Short version – if you buy something in a US store with your Mastercard, they tell Google about it. Google then reconciles your purchase with your advertising exposure while logged in with a Google account, and sends a report to advertisers to show how on-line ads drive offline sales.
This is, of course, only in the US. Because in Europe, they’d have had to tell us about it. That’s what Article 14 of the GDPR is for.
I don’t know about you, but that’s way over my creepy stalker threshold.
Of course just because it would be illegal doesn’t mean it’s not happening over here. After all, no-one in Europe would ever covertly acquire and analyse consumer data, would they?
Here’s hoping the ICO actually does some enforcement of Article 14 before anyone else thinks this kind of behaviour is acceptable.
A bigger picture 