August 22, 2017

August 21, 2017

Subscribe to Latest Legal News and Analysis

FTC Asked to Investigate Google’s Matching of “Bricks to Clicks”

Recently, the Electronic Privacy Information Center (“EPIC”) asked the FTC to begin an investigation into a Google program called “Store Sales Management.”  The purpose of Store Sales Management is to allow for the matching goods purchased in physical brick and mortar stores to the clicking of online ads, or as we refer to the practice, “Bricks to Clicks.”

The significance of this is immense.  No longer will advertisers have to wonder how much revenue can be tied to a specific campaign, instead the Store Sales Management will give them insight into how actual consumers who viewed advertisements purchased certain products. 

The first paragraph of EPIC’s complaint provides an overview of what EPIC believes to be at stake:

This complaint concerns “Store Sales Measurement,” a consumer profiling technique pursued by the world’s largest Internet company to track consumers who make offline purchases. Google has collected billions of credit card transactions, containing personal customer information, from credit card companies, data brokers, and others and has linked those records with the activities of Internet users, including product searches and location searches. This data reveals sensitive information about consumer purchases, health, and private lives. According to Google, it can track about 70% of credit and debit card transactions in the United States.

Suzanne Blackburn, Google spokesperson, sent Ars Technica, a well-known technology focused website, a statement regarding the pending FTC complaint:

“We take privacy very seriously so it’s disappointing to see a number of inaccuracies in this complaint. We invested in building industry-leading privacy protections before launching this solution. All data is encrypted and aggregated—we don’t share or receive any identifiable credit card data whatsoever.”

Additionally Google stated that it only learns the “aggregate value” of several purchases, not individual ones, and that neither it nor the ad buyer knows where the individual clicks came from.

This is an evolving event, and one that is very important to the privacy community.  However, there are already some key takeaways that companies implementing similar programs may wish to consider:

  1. Consider privacy from the start. Google’s statement emphasizes that it invested in privacy protections from the beginning, and considered measures like encryption and aggregation.

  2. Understand internally what data streams are being accessed and related. Often, companies do not know what data they are taking in until there is an issue.  Considering exactly what is occurring at the leadership level will enable faster and more accurate responses in situations like Google’s.

  3. Be prepared to discuss what data the service exposes to third parties. Here, Google has already said that the purchases are exposed via an aggregate value and not linked to individual clicks.  Companies would be wise to consider how they would explain these issues to individuals who are being tracked as well as interested parties such as EPIC, and potentially the FTC, in advance.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Associate

Brian has extensive experience in patent litigation and intellectual property matters, as well as privacy and data protection matters, particularly as to data aggregation, network security, and technology transactions. Beyond counseling on compliance, incident response, and data privacy and protection, Brian has advised on technology-centric agreements, licensing issues, open source software licensing, vendor agreements, and hosting agreements, and analyzed patent portfolios for potential assertion or freedom to operate. He is a Certified Information Privacy Professional...

858.314.1583
Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP).  She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.

617-348-1732