ProBackend
ad formats monetization
1 hour ago5 min read

Google's IP Address Pivot: What Ad Personalization Means for EU Privacy Compliance

Google notified advertisers it will use IP addresses for ad measurement and personalization across the EEA, UK, and Switzerland starting August 3, 2026 — a move that reverses its prior fingerprinting ban and puts compliance pressure on every advertiser operating in Europe.

Google Is Using Your IP Address Now

Here's the thing about privacy that nobody likes to hear: companies don't ask permission first. They notify you after they've already decided what's coming.

That's exactly what Google did on June 17, 2026. Advertisers across the European Economic Area, the UK, and Switzerland got an email telling them that starting August 3, Google will begin using IP addresses for ad measurement and personalization. Not routing traffic. Not fighting fraud. Personalization.

The distinction matters more than you'd think, because under GDPR and the UK's data protection regime, an IP address is personal data. And using it to identify a device for advertising purposes triggers consent requirements that most advertisers haven't been preparing for.

I've been tracking this space since Google's Chrome team called fingerprinting "wrong" back in 2019. Justin Schuh, then the engineering director, wrote that fingerprinting subverts user choice because users can't clear it the way they can clear cookies. Fair point. Then in December 2024, Google reversed that stance entirely and dropped its prohibition on fingerprinting for advertisers. The UK's Information Commissioner's Office called the reversal "irresponsible" within a day.

We're now living with that decision.

Google Is Using Your IP Address Now

What Actually Changes on August 3

Let me be clear about what's shifting and what isn't.

Google already receives IP addresses from nearly every request. Customer tags, SDKs, HTTP calls, uploads — the data has been flowing for years. The infrastructure exists. The pipelines are built.

What changes on August 3 is the purpose. Those same IP addresses will now be used to identify devices for measurement and ad personalization. That's the use case that triggers consent requirements under UK and EU law.

Google is also registering under the IAB Europe Transparency and Consent Framework (TCF) for Feature 3: "Identify devices based on information transmitted automatically." This is the mechanism for distinguishing a device from the data it sends — including that IP address you thought was anonymous.

Here's where it gets interesting from a compliance angle: Feature 3 isn't itself a consent step. It attaches to the personalization purposes, which require user consent rather than legitimate interest. So advertisers can't just wave their legitimate interest card and move on.

The company frames this around privacy-enhancing technologies — on-device processing, trusted execution environments, secure multi-party computation. Some of these features won't arrive until later this year or early next year, at which point Google says it will let users on its own properties make a choice about IP-based personalization.

But "later" isn't "now." And the data collection starts August 3.

What Actually Changes on August 3

The Fingerprinting Reversal Nobody Forgets

Let's talk about the elephant in the room: Google used to think this was wrong.

In 2019, its own engineering leadership published a clear statement that fingerprinting was harmful because users couldn't opt out the way they could with cookies. That wasn't a half-measure. That was a principled stance backed by the company that built Chrome.

Then December 2024 came, and Google dropped its fingerprinting ban for advertisers. The ICO responded within twenty-four hours, calling the reversal "irresponsible." That's not diplomatic language. That's a regulator drawing a line.

The timing of Google's current announcement makes this even more awkward. On May 18, 2026 — just two weeks before this advertiser notification — the ICO published advice to the UK government on changing consent rules for online advertising.

The ICO's preferred approach would allow some advertising without consent only when it's based on the context being viewed, not a person's activity over time. IP-based personalization across surfaces sits squarely on the consent-required side of that line.

The ICO has stressed that nothing has changed yet and existing rules still apply. But Google's rollout is clearly moving in the opposite direction of what regulators want to see.

Compliance Burden Shifts to Advertisers

Here's where this gets personal for security and compliance teams.

Google's customer email pushes the compliance burden directly onto advertisers. The message is clear: you remain bound by Google's EU User Consent Policy, and you must obtain valid consent from users in the affected regions. The company isn't taking responsibility for your compliance posture.

This matters because most advertisers don't have the same visibility into user consent that Google has. If you're running ads across Google's properties and you haven't built robust consent management for the EEA, UK, and Switzerland, you're now exposed.

The practical implications are significant:

  • Consent management platforms need to handle IP-based identification as a distinct purpose
  • Privacy policies must be updated to reflect the new data use
  • User consent flows need to capture permission for device identification via IP
  • Audit trails must demonstrate valid consent was obtained before ads run

For organizations using Microsoft 365 or other enterprise platforms, this also intersects with broader data governance questions. If your ad tech stack pulls user data through 365-connected services, you need to verify that consent flows are consistent across all touchpoints.

The cloud security incident response playbook angle here is worth noting: when consent is missing, you're not just in a compliance violation. You're exposed to regulatory action, user complaints, and potential data subject access requests that could surface the gap quickly.

What Users Can Actually Do Right Now

The user-facing choice over IP-based personalization won't arrive until later in Google's rollout. Until then, the controls are familiar:

Decline non-essential cookies and consent prompts when they appear. Review your ad personalization settings under your Google account at myadcenter.google.com.

But let's be honest: these controls are fragmented and incomplete. The ICO's May advice would keep consent mandatory for cross-service profiling, but Google's rollout is moving forward regardless. Whether that squares with regulatory expectations is the question nobody's answering clearly.

For security teams, this creates a monitoring challenge. You can't just rely on cookie consent mechanisms anymore. IP-based identification operates at a different layer, and most consent management platforms weren't built to handle it.

The bottom line: if you're advertising in Europe, start auditing your consent flows now. August 3 is closer than it feels.

More blogs