Google Now Tracks Your Credit Card Purchases and Connects Them to Its Online Profile of You

Google’s new ability to match people’s offline credit card purchases to their online lives is a stunning display of surveillance capitalism in action.

The capability, which Google unveiled this week, allows the company to connect the dots between the ads that it shows its users and what they end up actually buying. This is a crucial link for Google’s business that, for all of the company’s inventiveness, remains a matter of attracting users to its predominantly free services, collecting user data, and leveraging that data to sell advertising. If Google can show that someone who saw an ad for a furniture store in Google Maps, say, then went and made a big purchase at that store, the store’s owner is much more likely to run more ads.

Of course, Google has been able to track your location using Google Maps for a long time. Since 2014, it has used that information to provide advertisers with information on how often people visit their stores. But store visits aren’t purchases, so, as Google said in a blog post on its new service for marketers, it has partnered with “third parties” that give them access to 70 percent of all credit and debit card purchases.

So, if you buy stuff with a card, there’s a less than one-in-three chance that Google doesn’t know about it.

Google has talked a bit about the lengths it goes to in order to preserve user privacy. A piece in the Washington Post on the new service has the following: 

Google executives say they are using complex, patent-pending mathematical formulas to protect the privacy of consumers when they match a Google user with a shopper who makes a purchase in a brick-and-mortar store.

The mathematical formulas convert people’s names and other purchase information, including the time stamp, location, and the amount of the purchase, into anonymous strings of numbers. The formulas make it impossible for Google to know the identity of the real-world shoppers, and for the retailers to know the identities of Google’s users, said company executives, who called the process “double-blind” encryption.

The companies know only that a certain number of matches have been made. In addition, Google does not know what products people bought.

Beyond that, us regular folks pretty much have to take it on faith that this system works. Given how few “anonymous” data points are required to identify an individual from credit card data, it’s hard to believe that linking people’s behavior on services as diverse as Gmail, YouTube, Google Maps, and others to offline buying habits couldn’t result in someone’s privacy being compromised, especially if it ever fell into the hands of hackers.

But let’s not single Google out. For one thing, we users do willingly hand our personal data over to Google—that’s part of the service agreement (whether we have consented to let credit card companies hand our purchase records over in this way is potentially another matter). And for another, Google isn’t alone: Facebook is engaged in essentially the same practice of marrying online information with our offline lives. 

So, you know, everyone’s doing it.

(Read more: The Washington Post, “How Facebook Learns About Your Offline Life,” “Data Sets Not So Anonymous”)