Of these, which are 'personal'?

* Order ID
* Store name (GOG in this case)
* Order total
* Country where order was placed
* SKU code
* Game title
* Category ("game" in this case)
* Cost
* Quantity

Alone, none, but connected to your IP-address, which Google obtains when your browser connects to https://ssl.google-analytics.com/ga.js to load the script, it gives Google these infos:

your current country (it's obtainable via the IP-address),
the fact you are a GOG client,
the name of the game you bought,

which you may consider private.

(edit: spelling)

Yes, you're passing your IP address to Google when you call that script from your browser, but given the sheer number of downloads of that script in any given second, Google's ability to match up an IP address with the dataset sent to GA is extremely limited. Bear in mind that there is a brief delay in real time between connecting to load the script and actually sending the data.

Even if it lasts just milliseconds, other data would have been sent in the meantime that makes identifying which IP belongs to which GA dataset impossible.

I'm still confused as to why google would want this data if it's so useless and unimportant.

I'm also slightly confused about how GA works in general. I thought the reason it keeps showing me adsense ads related to gaming was from info it gets through gog and steam. If what everyone is saying about them not linking the data is correct, then how does this happen, and how does adsense know what you might be interested in? I don't see how it can be search history, as I do plenty of searching on other things, but it's always gaming stuff that they advertise to me.

And no, Im not being sarcastic or rhetorical, I think I may have just misunderstood how it works.

Google is estimated to have over a million servers, processes over a billion searches and twenty-four petabytes (1 thousand million million bytes) of user-generated data per day (source: Wikipedia). If they can handle that, then linking data by IP address should be trivial.
Most broadband users will be on a static (and hence unique) IP address. Even if an IP address is being shared by hundreds of users, individual ones can be picked out by browser fingerprinting.

As for what data Google may link your GOG purchases to, this can include a partial list of websites visited (all those using Google Analytics, Google AdWords or DoubleClick advertising, plus those using other Google content such as Google APIs or a Google search box), details of usage for all other Google services (YouTube, Orkut, GMail, ReCaptcha, Blogger) and personal details (name, address, telephone) if you've ever used Google Checkout.

Even if you haven't used Google's services to such a large extent, future usage could still be linked (i.e. if you pay for something using Google Checkout later on, Google can link previously collected data to your now-known personal details).

GOG's disclosure of purchase information to Google is quite trivial compared to the vast swathe Google picks up from elsewhere, but it is an addition nonetheless from a website that should be holding itself up to higher standards of customer service.

No follow up on this from GOG so I'd just like to check with TheEnigmaticT if he wishes to respond further, or whether those raising concerns about GOG's actions should be taking them elsewhere.

Thanks.

I like to roll around buck-naked in large pools of gelatin while wearing a Tupperware bowl on my head and humming Barbara Streisand. Is Google collecting data on this? Should I be concerned about them blocking my gello supply?

There's no particular reason for him to respond other than as a formality. If GA bothers people that much, there are tutorials around about how to redirect the requests to 127.0.0.1 and be done with it. Works for every site you'll encounter that uses it as well.

If he does not wish to address this issue any further, that's his choice. GOG/CD-Projekt does have to comply with Polish law based on EU directives on data protection, and their current policy in my view fails to comply for the reasons given previously.
I give details in the first post of this thread on how to stop such data transfer (and the hosts file solution you suggest won't work in every situation).

The point however is that the vast majority of GOG's customers will be unaware of this - it is (still) not mentioned anywhere in GOG's privacy policy. So dealing with the cause of the problem (by asking GOG to change their policy) is more appropriate than taking the "I'm all right, pull up the ladder" approach and only covering yourself.

If people don't care enough to know how to deal with the problem, then why on earth should they expect somebody else to do it for them? I mean that's sort of the point, if I'm taking steps to protect myself, I know what's been done, but if I'm expecting GOG to do it for me because I'm that lazy and self entitled, how exactly do I know what other steps I might take?

And no, it doesn't only cover myself, it ultimately covers everybody. If enough people do it then the behavior will stop entirely rather than going site by site by site. Anybody who generally cares about GA will be doing this sort of thing themselves.

Bitching about GOG is really disingenuous as it's hardly the only site which uses GA.

Blocking 0_o ? They're going to find out and... display tailor-made ads for retailers selling gello cheaply and near you. Sinister, isn't it ?

I'd go a step further and say that the problem is psychological in nature and if someone is not bothered by it, they won't be negatively affected in any way (and I dare anyone to disprove this) ;P.

