University of Ottawa

Google Links Online Search Data and Offline Purchase Data

Assignment #2

Group #22
Last Name First Name Student Number

Diaz Paredes Daniela 300126507

Dowling Lilli 300105387

Guirguis George 300174455

Nielsen Amelia 300210087

Zagallai Shahd 300174444

Zhou May May 300147238

ADM 2372, Management Information Systems [P]

Dr. Alhassan Ohiomah

February 14, 2022

Question #1: The case study shows that Google is linking Online Search Data and Offline
Purchase Data. Is this a legal and/or ethical practice? Why or why not? Please justify your
answer (10 marks)
It is legal for Google to link online search data and offline purchase data. This practice is
legal because of consent from users and a lack of laws. To start, users consented to Google
sharing their data with other businesses. For example, in this case, it is stated that “all users who
signed into Google’s services consented to Google’s sharing their data with third parties.” Once a
user accepts the terms and conditions, they are explicitly consenting to the content in the
agreement. Additionally, Oromoni (2021) reported that the Court of Appeal for Ontario found
that “When an individual makes a conscious decision not to read the terms of a contract in a
stock award agreement but clicks on the confirming box that says they have read and understood
the proposed agreement, they are legally bound by the terms.” The Ontario Court of Appeal’s
ruling provides further evidence that when users accept Google’s services they are legally bound
to the agreement. Moreover, only select shared data was used by third parties. To illustrate, in
this case, Google claimed that “it requires its partners to use only personal data that they have the
rights to use.” These conditions in place demonstrate that Google was ensuring there were
standards for the access and use of personal user data. Thus, users provided consent by signing in
to Google, which is legally binding, and Google has data access provisions in place. Therefore, it
is legal for Google to link online search data and offline purchase data. Finally, there currently
are no Canadian laws regarding the linking of online search data and offline data. For instance, in
this case, it is explained that Marc Rotenberg “urged government regulators and the U.S.
Congress to demand answers about how Google … are collecting and using data from their
users.” Signaling that there are no current laws in place regarding this specific practice.
However, that being said, Google must be careful that they do not breach the Personal
Information Protection and Electronic Documents Act (PIPEDA). PIPEDA governs all
“for-profit commercial organizations,” and in 2004, it began to apply to “all commercial
activities,” (Ohiomah, 2022). As such, credit records are included under personal information.
The credit card holders must consent to an organization using their information. Thus, despite
there not being Canadian laws prohibiting this practice, there is PIPEDA that can put Google in
violation of information privacy. Therefore, due to the lack of laws, it is legal for Google to link
online search data and offline purchase data. In summary, this practice is legal, since Google has
their users’ consent, which is legally binding, and there are no Canadian laws banning this data
collection. Nevertheless, Google should be more transparent with this data linking practice to
ensure they are not breaching PIPEDA.
Google linking Online Search Data and Offline Purchase data is not ethical because
ethics is explained by morals and rules of conduct. Ethics is all about distinguishing “right” from
“wrong” and the rights and respect of a person. As discussed above, Canadian laws prohibit
organizations from using Canadian customer information (such as credit card numbers,
addresses, etc.) because it violates the customer’s privacy. Even though Google has most likely
figured out a way to get around it legally, does not mean it is ethical to use Online Search Data
and Offline Purchase data to help track an organization’s feedback from customers. This Case
Study is a prime example of Quadrant III of Legal vs. Ethical. The definition of this Quadrant is:
“not all legal activities are ethical” (Ohiomah, 2022). The act of Google collecting data from
customers and declining to explain how its new system works or to identify which companies are
using analyzing records is a big red flag, making you wonder what else they are utilizing that
data for. Since websites show that they are using cookies, the customer should be able to
customize what type of cookies they are willing to provide. Also, when a customer is purchasing
a product or service with a coupon, deal, or even at its normal price that user’s data should
remain private, secure, and anonymous. Google has been very clear that they keep customers’
private information as said in the Case Study: “formulas convert people’s names and other
purchase information, including the time stamp, location, and the amount of the purchase, into
anonymous strings of numbers, a process called encryption”(Google Links Online Search Data
and Offline Purchase Data, 2022). Despite this, how many customers are aware that they are
being tracked on what they look at, what they go on, what they search, or even what they say?
Spontaneously, customers are not necessarily notified if they are being watched by Google, and
stated in the Case Study: “However, it would not say whether that meant that consumers had
explicitly consented.” (Google Links Online Search Data and Offline Purchase Data, 2022). In
the Case Study, they say that Google does say that all users who signed into Google’s service
consent to Google using and sharing their data with third parties. However, when did we all
consent to this, when we downloaded Google on our computers, laptops, or phones? Was that our
consent to Google tracking our every move? Even though Google is certainly making sure that
their actions are legal, they are not taking precautions in their actions to use ethics to give
customers a sense of privacy when purchasing online and as well as offline.

