Recently, the Electronic Privacy Information Center (“EPIC”) asked the FTC to begin an investigation into a Google program called “Store Sales Management.” The purpose of Store Sales Management is to allow for the matching goods purchased in physical brick and mortar stores to the clicking of online ads, or as we refer to the practice, “Bricks to Clicks.”
The significance of this is immense. No longer will advertisers have to wonder how much revenue can be tied to a specific campaign, instead the Store Sales Management will give them insight into how actual consumers who viewed advertisements purchased certain products.
The first paragraph of EPIC’s complaint provides an overview of what EPIC believes to be at stake:
This complaint concerns “Store Sales Measurement,” a consumer profiling technique pursued by the world’s largest Internet company to track consumers who make offline purchases. Google has collected billions of credit card transactions, containing personal customer information, from credit card companies, data brokers, and others and has linked those records with the activities of Internet users, including product searches and location searches. This data reveals sensitive information about consumer purchases, health, and private lives. According to Google, it can track about 70% of credit and debit card transactions in the United States.
Suzanne Blackburn, Google spokesperson, sent Ars Technica, a well-known technology focused website, a statement regarding the pending FTC complaint:
“We take privacy very seriously so it’s disappointing to see a number of inaccuracies in this complaint. We invested in building industry-leading privacy protections before launching this solution. All data is encrypted and aggregated—we don’t share or receive any identifiable credit card data whatsoever.”
Additionally Google stated that it only learns the “aggregate value” of several purchases, not individual ones, and that neither it nor the ad buyer knows where the individual clicks came from.
This is an evolving event, and one that is very important to the privacy community. However, there are already some key takeaways that companies implementing similar programs may wish to consider:
Consider privacy from the start. Google’s statement emphasizes that it invested in privacy protections from the beginning, and considered measures like encryption and aggregation.
Understand internally what data streams are being accessed and related. Often, companies do not know what data they are taking in until there is an issue. Considering exactly what is occurring at the leadership level will enable faster and more accurate responses in situations like Google’s.
Be prepared to discuss what data the service exposes to third parties. Here, Google has already said that the purchases are exposed via an aggregate value and not linked to individual clicks. Companies would be wise to consider how they would explain these issues to individuals who are being tracked as well as interested parties such as EPIC, and potentially the FTC, in advance.