Living with credit, Protecting yourself, Shopping

Google plan to track card data outrages privacy activists

Kelly Dilworth

Google has started tracking what you buy with your credit and debit cards so that it can convince retailers that its targeted ads are persuading you to spend more. While this helps marketers, privacy activists – and everyday consumers like myself – are less than thrilled.

Google announced the controversial new tool in late May in a blog post intended for advertisers. The new tool allows marketers to peer into people’s web viewing and in-store purchasing behaviors to monitor the effectiveness of their ad spending far more deeply than ever before.

“You need to know: Are my online ads ringing my cash register?” wrote Sridhar Ramaswamy, senior vice president of ads and commerce at Google, in an AdWords blog. “In the coming months, we’ll be rolling out ‘store sales measurement’ at the device and campaign levels. This will allow you to measure in-store revenue in addition to the store visits delivered by your Search and Shopping ads.”

While the new tool is a potential game changer for marketers who, until recently, have had a hard time gauging how well their ads were working, for people like me who already feel unsettled by the creepy specificity of online ads, Google’s latest move feels downright disconcerting.

By following people offline and collecting information about their real world habits, Google is amassing a formidable amount of information about its users – most of whom Google already knows a ton about. In addition to its latest AdWords project, Google has been quietly collecting information culled from people’s Google searches and Google accounts for years.

Google’s “store sales measurement” tool has already come under fire from privacy advocates who worry that Google is going too far by tracking people’s real-world purchases.

“The one thing people regularly state as ‘creepy’ online is when an advert follows them around on the Internet,” said British privacy advocate Renate Samson in an interview with the BBC. “These plans appear to extend ‘creepy’ into the physical world.”

Unlike traditional web tracking tools that look at whether you clicked on an online ad and then purchased that product online, this tool tracks what happens – through your card transactions – when you visit a brick-and-mortar store. For example, if you search Google for washing machine reviews and click on an appliance store’s ad, then visit that store sometime later in the week, the service could record whether you actually bought a new appliance with your credit or debit card.

Google says the data it sells to retailers is anonymous and aggregated so won’t reveal your identity or spill secrets about what you bought.

Google also says it has safeguarded users’ privacy by restricting the information shared between Google and its partners. For example, a Google executive told The Washington Post that it doesn’t know the names of specific cardholders and it doesn’t share card details, such as how much an item cost.

But despite that protective shield, privacy advocates have expressed concern about Google’s ability to match people’s web browsing activities to their specific transactions – even if it doesn’t share that specific information with retailers or look up people’s identities.

Just by collecting such a large amount of information, Google is opening a door that we may eventually wish it had kept shut. After all, even if Google never shares all the data it collects, does anyone really want a private internet company to know how you are using your credit and debit cards? I’m not sure I do – especially since I can’t guarantee that information will stay behind a protective door.

“What we have learned is that it’s extremely difficult to anonymize data,” said Privacy Rights Clearinghouse’s Paul Stephens in an interview with The Washington Post. “If you care about your privacy, you definitely need to be concerned.”

Privacy advocates are especially concerned that hackers could potentially uncover people’s identities – particularly since it doesn’t take much to match a person’s identity to his or her credit card transactions.

Previous research has found that hackers can figure out a cardholder’s identity just by looking at anonymous transaction data and piecing together a few publicly available data points, such as Facebook posts or tweets.

Google’s tool is similar to a Facebook tool that also uses encrypted transaction data and customer information to help retailers zero in on what people are buying offline after they view an ad online. Facebook’s tool relies on spending data and customer details, such as email addresses and phone numbers, that retailers supply themselves.

Typically, retailers obtain that kind of information when customers sign up for retail loyalty programs and allow their purchases to be monitored in exchange for discounts. Facebook also uses location tracking to determine if a Facebook user has visited a particular store.

Google, by contrast, uses credit card and debit card transaction data it purchased from undisclosed third parties. According to Google, its third-party partners have access to around 70 percent of all credit and debit card transactions that occur in the United States – including in-store purchases.

What this means: Even if you turn off location tracking services on your smartphone and decline to sign up for retail loyalty programs that ask for your personal information and track your spending, the credit and debit card transactions you make in person could still get scooped up and analyzed by Google. Retailers also have the option of loading data they acquired through loyalty programs.

To avoid having your web history matched with your transaction history, you’ll need to opt out of Google’s personalized ad program. If you’re really worried, you can also safeguard your privacy by using cash for at least some or all of your purchases.

But as privacy advocates have lamented in the past, it’s next to impossible to protect your privacy from similar types of data collection completely. As the Privacy Rights Clearinghouse’s Stephens noted in a 2013 story I wrote about data brokers (see: 12 creepy details data collectors know about you), data collectors are everywhere and have access to a surprising amount of information about us all.

“Unfortunately it’s really, really difficult to avoid the information collection,” Stephens told me. “Because unless you live on an island in the middle of the ocean, you’re constantly going to be engaging in activities that at least to some extent are going to be sold to others.”

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

  • Devin Salisbury