Question #2: Does the sharing of consumers' credit card information by retail merchants
infringes customer privacy? Why or why not? Please justify your answer (10 marks)

It is important to distinguish if sharing consumers credit card information by retail

merchants is unethical or illegal. There are 4 scenarios: legal but unethical, illegal and unethical,
legal and ethical and illegal but ethical. In the case study there is an overall issue of consumer’s
consenting to credit card information sharing by merchants. Under PIPEDA guidelines, consent
is defined as “The knowledge and consent of the individual are required for collection, use, or
disclosure of personal information, except when inappropriate (Ohiomah, 2022).” In most cases
where merchants claim to have the consent of their customers, it is from agreeing to sign up for a
loyalty program, however it is hidden in the TOS (terms of service) or simply a transaction.
There was no mention of which consumers had explicitly consented to having their personal data
shared. Furthermore it is important to understand the rights of consumers to their information
privacy. To what extent can merchants gather information about their customers and share this
information. Unfortunately, this is legal for merchants to collect credit card information since
transactions (whether you pay in store or online) is a consent agreement from consumers.
According to the Office of the Privacy Commissioner of Canada “This purchase information
could potentially be shared and linked with information held by loyalty card companies, data
brokers, or marketers (OPC, 2016).” Therefore, for retail merchants it does not infringe customer
privacy by sharing credit card information, however it is unethical since there is no explicit
consent (legal but unethical).
Additionally, sharing credit card and data information has brought a lot of concern
towards customers. In fact, advocacy groups claim that many people aren’t aware that their data
is being analyzed. Even Though Google has established custom encryption technology to protect
privacy, they need to create awareness and work hand in hand with their customers. Google
should make sure that customers understand what sharing data implies. Nowadays, customers are
forced to give their consent through a digital platform, however this is often disregarded and
customers consent to the terms and conditions without knowing the implications. Hence, Google
and other companies need to obtain customers' consent differently and be proactive to eliminate
these doubts.
To add on, Google refuses to explain the functionally of its new system called “
double-blind encryption” and share which companies are using credit card information on behalf
of Google. This business practice creates a lot of uncertainty for customers. In today’s world, the
average consumer likes to stay informed and very interconnected with technology. This type of
unethical practice will make consumers lose trust and loyalty. As a matter of fact, consumers will
worry about fraud and identity theft since it is very unclear who has access to that data. Thus,
Google should start informing the average user to increase customer retention.

