Google to Use UK and EU User IP Addresses for Ad Personalization

At a glance:

• Google will begin using UK and EU user IP addresses for ad personalization starting August 3, 2026.
• The change applies to the European Economic Area (EEA), UK, and Switzerland, where IP addresses are classified as personal data under GDPR.
• Advertisers must obtain user consent for this practice, as it triggers regulatory requirements.

What's Changing

Google has long used IP addresses for routing traffic and ad delivery globally. However, the August 3, 2026, rollout marks a shift in purpose: IP addresses will now identify devices for ad measurement and personalization. This aligns with Google's participation in the IAB Europe Transparency and Consent Framework (TCF), specifically Feature 3, which categorizes IP-based device identification. While not a consent step itself, this use requires explicit user consent under UK and EU law, as IP addresses are protected personal data.

The change builds on Google's existing infrastructure. The company receives IP addresses through customer tags, SDKs, HTTP calls, and uploads. These signals are already used to combat spam and fraud. However, repurposing them for personalization in GDPR-regulated regions introduces new compliance challenges. Google emphasizes privacy-enhancing technologies (PETs) like on-device processing and secure multi-party computation to mitigate risks. Yet, critics argue this move undermines user control, especially as IP addresses can enable fingerprinting—a technique tracking devices even when cookies are cleared.

Regulatory Backlash

The UK's Information Commissioner's Office (ICO) has criticized Google's approach. In a statement, the ICO called Google's reversal of its 2019 stance against fingerprinting 'irresponsible.' This reversal occurred in December 2024, when Google lifted its prohibition on advertisers using fingerprinting techniques. The ICO's May 2026 advisory to the UK government further complicates the situation. It proposed allowing non-consent-based advertising based on contextual data rather than user profiling. Google's IP-based personalization, however, falls under the consent-required category, as it involves cross-service tracking.

Google's email to advertisers, sent June 17, 2026, shifts responsibility to them. The company reminds advertisers they must comply with its EU User Consent Policy and obtain valid user consent. This places the burden of legal compliance on third parties, a move that has drawn scrutiny from privacy advocates. The ICO's stance suggests that even if Google implements PETs, the core issue of using IP addresses for profiling remains contentious.

User Controls and Timeline

Users in the UK and EU will not have immediate options to opt out of IP-based personalization. Google plans to introduce a user-facing choice later in its rollout, though no specific date has been announced. Until then, the available controls are limited to declining non-essential cookies, managing consent prompts, and reviewing ad personalization settings via myadcenter.google.com. This delay raises questions about alignment with the ICO's May 2026 guidance, which mandates consent for cross-service profiling. Critics argue that Google's phased approach may delay meaningful user choice, potentially violating GDPR principles.

Historical Context and Industry Implications

Google's shift reflects broader tensions between ad tech innovation and privacy regulation. In 2019, Google's engineering director, Justin Schuh, condemned fingerprinting as inherently problematic, arguing it subverted user choice. The company's 2024 policy reversal marked a strategic pivot, likely driven by competitive pressures in the ad market. Competitors like Meta and Apple have faced similar regulatory challenges, but Google's scale makes its actions particularly impactful. The IAB Europe's TCF framework, while intended to standardize consent, has been criticized for allowing loopholes that prioritize business interests over privacy.

Security and Broader Concerns

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen. The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper