, or public exposure of sales activity.
- Consumers who purchase firearms — The removal of an MCC that explicitly flags firearm merchants reduces a persistent, merchant-level data point that could be used to profile or track purchase behavior at the card-transaction level.
- Retailers that sell firearms as part of broader inventory — General‑merchandise and sporting‑goods stores that occasionally sell firearms will be less likely to be recoded into a stigmatized category that affects acceptance or rates.
- Privacy and civil‑liberties advocates — Organizations focused on transactional privacy gain a concrete limitation on a payment‑industry practice that has been used to segment and monitor certain categories of purchases.
Who Bears the Cost
- Payment card networks — They must alter rulebooks, merchant onboarding requirements, and network policies to remove any mandate or default that leads to firearms‑specific MCC assignment.
- Acquiring banks and processors (covered entities) — Those entities must change their merchant classification workflows and may lose a straightforward data point used in underwriting, risk scoring, and fraud detection.
- Compliance and fraud teams at issuers and processors — Teams that rely on MCCs for screening, red‑flagging, or monitoring will need to redesign detection models and find alternative indicators.
- State and local governments — Jurisdictions that wanted to require distinct MCCs as a policy or enforcement tool lose that authority due to federal preemption.
- Department of Justice — DOJ gains the enforcement workload (complaint intake, investigations, notice issuance, litigation) without the statute providing dedicated funding or civil penalty revenue, absorbing operational costs into existing budgets.
Key Issues
The Core Tension
The central dilemma is the trade‑off between protecting purchaser privacy by removing an explicit merchant‑level flag versus preserving payment‑system functionality that uses merchant classification for risk management, compliance, pricing and routing. Eliminating a discrete data point protects privacy but forces networks, banks, and regulators to find alternative signals — and those alternatives may be more opaque or harder to regulate than an explicit MCC.
The bill protects a specific piece of payments metadata — ISO merchant category codes — but it leaves open many operational questions. It does not restrict networks or processors from using other identifiers, sub‑classifications, merchant descriptors, or internal risk tags that can serve the same practical purposes as an MCC.
As a result, networks could comply with the letter of the law while preserving functional distinctions using alternate fields, potentially undermining the privacy objective. The law targets MCCs specifically, which helps define scope, but also encourages workaround behavior unless regulators and DOJ scrutinize secondary signaling methods.
Enforcement is structured around DOJ administration and injunctive relief rather than monetary penalties or private litigation. That choice narrows remedies: the Attorney General can order correction and, failing that, seek an injunction, but the statute does not authorize fines or provide victims a private claim for damages.
That design reduces the risk of a flood of private lawsuits but places heavy reliance on DOJ capacity and priorities. Another unresolved issue is legal clarity: the statute bars MCCs that 'distinguish' firearms retailers from general‑merchandise or sporting‑goods retailers, but it does not define what degree or method of distinguishing is prohibited.
Ambiguities about classification thresholds, mixed‑use merchants, and how to treat marketplace sellers will generate interpretive disputes and likely test litigation over vagueness and scope.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.