Google data mine digs into credit-card privacy

Published May 28, 2017

San Francisco - Google has begun using billions of credit-card transaction records to prove that its online ads are prompting people to make purchases - even when they happen offline in brick-and-mortar stores, the company said Tuesday.

The advance allows Google to determine how many sales have been generated by digital ad campaigns, a goal that industry insiders have long described as "the holy grail" of online advertising. But the announcement also renewed long-standing privacy complaints about how the company uses personal information.

To power its multibillion-dollar advertising juggernaut, Google already analyses users' Web browsing, search history and geographic locations, using data from popular Google-owned apps such as YouTube, Gmail, Google Maps and the Google Play store. All that information is tied to the real identities of users when they log into Google's services.

The new credit-card data enables the tech giant to connect these digital trails to real-world purchase records in a far more extensive way than was possible before. But in doing so, Google is yet again treading in territory that consumers may consider too intimate and potentially sensitive.

Privacy advocates said few people understand that their purchases are being analysed in this way and could feel uneasy, despite assurances from Google that it has taken steps to protect the personal information of its users.

Google also declined to detail how the new system works or what companies are analysing records of credit and debit cards on Google's behalf. Google, which saw $79 billion in revenue last year, said it would not handle the records directly but that its undisclosed partner companies had access to 70 percent of transactions for credit and debit cards in the United States.

"What's really fascinating to me is that as the companies become increasingly intrusive in terms of their data collection, they also become more secretive," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. He urged government regulators and Congress to demand answers about how Google and other technology companies are collecting and using data from their users.

User privacy

Google said it took pains to protect user privacy.

"While we developed the concept for this product years ago, it required years of effort to develop a solution that could meet our stringent user privacy requirements," Google said in a statement. "To accomplish this, we developed a new, custom encryption technology that ensures users' data remains private, secure, and anonymous."

The announcement comes as Google attempts to weather an outcry from advertisers over how their ad dollars are spent. Google is working to move past an advertising boycott of YouTube, its lucrative video site, after news reports that ads for mainstream brands were appearing alongside extremist content, including sites featuring hate speech and violence.

Google for years has been mining location data from Google Maps in an effort to prove that knowledge of people's physical locations could "close the loop" between physical and digital worlds. Users can block this by adjusting the settings on smartphones, but few do so, privacy experts said.

This location-tracking ability has allowed Google to send reports to retailers telling them, for example, whether people who saw an ad for a lawn mower later visited or passed by a Home Depot. The location-tracking program has grown since it was first launched with only a handful of retailers. Home Depot, Express, Nissan and Sephora have participated.

"Google - and also Facebook - believe that to get digital dollars from advertisers who are still primarily spending on TV, they need to prove that digital works," said Amit Jain, chief executive of Bridg, a start-up that matches online and offline behaviour. "These companies have to invest in finding the identity of the consumer at the moment when that shopper is at the cash register."

Tuesday's announcement gives Google a clearer way to understand purchases than just location and allows it to understand purchase activity even when consumers deactivate location tracking on their smartphones.

Google executives say they are using complex, patent-pending mathematical formulas to protect the privacy of consumers when they match a Google user with a shopper who makes a purchase in a brick-and-mortar store.

The mathematical formulas convert people's names and other purchase information, including the time stamp, location and amount of the purchase, into anonymous strings of numbers. The formulas make it impossible for Google to know the identity of the real-world shoppers, and for the retailers to know the identities of Google's users, said company executives, who called the process "double-blind" encryption.

Making matches

The companies know only that a certain number of matches have been made. In addition, Google does not know what products people bought.

"Through a mathematical property, we can do double-blind matching between their data and our data," Jerry Dischler, vice president of product management for AdWords, Google's online advertising service, said in an interview. "Neither gets to see the encrypted data that the other side brings."

The tech giant declined to describe its mathematical formulas in anything more than broad terms, citing the patent application. It said the work was based on a 2011 research paper by three MIT scientists, which was funded by Google and Citigroup.

Dischler described the modelling as a "revolutionary" step forward for Google and advertisers. He added that users who signed into Google's services had consented to Google sharing their data with third parties.

But the company would not say how merchants had obtained consent from consumers to pass along their credit-card information. Google said that it requires its partners to use only personal data that they have the "rights" to use, but it would not say whether that meant the consumers had consented.

In the past, both Google and Facebook have obtained purchase data for a more limited set of consumers who participate in store-loyalty programs. Those consumers are more heavily tracked by retailers and often give consent to share their data with third parties as a condition of signing up.

Tuesday's initiative enables Google to use transaction data from a much wider swath of consumers than ever before, but the lack of detail on how personal data was being handled caused concern for privacy advocates.

Paul Stephens, of Privacy Rights Clearinghouse, a consumer-advocacy group based in San Diego, said only a few pieces of data can allow a marketer to identify an individual, and he expressed scepticism that Google's system for guarding the identities of users will stand up to the efforts of hackers, who in the past have successfully stripped away privacy protections created by other companies after data breaches.

"What we have learned is that it's extremely difficult to anonymize data," he said. "If you care about your privacy, you definitely need to be concerned."

Such data providers have been the targets of cybercriminals in the past. In 2015, a hack of data broker Experian exposed the personal information of 15 million people.

WASHINGTON POST
