Google has begun notifying advertisers that it will start using IP addresses for ad measurement and personalization across the European Economic Area (EEA), the UK and Switzerland on or shortly after August 3, 2026.
Online services receive an IP address with nearly every request, and using them in advertising is routine across much of the world. But doing so in the UK and EU, where an IP address is regulated personal data, is new.
What's changing
Google already receives these IP addresses to route traffic and deliver ads, through customer tags, SDKs, HTTP calls and uploads.
What changes on August 3 is the purpose: the same addresses will be used to identify devices for measurement and ad personalization, which is the use that triggers consent requirements under UK and EU law.
Google will also register under the IAB Europe Transparency and Consent Framework (TCF) for Feature 3, "Identify devices based on information transmitted automatically."
Under the framework, Feature 3 is the method for distinguishing a device from the data it sends automatically, including the IP address.
It is not a consent step in itself: it attaches to the personalization purposes, which require user consent rather than legitimate interest.
Google's email notification sent June 17, 2026 to advertisers (BleepingComputer)
The company frames the change around privacy-enhancing technologies, or PETs, listing on-device processing, trusted execution environments and secure multi-party computation.
Some personalization features will not arrive until later this year or early next, at which point Google says it will let users on its own properties make a choice about IP-based personalization.
Why it matters
Google has used IP signals in advertising elsewhere in the world for a while to fight spam and fraud, and has maintained that the use of IP addresses is already common across the ads ecosystem.
The EEA, the UK and Switzerland are different, however, because an IP address is personal data under GDPR, and using one to identify a device is a building block of fingerprinting, the practice of tracking a device when cookies are blocked or cleared.
Google itself once took that view.
In 2019, its then Chrome engineering director Justin Schuh wrote that fingerprinting subverts user choice and is wrong, because users cannot clear it the way they can clear cookies.
Google reversed that stance in December 2024, dropping its prohibition on fingerprinting for advertisers.
The UK's Information Commissioner's Office (ICO) called the reversal "irresponsible" within a day.
The timing now is the awkward part. On May 18, 2026, the ICO published advice to the UK government on changing the consent rules for online advertising.
Its preferred approach would allow some advertising without consent only where it is based on the context being viewed, not a person's activity over time, and would keep consent mandatory for tracking that profiles people across services.
IP-based personalization across surfaces sits on the consent-required side of that line.
The ICO has stressed that nothing has changed yet and existing rules still apply.
Google's customer email pushes the compliance burden onto advertisers, reminding them they remain bound by its EU User Consent Policy and must obtain valid consent from users in the affected regions.
What users can do
The user-facing choice over IP-based personalization will not arrive until later in Google's rollout.
Until then, the available controls are the familiar ones: declining non-essential cookies and consent prompts, and reviewing the ad personalization settings under your Google account at myadcenter.google.com.
Whether that squares with the ICO's May advice, which would keep consent mandatory for cross-service profiling, is the question Google's rollout now raises.
Ax Sharma is a security researcher and journalist focused on malware analyses and cybercrime investigations. His expertise includes open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5 (UK), Fortune and WIRED, among others, Ax is an active community member of the OWASP Foundation and the Canadian Association of Journalists (CAJ).
Comments
h64y93zf - 2 minutes ago
Wow, thanks Google. Really appreciate you leaking our IP addresses to advertisers after dropping your own ban on fingerprinting. Opt-out later, right? You already have the data anyway, so why not start using it now.
And this is exactly why we can't trust these companies with children's biometric data. If Google can't resist monetizing and exploiting whatever data they get their hands on, why would they suddenly develop ethics when it comes to kids' photos and government IDs? Don't hand over children's biometric data to companies that have already shown they'll flip their own safety policies the moment it's profitable.
Source: Bleeping Computer