March 25, 2023

Volume XIII, Number 84


March 24, 2023

Subscribe to Latest Legal News and Analysis

March 23, 2023

Subscribe to Latest Legal News and Analysis

FTC Asked to Investigate Google’s Matching of “Bricks to Clicks”

Recently, the Electronic Privacy Information Center (“EPIC”) asked the FTC to begin an investigation into a Google program called “Store Sales Management.”  The purpose of Store Sales Management is to allow for the matching goods purchased in physical brick and mortar stores to the clicking of online ads, or as we refer to the practice, “Bricks to Clicks.”

The significance of this is immense.  No longer will advertisers have to wonder how much revenue can be tied to a specific campaign, instead the Store Sales Management will give them insight into how actual consumers who viewed advertisements purchased certain products. 

The first paragraph of EPIC’s complaint provides an overview of what EPIC believes to be at stake:

This complaint concerns “Store Sales Measurement,” a consumer profiling technique pursued by the world’s largest Internet company to track consumers who make offline purchases. Google has collected billions of credit card transactions, containing personal customer information, from credit card companies, data brokers, and others and has linked those records with the activities of Internet users, including product searches and location searches. This data reveals sensitive information about consumer purchases, health, and private lives. According to Google, it can track about 70% of credit and debit card transactions in the United States.

Suzanne Blackburn, Google spokesperson, sent Ars Technica, a well-known technology focused website, a statement regarding the pending FTC complaint:

“We take privacy very seriously so it’s disappointing to see a number of inaccuracies in this complaint. We invested in building industry-leading privacy protections before launching this solution. All data is encrypted and aggregated—we don’t share or receive any identifiable credit card data whatsoever.”

Additionally Google stated that it only learns the “aggregate value” of several purchases, not individual ones, and that neither it nor the ad buyer knows where the individual clicks came from.

This is an evolving event, and one that is very important to the privacy community.  However, there are already some key takeaways that companies implementing similar programs may wish to consider:

  1. Consider privacy from the start. Google’s statement emphasizes that it invested in privacy protections from the beginning, and considered measures like encryption and aggregation.

  2. Understand internally what data streams are being accessed and related. Often, companies do not know what data they are taking in until there is an issue.  Considering exactly what is occurring at the leadership level will enable faster and more accurate responses in situations like Google’s.

  3. Be prepared to discuss what data the service exposes to third parties. Here, Google has already said that the purchases are exposed via an aggregate value and not linked to individual clicks.  Companies would be wise to consider how they would explain these issues to individuals who are being tracked as well as interested parties such as EPIC, and potentially the FTC, in advance.

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume VII, Number 220

About this Author

Brian H. Lam, Mintz Levin, software licensing lawyer, vendor agreements attorney

Brian Lam is a member of Mintz’s Privacy & Security Practice and Technology Transactions Practice. Brian focuses his practice on providing practical advice that enables companies to pursue their business in a competitive environment while reducing risk associated with the collection, use, storage, transfer, and potential loss of data. He frequently negotiates complex data-centric information technology agreements, and designs policies and corresponding controls for the implementation of best practices, compliance with state and federal law, and international considerations. He often...

Cynthia Larose Privacy Attorney Mintz Levin
Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...