Google quietly bought Mastercard credit and debit card records

It’s common knowledge that Google knows when we click on ads. But now, it also knows what we buy in brick-and-mortar shops, due to a previously unreported deal it cut with Mastercard to get our transaction histories, Bloomberg has discovered.

The offline credit card spending data, which anonymous Google insiders said cost millions of dollars, gives Google an unprecedented advantage over competitors such as Amazon, by helping it track users’ offline spending in stores.

The deal hasn’t been made public. The two companies reportedly hammered it out over the course of four years, according to four people with knowledge of the agreement, three of whom worked directly on it.

Mastercard has denied suggestions that the data could be used to identify exact purchases, but the Open Rights Group told the BBC that the confidential nature of the deal raises privacy issues.

Open Rights Group legal director Myles Jackman wondered – given that Google can now tell advertisers that people’s clicking on ads led to actual store sales – whether the company will cut any of those people in on the profit:

This raises serious concerns regarding the use of private financial data. Will Mastercard be compensating their clients for the data they have given away to Google for their own financial gain?

Don’t count your micropayments before they microhatch: The answer, of course, is that it will likely be a cold day in retail hell before that happens.

Christine Bannan, counsel with Electronic Privacy Information Center (EPIC), told Bloomberg that this is surprising news for consumers, and it’s not coming with enough context regarding what’s being done with our data or what we can do about it:

People don’t expect what they buy physically in a store to be linked to what they are buying online. There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.

At any rate, both Mastercard and Google are claiming that shoppers’ individual details aren’t being tied to the buying profiles.

A Mastercard spokesman told Bloomberg that the payment company shares transaction trends with merchants and their service providers to help them measure “the effectiveness of their advertising campaigns.” He said that the information – including sales volumes and average purchase size – is shared only with merchants’ permission, and that it’s not tied to individuals:

No individual transaction or personal data is provided. We do not provide insights that track, serve up ads to, or even measure ad effectiveness relating to, individual consumers.

Google declined to comment on the partnership, but it did address a powerful new ads tool – called Store Sales Measurement – that its select partners have accessed over the past year. The tool lets retailers track whether their online ads led to a sale at a physical store in the US: information reliant on a “stockpile of Mastercard transactions” that Google purchased, according to Bloomberg.

From a statement about the anonymization in Store Sales Measurement, provided by a Google spokeswoman:

Before we launched this beta product last year, we built a new, double-blind encryption technology that prevents both Google and our partners from viewing our respective users’ personally identifiable information.

We do not have access to any personal information from our partners’ credit and debit cards, nor do we share any personal information with our partners.

People can opt out of ad tracking using Google’s Web and App Activity controls, the company said.

Mastercard likewise told the BBC that the data it provides to retailers – via its own “media measurement services” – is stripped of personally identifiable information (PII):

We only provide merchants and their designated service providers trends based on aggregated and anonymized data, such as the merchant’s average ticket size and sales volumes.

The “it’s anonymized” line is a familiar one, and it’s one that Big Data researchers love to skewer by doing things like pinpointing people after looking at a bunch of supposedly anonymized credit card transactions.

Bloomberg reports that multiple Google staffers objected to the fact that the Web and App Activity control didn’t provide people with a more obvious way for cardholders to opt out of this kind of tracking.

In the past year, we’ve seen Google employees protest work on both a censored search engine for China and artificial intelligence-enhanced targeting of drone strikes for the Pentagon.

Will Google employees similarly raise ruckus over Google’s hush-hush deal with Mastercard? If so, we’ll let you know.

In the meantime, it’s unknown whether Google has struck similar deals with other payment companies, though one of Bloomberg’s sources said that it’s approached other credit card companies. What we do know is what Google has already bragged about: it claims to have access to about 70% of US credit and debit cards information, shared through partners, though it hasn’t named those partners.

Make of that what you will, but it sounds like Google has brokered its way into knowing an awful lot about the majority of US consumers’ spending activity and is on track to know the same about even more of us. From Bloomberg:

That 70 percent could mean that the company has deals with other credit card companies, totaling 70 percent of the people who use credit and debit cards. Or it could mean that the company has deals with companies that include all card users, and 70 percent of those are logged into Google accounts like Gmail when they click on a Google search ad.

Google has approached other payment companies about the program.