A prominent privacy rights watchdog is asking the Federal Trade Commission to investigate a new Google advertising program that ties shoppers’ online behavior to their purchases in physical stores.

The legal complaint from the Electronic Privacy Information Center, to be filed with the FTC on Monday, alleges that Google is newly gaining access to a trove of highly sensitive information — the credit and debit card purchase records of the majority of U.S. consumers — without revealing how it got the information or giving people meaningful ways to opt out. Moreover, the group claims that the search giant is relying on a secretive technical method to protect the data — a method that should be audited by outsiders and may be vulnerable to hacks or other data breaches.

“Google is seeking to extend its dominance from the online world to the real, offline world, and the FTC really needs to look at that,” said Marc Rotenberg, the organization’s executive director.

Google — a subsidiary of Mountain View, Calif.-based Alphabet Inc. — called its advertising approach “common” and said it had “invested in building a new, custom encryption technology that ensures users’ data remains private, secure and anonymous.”


The tech giant announced the program, Store Sales Measurement, in May. Executives have hailed it as a “revolutionary” breakthrough in advertisers’ abilities to track consumer behavior. Google said that, for the first time, it would be able to prove with a high degree of confidence that clicks on online ads led to in-person purchases.

To do this, Google said it had obtained access to the credit and debit card records of 70% of U.S. consumers. It had then developed a mathematical formula that would anonymize and encrypt the transaction data, and then automatically match the transactions to the millions of U.S. users of Google and Google-owned services such as Gmail, search, YouTube and maps. Google said this approach prevents it from accessing the credit or debit card data for individuals.

But the company did not disclose the mathematical formula it uses to protect consumers’ data. In a statement, Google said it had taken pains to build custom encryption technology that ensures the data it receives remain private and anonymous.

The privacy organization is asking the government not to take Google’s word for it and to review the algorithm itself. In its complaint, the organization said that the mathematical technique that Store Sales Measurement is based on, CryptDB, has known security flaws. Researchers hacked into a CryptDB-protected healthcare database in 2015, accessing more than half the stored records.


Google also would not disclose which companies were providing it with the transaction records. When asked if users had consented to having their credit and debit transactions shared, Google would not specifically say. It replied that it requires that its unnamed partners have “the rights necessary” to use these data.

In its complaint, the privacy group alleges that if consumers don’t know how Google gets its purchase data, then they cannot make an informed decision about which cards not to use or where not to shop if they don’t want their purchases tracked. The organization points out that purchases can indicate medical conditions, religious beliefs and other intimate information.

Google also said that it does not have access to the names or other personal information of the credit and debit card users, and that it does not share any information about individual Google users with partners. Advertisers receive aggregate information. For example, for an ad campaign for sneakers that received 10,000 clicks, the advertiser learns that 12% of the clickers made a purchase.

Users can opt out any time, Google said. To do so, users of Google’s products can go to their My Activity page, click “Activity controls,” and turn off “Web & App Activity,” Google says.


The privacy group says the opt-out settings and the descriptions of what users are opting out of are confusing and opaque. The group says that the company continues to store server and click data even when “Web & App Activity” is turned off, and that to opt out of everything requires a labyrinthine process of going to a number of third-party sites. Meanwhile, opting out of location-tracking requires going to a separate button and interface. None of the opt-out descriptions specifically describes credit card data.

In 2011 and 2012, Google paid multimillion-dollar fines to settle FTC allegations on privacy issues. The 2012 case, for $22.5 million, said that Google misrepresented its privacy promises to users of Apple’s Safari browser, who were under the impression that they could opt out of ad tracking. In 2011, in response to a case brought by the Electronic Privacy Information Center, Google settled FTC accusations that it used deceptive tactics and violated its own privacy promises when it launched its social network Google Buzz.

Dwoskin and Timberg write for the Washington Post.