Banks have access to a treasure trove of data about their customers and their habits. What data they’re allowed to access, and what they do with it, is an increasingly pressing question as more payments go digital.

This came up recently in the Netherlands, one of the most cashless (and, perhaps, open minded) countries in Europe. The Dutch Data Protection Authority (or AP, its Dutch acronym) said it had heard from many people who are concerned about banks using their payment data to deliver personalized advertising. The privacy watchdog said in a letter (in Dutch) to the Dutch Banking Association (NVB) that it was concerned about non-financial information that gets recorded, such as location, time, and the payer and receiver of transactions.

These “data can thus refer to payment transactions with hospitals, pharmacies, casinos, sex clubs or otherwise, from which special personal data and other sensitive data can be derived,” the AP said in an appendix to the letter. The information could also be used to expose things like memberships of religious institutions, trade unions, or political parties, which could pose a risk to the rights and freedoms of bank customers.

The data watchdog appeared to be referring to Amsterdam-based ING, which was reportedly planning to use customer payment data to send them more relevant text message and email offers. The bank said in an email that it was in talks with the regulator and that does not currently “send its customers personal offers for relevant ING products and services based on transaction data, and will not start these practices for the time being either.”

Cash is still the state of the art (Quartz member exclusive) when it comes to payment privacy, but people around the world are switching to payment cards and smartphones for a growing share of their transactions. Electronic money is convenient and can help reduce crime and money laundering, but it also enables surveillance and new types of fraud.

And while most people probably aren’t that worried about governments or companies snooping on their daily coffee purchase, it’s clear that there are risks. In a recent example, Quartz reported that protestors in Hong Kong queued up to buy transit cards in cash to prevent the government from using electronic payment data to trace their activities and press charges (which is what happened during the Umbrella Movement protests in 2014).

Debates about transaction privacy could have a major impact on how the financial industry evolves. Many fintech startups see data collection as a way to offer more personalized, helpful financial advice and services for customers. Some hope to one day provide a kind of self-driving money that automatically suggests when to refinance a mortgage or change utilities. Banks are also building systems that use payments data to assess creditworthiness for loans.

The prospects for this strategy will depend on whether consumers and regulators are creeped out by it. Facebook, which is developing a cryptocurrency called Libra, says it won’t collect transaction data from the payment system, but the social network will still have access other types of information that come from engaging with its apps.

Digital money like bitcoin, which can process peer-to-peer transactions outside the financial system, can provide some degree of privacy, but these systems generally haven’t caught on with consumers for making payments. Since most people appear to value convenience over anonymity for their payments, it seems likely that it will fall to regulators to determine the limits of how our transaction data are stored and used in an increasingly digital world.