Even if the time resolution is 5 minutes, and the spacial resolution is only enough to identify which stores I visit, that is enough to identify me. If I go to the mall, stop by and get a coffee, wander around for a while, then make another purchase in another store, using my credit card both times, I may very well be the only person who made purchases at those two stores within a 5 minute window at each store. Each purchase makes it more likely to be unique. Now if I put on dark glasses and a baseball cap and stop by Victoria's Secret to buy some lingerie for my mistress, with cash, it's possible to link that to me via your path data.
you had me concerned for a minute! but then i thought about it, and i realised that if you take a venn diagram of the set of credit card purchases (assuming a subpoena has obtained full details), and a venn diagram of the set of paths (from WIFI or other method), what you get if you take the AND of those is no more than what was obtained from the credit card details.
in other words, your privacy has already been violated by a subpoena for the *credit card* details in ways that a subpoena for the path details could not possibly hope to match or add any information to that is *not already known* from the credit card subpoena. except for some outliers... discussed below:
what you get if you *remove* the set of location/time-cross-referenced credit card purchases from the set of "paths" is actually much more interesting. scenarios where the two data sets do not match would include where someone borrowed your credit card (with or without permission), or cloned it.
we're beginning to get into quite complex territory here, but let's say that someone stole your credit card. let's assume that the thief also has a mobile phone. let's say that they (rather stupidly) use the credit card in the same store to make multiple purchases. *then* you have a situation where it woud sort-of be possible to narrow down the numbers from *maybe* 10,000 possible candidates down to say 2,000 possible candidates, down to maybe 100, with each extra piece of information (assuming WIFI / GSM not say camera tracking) ... and at the end of that, what you would have would be a set of anonymised pieces of information, all of which you *still* could not identify the thief - based purely on the path information (even if you add the credit card details) - because of the salted hash. (if you actually caught them then it's still dicey but you *might* be able to provide some "statistically-dubious" circumstantial evidence but it would require an additional subpoena to the mobile phone company to get them to provide the TMSIs... it's complicated, but TMSI stands for *TEMPORARY* mobile subscriber identity - it's 32-bit and it changes something like once every 24-72 hours. i do not know if mobile phone operators keep records of the TMSIs allocated to phones, but it would be unlikely that they bother, as it's something that the base station cell towers allocate locally. WIFI on the other hand would be a different matter, as MAC addresses typically do not change).
so about the only thing you _could_ do was to notice that the credit card was no longer "in proximity" with the mobile phone "path" information and perhaps report it to the credit card company. *but*, bear in mind that it's on a 20 metre radius and on a 5-15 minute "ping" and it's pretty touch-and-go as to whether the information would be in time to stop fraudulent purchases... or even if it would be correct (not a false positive).
now, with this visual tracking stuff, you *might* have better luck (assuming it's ok to run a beowulf cluster on-site within the shopping mall premises), but i have serious doubts that it's within reasonable cost for deployment.
the only thing i can think of, if you are genuinely genuinely concerned about privacy:
(a) take the battery out of your phone or better leave it behind entirely
(b) use cash as long as it's not an attention-seeking amount
(c) if you can't use cash get prepaid credit cards (plural) and use one per purchase.
but, bottom line: really, if a court has access to the credit card details (times, stores and purchases) they *genuinely* have access to far more accurate information than what may be obtained from such sparse and positionally-broad GSM / WIFI tracking, and in the majority of cases i think you'll find that the addition of that information as a dataset to what can be obtained from credit card subpoenas really _really_ isn't hugely useful.