Google told advertisers June 17 it plans to use IP addresses from users in the European Economic Area, UK and Switzerland for ad measurement and personalization starting on or soon after Aug. 3, 2026.

Google expands IP use
Google receives IP addresses through ad requests, customer tags, software development kits, HTTP calls and data uploads. Web services need those addresses to route traffic, serve pages and deliver ads. The new step changes the purpose: Google plans to use the same network signal to identify devices for ad measurement and personalized ads.
That distinction matters in Europe. Under EU and UK privacy law, advertisers and publishers must treat an IP address as personal data when they can connect it to a person, household or device. Google’s move places IP-derived identifiers inside the consent system that governs ad personalization.
Google’s EU User Consent Policy already tells advertisers and publishers to get valid consent for personalized ads in the EEA, UK and Switzerland. The company’s June 17 notice reminds customers that they carry that compliance duty.
Consent burden shifts to advertisers
Google will register under IAB Europe’s Transparency and Consent Framework for Feature 3, the TCF category that covers device identification from request metadata such as IP addresses and browser information.
IAB Europe says vendors can use Feature 3 to create an identifier from data a device sends during internet access, including an IP address and user-agent string. The TCF treats Feature 3 as a disclosure category. The ad personalization and measurement purposes that rely on it still need a valid legal basis, and personalized advertising in this context requires consent.
That puts publishers, app developers, ad tech vendors and brands in a familiar bind. They need consent messages that explain the IP-based device identification in plain terms. They need consent records that reflect the user’s choice. They need tag setups that prevent Google from receiving personalization signals before the user agrees.
Teams that use Google Ads, Google Analytics, Campaign Manager, Display & Video 360, Search Ads 360, Ad Manager or AdSense should review their consent management platform settings before Aug. 3. Mobile teams should include SDK traffic in that review, since app ad requests carry the same type of network and device metadata.
Google points to privacy technology
Google framed the change around privacy-enhancing technologies, including on-device processing, trusted execution environments and secure multi-party computation.
Those tools can reduce raw data sharing, depending on implementation. With on-device processing, the user’s phone or browser computes some signals before sending a result. With a trusted execution environment, a cloud service runs code inside a hardware-protected area that limits operator access. With secure multi-party computation, companies compute an advertising or measurement result from separate inputs without one company seeing the full dataset.
Those controls do not erase the consent question. If Google or an advertiser uses an IP-derived identifier to measure ads or personalize ads across services, the user still needs a clear choice under the rules Google cites.
Google says some personalization features tied to IP addresses will arrive later this year or early next year. The company said users on Google properties will get a choice about IP-based personalization at that point.
Regulators have warned on fingerprinting
The UK Information Commissioner’s Office criticized Google in December 2024 after the company changed its ads policy to permit fingerprinting in more cases. The regulator told advertisers that fingerprinting can reduce user control because users cannot clear it the way they clear cookies.
Google once made the same point. In 2019, Justin Schuh, then Chrome engineering director, wrote that fingerprinting subverts user choice because users cannot clear their fingerprint. Google reversed course in December 2024 and said advertisers could use IP addresses and other device signals in certain environments, including connected TV.
The new rollout brings that policy shift into regions with stricter consent rules. The ICO advised the UK government May 18, 2026, that some contextual advertising could proceed without consent, but tracking that profiles people across services should keep a consent requirement. IP-based personalization across Google and partner surfaces falls on the side that demands user choice.
Users have limited controls for now
Users can decline nonessential cookies and reject ad personalization prompts on websites and apps that ask for consent. Google account holders can review ad settings in My Ad Center, which controls personalized ads across Google services.
Those controls do not give users the full IP-specific choice Google described for its later rollout. Until Google ships that choice, users in the EEA, UK and Switzerland depend on site and app consent prompts, browser privacy settings, VPNs and Google account ad controls.
A VPN can mask the user’s network address from a website or ad service, but it does not stop all device identification. Browser type, app identifiers, account sign-ins and interaction data can still help ad systems recognize a device or profile. Users who want less tracking should pair IP masking with cookie rejection, limited app permissions and signed-out browsing where practical.

Privacy teams should audit tags now
Security and privacy teams should treat Aug. 3 as a consent enforcement deadline, not a product launch date to watch from the side. The work starts with data mapping.
List the Google tags, SDKs and server-side integrations that collect IP addresses from users in the EEA, UK and Switzerland. Confirm which integrations support consent mode or a TCF signal. Test whether tags fire before consent. Check whether server-side uploads include IP addresses or other device metadata that could support identification.
Legal and product teams should update consent language to mention device identification from network and browser data. Engineering teams should verify that denied consent blocks ad personalization and measurement features that require consent. Marketing teams should prepare for measurement changes if more users reject tracking.
Google’s notice gives advertisers less than seven weeks between June 17 and Aug. 3. Teams with complex tag managers, consent management platforms and mobile SDKs should start with the paths that touch personalized ads, retargeting, conversion measurement and audience building. Those paths carry the greatest consent risk under Google’s own policy and the IAB framework.
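One way to run the "tags fire before consent" test is to record a page load as a HAR file, note when the consent banner was answered, and classify every Google request sent before that moment. The sketch below is an added example, not Google or IAB tooling; the host list, the sample HAR and the consent timestamp are constructed assumptions, and it reads the consent mode `gcs` URL parameter (`G1` followed by the ad_storage and analytics_storage flags).

```python
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Assumed, non-exhaustive list of Google tag and ad hosts to audit.
GOOGLE_HOSTS = ("googletagmanager.com", "google-analytics.com", "doubleclick.net",
                "googlesyndication.com", "googleadservices.com")

# Constructed sample: four Google requests and one unrelated request.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2026-08-03T10:00:00.100Z",
     "request": {"url": "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"}},
    {"startedDateTime": "2026-08-03T10:00:00.400Z",
     "request": {"url": "https://www.google-analytics.com/g/collect?v=2&gcs=G100"}},
    {"startedDateTime": "2026-08-03T10:00:00.900Z",
     "request": {"url": "https://ad.doubleclick.net/activity?gcs=G111"}},
    {"startedDateTime": "2026-08-03T10:00:05.000Z",
     "request": {"url": "https://ad.doubleclick.net/activity?gcs=G111"}},
    {"startedDateTime": "2026-08-03T10:00:00.200Z",
     "request": {"url": "https://cdn.example.com/app.js"}},
]}}
CONSENT_AT = "2026-08-03T10:00:03.000Z"  # constructed time of the banner click

def _ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_har(har, consent_at):
    """Return (host, path, verdict) for Google requests sent before consent."""
    cutoff = _ts(consent_at)
    findings = []
    for entry in har["log"]["entries"]:
        url = urlparse(entry["request"]["url"])
        host = url.hostname or ""
        if not any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS):
            continue
        if _ts(entry["startedDateTime"]) >= cutoff:
            continue  # sent after the user chose; out of scope for this check
        gcs = parse_qs(url.query).get("gcs", [None])[0]
        if gcs is None:
            verdict = "no-consent-signal"    # request carries no consent state
        elif len(gcs) == 4 and gcs[2] == "1":
            verdict = "ad-storage-granted"   # ad consent asserted before the click
        elif len(gcs) == 4 and gcs[2] == "0":
            verdict = "denied-ping"          # consent mode ping with ads denied
        else:
            verdict = "unknown-signal"       # e.g. consent marked as not required
        findings.append((host, url.path, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR, CONSENT_AT):
        print(finding)
```

Each finding is a prompt for review rather than an automatic violation: a pre-consent request marked `ad-storage-granted` is the case that most directly contradicts a denied or unanswered banner.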
