Watchdog asks FTC to look into how Google collects shopping data

Back in May, Google introduced a new tool, "store sales measurement," which tracks debit and credit card purchases in the real world. The company claimed it could help them prove that online ads directly lead to in-store purchases. But a privacy watchdog group isn't comfortable with the vague safeguards the search giant put in place as it tracks buying habits, and has asked the FTC to investigate.

As written in its formal complaint to the FTC, the Electronic Privacy and Information Center (EPIC) is requesting the agency discover how Google's tool connects online browsing with in-store shopping, which the search giant has kept secret. The company's post introducing the tool back in May outlined its potential benefits to marketers, but not how it collects data; It did note that the tool's methods "match transactions back to Google ads in a secure and privacy-safe way, and only report on aggregated and anonymized store sales to protect your customer data."

But the complaint goes a step further. Google maintains that users can opt-out of the tool's data collection by going to their account settings and toggling off "Web and App Activity." But EPIC claims that's a spurious assurance and outright deceptive trade practice because some users must also call their banking or credit institution, which might have its own third-party relationship feeding consumer purchasing data to Google. To that end, EPIC requests the FTC force Google to divulge all of its third-party partnerships, which the tech titan noted "capture approximately 70% of credit and debit card transactions in the United States" in the May blog post.

The FTC has its own FAQ page describing what rights users have when opting out.

Update: Google responded to our request for comment with this statement:

"We take privacy very seriously so it's disappointing to see a number of inaccuracies in this complaint We invested in building industry-leading privacy protections before launching this solution. All data is encrypted and aggregated— we don't share or receive any identifiable credit card data whatsoever.

Users have robust controls— we only use data that they've consented to have associated with their Web and App activity in their Google account, which users can opt-out of at any time. We are committed to constantly innovating and continuing to provide transparency to users on what data we collect and how we use it."

Further, Google maintains that it doesn't gather data on individual purchases, either product or amount, nor the specific identity of the buyer -- just the aggregate value of several purchases. The company insists it doesn't have any identifiable individual user's credit card data from their partners, and since it's encrypted when Google receives it from partners, cannot discern individual identities anyway. Germane to the complaint, the search giant says its tool doesn't use location services nor does it use CryptDB -- and it's currently only operating in beta in the US>