Google will use UK and EU IP addresses for ad tracking
Key Takeaways
- Google will repurpose IP addresses for ad measurement and personalization in the UK, EU, and Switzerland starting August 3, 2026
- The move reverses Google's 2019 stance against fingerprinting, which the UK's ICO called 'irresponsible' when announced in December 2024
- Users won't get an opt-out choice until later in the rollout, and advertisers bear the compliance burden under Google's EU User Consent Policy
Google has notified advertisers it will begin using IP addresses for ad measurement and personalization across the European Economic Area, the UK, and Switzerland on or shortly after August 3, 2026. The company already receives these addresses to route traffic and deliver ads. What changes is the purpose: those same addresses will now identify devices for behavioral advertising, a use that triggers consent requirements under UK and EU law.
This isn't a technical shift. It's a policy shift. Google has used IP signals for advertising in other regions for years, citing spam and fraud prevention. But in jurisdictions covered by GDPR, an IP address is personal data, and using one to identify a device is a building block of fingerprinting, the practice of tracking users when cookies are blocked or cleared.
Why is Google changing its stance on IP tracking?
Google's reversal is striking because the company once took the opposite view. In 2019, Justin Schuh, then Chrome's engineering director, wrote that fingerprinting subverts user choice and is wrong because users cannot clear it the way they clear cookies. That was Google's public position for five years.
In December 2024, Google dropped its prohibition on fingerprinting for advertisers. The UK's Information Commissioner's Office responded within a day, calling the reversal "irresponsible." Now, eight months later, Google is operationalizing that policy shift in the regions with the strictest data protection rules.
How does this conflict with UK regulatory advice?
The timing creates a collision. On May 18, 2026, the ICO published advice to the UK government on changing consent rules for online advertising. Its preferred approach would allow some advertising without consent only where it's based on the context being viewed, not a person's activity over time. Consent would remain mandatory for tracking that profiles people across services.
IP-based personalization across surfaces sits squarely on the consent-required side of that line. The ICO has stressed that nothing has changed yet and existing rules still apply. But Google's rollout proceeds anyway, pushing the compliance burden onto advertisers through its EU User Consent Policy.
Google frames the change around privacy-enhancing technologies, listing on-device processing, trusted execution environments, and secure multi-party computation. Some personalization features won't arrive until later this year or early next. At that point, Google says it will let users on its own properties make a choice about IP-based personalization.
What can users do before the opt-out arrives?
The user-facing choice won't arrive until later in Google's rollout. Until then, the available controls are the familiar ones: declining non-essential cookies and consent prompts, and reviewing ad personalization settings under your Google account at myadcenter.google.com.
- Decline non-essential cookies when prompted
- Review and adjust settings at myadcenter.google.com
- Consider privacy-focused browsers that limit IP exposure
- Use a VPN to mask your actual IP address from Google's services
Whether these measures square with the ICO's May advice, which would keep consent mandatory for cross-service profiling, is the question Google's rollout now raises. The company is betting that advertisers will handle consent, and that regulators won't act before the new privacy-enhancing features arrive.
What does this mean for advertisers?
Google's customer email explicitly pushes compliance responsibility onto advertisers. They remain bound by Google's EU User Consent Policy and must obtain valid consent from users in the affected regions. The company is also registering under the IAB Europe Transparency and Consent Framework for Feature 3, which covers identifying devices based on automatically transmitted information.
Feature 3 isn't a consent step itself. It attaches to personalization purposes that require user consent rather than legitimate interest. Advertisers relying on Google's ad ecosystem will need to ensure their consent mechanisms cover this new data use, or risk being on the wrong side of GDPR enforcement.
Community reactions on Reddit's r/technology and r/privacy forums have been sharply negative, with users describing the move as a "hypocritical reversal" of Google's past privacy rhetoric. Many are discussing potential legal challenges from European regulators and recommending privacy-focused browsers and VPNs as immediate countermeasures.
Logicity's Take
Google is essentially daring regulators to act. By announcing the change now but delaying the user opt-out, the company creates a window where 450 million users are tracked by default. If the ICO or EU data protection authorities don't intervene before August 3, Google will have established a precedent that IP-based device identification is acceptable under current rules. The compliance burden shift to advertisers is a shield: if enforcement comes, Google can point to its consent policy while advertisers face the fines.
Frequently Asked Questions
When does Google start using IP addresses for ad personalization in the UK and EU?
Google will begin using IP addresses for ad measurement and personalization in the EEA, UK, and Switzerland on or shortly after August 3, 2026.
Is using IP addresses for ad tracking legal under GDPR?
IP addresses are classified as personal data under GDPR. Using them for device identification and ad personalization requires valid user consent, which is why this change triggers compliance obligations for advertisers.
Can I opt out of Google's IP-based ad personalization?
Not immediately. Google says the user-facing choice will arrive later in the rollout. Until then, you can decline cookies, adjust settings at myadcenter.google.com, or use a VPN to mask your IP address.
Why did the UK ICO call Google's fingerprinting policy irresponsible?
When Google dropped its prohibition on fingerprinting for advertisers in December 2024, the ICO responded within a day, calling it irresponsible because fingerprinting tracks users in ways they cannot clear or control, unlike cookies.
Are advertisers responsible for obtaining consent under this new policy?
Yes. Google's notification explicitly states that advertisers remain bound by its EU User Consent Policy and must obtain valid consent from users in affected regions.
Need Help Implementing This?
If your business operates in the UK, EU, or Switzerland and relies on Google's ad ecosystem, now is the time to audit your consent mechanisms. Contact a data protection specialist to ensure your privacy policies and consent flows cover IP-based device identification before August 3.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
Related Articles
Browse all
Kraken Crypto Exchange Extortion: Hackers Threaten to Leak Internal Videos After Insider Breach
Cryptocurrency exchange Kraken is being extorted by hackers who obtained videos of internal systems through bribed support employees. The company says no funds were compromised and refuses to pay, with only about 2,000 accounts affected. Kraken is working with federal law enforcement to prosecute everyone involved.
Windows 11 KB5083769 and KB5082052: April 2026 Patch Tuesday Brings Smart App Control Changes and Security Fixes
Microsoft's April 2026 Patch Tuesday updates are now live for Windows 11, bringing critical security patches alongside a welcome change to Smart App Control. You can finally toggle SAC on or off without wiping your entire system. The updates cover versions 23H2, 24H2, and 25H2.
Zero Trust Identity Security: 5 Ways This Framework Actually Stops Credential Theft
Stolen credentials caused 22% of breaches in 2025, making them the top attack vector. Zero Trust promises to fix this, but only when it's built around identity as the core principle. Here's how organizations can implement it properly.
Open Source PR Backlogs: Why Your GitHub Contribution Sits Unreviewed for a Year
A developer's Jellyfin pull request has been waiting over a year for merge despite two approvals, exposing a systemic crisis in open source maintenance. Queuing theory explains why backlogs grow exponentially, and 60% of maintainers have quit or considered quitting due to burnout.
