Google’s policy shift raises key questions about data, targeting, and trust.
In late December, Google made an announcement that took many by surprise. The company will allow advertisers to target audiences using their IP addresses starting next month. This isn’t an insignificant move, and many wonder what it means for the industry. Is it a step towards balancing privacy with advertising effectiveness? Or is it a slippery slope towards invasive tracking?
The Drivers Behind Google’s Announcement
In its announcement, Google cited two reasons to justify its policy switch, beginning with the advances in privacy-enhancing technologies (PETs), including on-device processing, trusted execution environments, and secure multi-party computation. The goal of these tech approaches is to process data more securely, often on the user’s device, and when data is shared, advertisers still protect individual privacy.
The other justification is CTV. In its announcement, Google stated, “Businesses who advertise on CTV need the ability to connect with relevant audiences and understand the effectiveness of their campaigns.”
A third justification we can infer is that Google doesn’t want to fall behind competitors already offering fingerprinting. Anyone who has looked at a website and seen an ad for that brand on Facebook can attest that brands and platforms actively deploy this tactic. With third-party cookies more or less deprecated, Google must be concerned that its advertising clients will jump ship, and it is offering this as a way to keep them.
Many, including the UK’s Information Commissioner’s Office (ICO), are unhappy with Google’s policy shift. In a December blog post, Stephen Almond, the ICO’s executive director of regulatory risk, called it irresponsible. He wrote, “Google itself has previously said that fingerprinting does not meet users’ expectations for privacy, as users cannot easily consent to it as they would cookies. This, in turn, means they cannot control how their information is collected.”
Google addresses this consent concern slightly by updating its policies to require brands to disclose when they use fingerprinting. Although the ICO is correct, there is little users can do about it.
Is Fingerprinting Tracking by Another Name?
Fingerprinting tracks users across platforms by combining device data points — screen settings, browser details, OS info, and IP address — to create a unique identifier that persists even when users opt to block cookies in their browsers.
Fingerprinting isn’t inherently illegal, and collecting non-PII data points, such as browser type, is pretty routine. That said, privacy advocates get nervous when players collect data, including IP addresses, to create probabilistic identifiers for tracking purposes, mainly as consumers cannot prevent it or opt out.
The Age-Old Question: Is an IP Address PII?
Central to the unease is an age-old question: Can an IP address uniquely identify a consumer? GDPR explicitly lists IP addresses as personal data, as do the EU’s Data Protection Directive and the Article 29 Working Party. In the U.S., courts have generally been reluctant to classify IP addresses independently as PII. A 2009 federal district court ruling in Johnson v. Microsoft Corp stated that an IP address identifies a computer, not a person. However, some U.S. agencies have taken a different approach. In 2013, the Federal Trade Commission revised its Children’s Online Privacy Protection Act Rule to include IP addresses as personal information in certain contexts.
However, times have changed, and one can easily make the case that IP addresses don’t reliably connect to individual consumers. For instance, 68% of American adults use VPNs for both personal and professional purposes. VPNs mask their true IP addresses and replace them with those of the VPN servers, making it impossible to identify a VPN user.
Residential IP proxy networks provide access to IP addresses from real residential devices, often rotating them frequently. This means multiple users worldwide could use a single IP address in a short timeframe, once again making it very difficult to tie them to specific consumers.
Many people access the internet via a mobile device, and their IP addresses may change with every session. This is because many mobile carriers use dynamic IP addressing, which assigns IP addresses temporarily from a pool and can change every time a user reconnects to the network. Many ISPs also use dynamic IP allocation, meaning home users may be assigned new IP addresses regularly.
IP Addresses in Advertising
While IP addresses may not, in reality, be that helpful in identifying individual consumers, they are useful to advertisers in many ways. For instance, IP addresses help determine a user’s location (they have a 50% – 75% accuracy rate in predicting a user’s city). Knowing a consumer’s geolocation ensures that the right user sees the right ad content. In some cases, such as in ad campaigns for online gambling, they must know the location to comply with the online gambling laws of the consumers’ jurisdictions.
And as Google noted, CTV is a critical channel for advertisers, and IP addresses can help them measure the impact of their campaigns in this highly fragmented environment.
Finding the Balance Won’t Be Easy
The reality is that IP targeting exists in a gray area — it’s probably not the privacy threat some fear, nor is it the precise targeting tool marketers might wish for.
In today’s world of VPNs and dynamic IPs, these addresses offer legitimate business value for geolocation and CTV measurement while posing less individual privacy risk than commonly assumed. The challenge ahead isn’t whether to use IP targeting but how to implement it responsibly and in ways that maintain consumer trust. After all, GDPR, CCPA, and other consumer data privacy regulations directly result from consumer blowback against relentless tracking. It’s easy to see how an overuse of fingerprinting will lead to more regulations.