So if someone isn't checking their Internet connection constantly for unexpected activity and isn't examing the HTML source of every webpage then it's their fault if a website they visit divulges data without their consent?

Taking that reasoning to its logical conclusion would mean treating murder by blaming the victims for not learning self defense, rather than the perpetrator.
That position is both hopelessly optimistic and disproven by the recent history of tracking techniques. Marketeers' response to people using tools to restrict (or clear) cookies has been to use other techniques like Javascript cookies, Flash local storage or browser fingerprinting (the last allowing user tracking without storing any data locally).
So in your view, having other sites doing a similar thing makes it right? (along similar lines, pickpocketing shouldn't be complained about because "plenty of others" do it).

Most sites using GA don't send user purchase details to Google, responsible sites using GA disclose such usage in their privacy policy (GOG don't mention GA at all in theirs) and since this is a GOG forum, it is more appropriate to discuss GOG's online behaviour rather than that of other websites.

Ignoring objectionable behaviour (which you seem to be advocating here) is pretty much guaranteed to make things worse, not better. Ironically, we have the example of DRM as an example of this, where measures taken by the largest publishers are getting more, not less, restrictive.

Absolutely it's their fault. And don't give me any of this victims bullshit. The internet is not private property, and whining about people being able to track you makes about as much sense as going to a mall and being surprised that security knows where you are and can find you.

And no, that's not taking it to it's logical conclusion, that's creating a strawman because you don't know how to argue.
If it's hopelessly optimistic it's because most people genuinely don't care and don't bother to look into it enough to care. If people cared enough to stop giving them money they would eventually have to figure out a less sociopathic way of earning their rent.

The fact that most people don't care is probably an indication of why that hasn't changed.

Oh, please, don't give me that bullshit right there. This isn't objectionable behavior this is how they're going about measuring site performance.

I'm personally a huge fan of privacy, but at some point it gets to be absolutely ridiculous. They've already responded to the complaint and explained the situation. The fact that you don't believe them is a completely separate matter.

Didn't you bother reading the first post (and thread title for that matter). This isn't about tracking - it's about GOG posting details of transactions carried out to Google. So to take your shopping mall analogy, it's more like a store passing copies of every receipt to security so they can see what you're buying.
The fact is that most people don't know this is happening. That is why I started this thread, to give those who bother to read it enough knowledge to make an informed choice - and to give GOG a chance to put their side in. Your posts seem to be missing that - and the feedback from others concerned.

As for not giving money, I've certainly cut back my spending on GOG as a result - I'm probably only going to do future orders if needed to confirm this is still occurring.
At this point, it's your ability to make an argument that's going down the drain. If GOG want to measure their performance, they've got their own business accounts to look at. There's no need to be passing order details to any third party.
Your viewpoint here strongly suggests you don't even understand what privacy is.

Umm, they do that here and they did that back at home. Security is capable of seeing what's put in the bag everywhere I've ever lived. And often takes a look just to make sure.

No, the point of this thread is trolling. They've already put their piece in and you're stirring it up again. If you don't believe what you've been told, then fine, but they have made their statement.

Also, the geotracking has been known for quite some time. It's something that they added about the time that TW2 came out and it was quite publicized at that point. And an entire thread devoted to it or something along those lines.

I used to work security in a building with social security and that information your referencing isn't PII.When it comes to privacy Personally Identifiable Information is really all the matters. If you're doing things in public people are going to see you and the internet is very much a public place to be where any number of people could and do watch you.

I take it the term Content Delivery Network doesn't mean anything to you. Unless I'm greatly mistaken GOG uses a CDN to actually deliver the files as that's more efficient and reliable than having them try to do it in house and have servers of their own on 6 out of the 7 continents to worry about.

And yes, because of that they do indeed need a third party to measure the performance. The order details you mention in the first post are mostly things that have obvious connection to monitoring the reliability and stability of their service.

I understand what privacy is, but I also live in the real world where people might see me doing things. Right now I have no privacy anywhere except in my own apartment as I'm one of 2 white people in this particular 10 mi radius. The internet is not your house, people can and do observe what you're doing, being purposefully obtuse doesn't change the fact that there are any number of people watching your packets at any time.

I truly do appreciate privacy, but I'm not batshit insane either. None of the things you've listed in the initial post represent any loss of privacy as you'd have to have access to GOG's records to know what they mean.

The posts you've placed in this thread literally represent a greater loss of privacy than the entire set of game order transactions GOG has.

But, whatever, I have better things to do with my time and energy to waste on you.