Question #3: Discuss how organizations that want to link Online Search Data and Offline
Purchase Data ensure that they do so ethically and legally? (5 marks). Discuss 2 strategies
customers can use to safeguard their online search data from being tracked by companies
like google (5 marks)
Organizations that want to link Online Search Data (OSD) and Offline Purchase Data
(OPD) can do so ethically and legally should they abide by specific guidelines and regulations.
Primarily, these companies should be focused on obtaining consent from the customer to collect
and distribute their information. As discussed in the course, an unethical use of information
systems is when organizations collect information on customers without their knowledge or
consent. It is also illegal (and unethical) to share and sell this information to other organizations
without the customer’s consent. The ethics of lengthy terms and agreements customers are
expected to agree to without reading can be questioned, so perhaps to counteract this, terms and
conditions of what linking OSD and OPD entails can be more clearly (and briefly) explained to
the customer (which would be both ethical and legal). In Canada, it is necessary for
private-sector organizations to comply with PIPEDA, The Personal Information Protection and
Electronic Documents Act. As explained earlier, this act essentially regulates and protects any
factual or subjective information about an identifiable individual (Office of the Privacy
Commissioner of Canada, 2019). Linking OSD and OPD would fall under the category of
information regulated/protected by PIPEDA, so it would be critical for organizations to comply
with this act. Among the many different tactics possible for having one’s personal information be
safe on the internet there are a couple that stand out among the bunch. A firewall and a VPN are
most commonly used by the populus to achieve information security. Though there are free
versions of a firewall such as Macfee and free VPNs such as Proton VPN it is highly
recommended to invest in them with a monthly subscription. A firewall allows the user of the
device in question to access the internet, database or network with protection from outside
hackers and information thieves. The firewall blocks outside access to your information while
allowing the flow of your processes to be safe and secure. A VPN is an abbreviation to Virtual
Private Network. As the pandemic began to roll out, governments and organizations began to
implement VPNs more commonly as more people were working online and accessing the
database in question from their home. This would make it possible for outsiders to gain access to
classified files not publicly published. A VPN is commonly referred to as a path to navigate the
internet without the possibility of your location or information being taken. The government of
Canada has made it a requirement to activate your VPN when accessing the governmental
database. Firing up the VPN allows the employees to meet in a virtual space without the worry of
anything being leaked. The management of important files and information is now made safe for
organizations due to the development and implementation of VPNs. The above stated tools are
made to protect customers from information theft, malware and hackers.
 References

Office of the Privacy Commissioner of Canada. (September 1, 2016). Electronic and digital
payments and privacy. Government of Canada.
https://www.priv.gc.ca/en/privacy-topics/technology/mobile-and-digital-devices/02_05_d
_68_dp/

Ohiomah, A. (2022). Week 4 - E-Business & E-commerce. University of Ottawa.

https://uottawa.brightspace.com/d2l/le/content/276898/viewContent/4316719/View

Oromoni, A. (2021, October). Accepting contractual terms after choosing not to read its
conditions is legally binding: Ont CA. Law Time News. Retrieved from
https://www.lawtimesnews.com/

Liao, S. (2018, August 30). Google reportedly bought MasterCard data to link online ads with
offline purchases. The Verge. Retrieved February 15, 2022, from
https://www.theverge.com/2018/8/30/17801880/google-mastercard-data-online-ads-offline-
purchase-history-privacy

Ethical challenges in online research ... - sage journals. (n.d.). Retrieved February 15, 2022, from
https://journals.sagepub.com/doi/full/10.1177/1747016116650720

Knight, S. (2018, August 31). Google allegedly paid MasterCard millions for data to link online
ads with offline purchases. TechSpot. Retrieved February 15, 2022, from
https://www.techspot.com/news/76231-google-allegedly-paid-mastercard-millions-data-li
nk-online.html
 Personal Ethics Statement Concerning Telfer School Assignments

Group Assignment:

By signing this Statement, I am attesting to the fact that I have reviewed not only my own work, but the
work of my colleagues, in its entirety.

I attest to the fact that my own work in this project meets all of the rules of quotation and referencing in
use at the Telfer School of Management at the University of Ottawa, as well as adheres to the fraud
policies as outlined in the Academic Regulations in the University’s Undergraduate Studies Calendar
Academic Fraud Webpage.

To the best of my knowledge, I also believe that each of my group colleagues has also met the rules of
quotation and referencing aforementioned in this Statement.

I understand that if my group assignment is submitted without a signed copy of this Personal Ethics
Statement from each group member, it will be interpreted by the Telfer School that the missing student(s)
signature is confirmation of non-participation of the aforementioned student(s) in the required work.

Lilli Dowling 2022-02-12

Signature Date

Dowling, Lilli 300105387

Last Name, First Name Student Number

Amelia Nielsen 2022-02-13

Signature Date

Amelia, Nielsen 300210087

Last Name, First Name Student Number

M.Z 2022-02-13
Signature Date

Zhou, May May 300147238

Last Name, First Name Student Number

D.D 2022-02-13
Signature Date

Diaz, Daniela 300126507

Shahd Zagallai 2022-02-14
Signature Date

Zagallai, Shahd 300147777

Last Name, First Name Student Number

George Guirguis 2022-02-14

Signature Date

George Guirguis 300174455

Last Name, First Name Student Number