Google’s Fingerprinting Policy Shift Sparks Privacy Concerns

Google’s recent decision to allow device fingerprinting for advertising purposes has triggered alarm among privacy advocates, regulators, and businesses alike.

What Is Device Fingerprinting?

Device fingerprinting is a sophisticated tracking method that collects various data points from a user’s device (e.g. screen size, browser type, language settings, battery level, and time zone) to create a unique digital profile. Unlike cookies, which users can clear or block, fingerprinting operates behind the scenes, offering far fewer opportunities for user control.

When combined with IP address data, fingerprinting allows advertisers to track users across multiple platforms and devices without explicit consent. This makes it a particularly powerful tool for targeted advertising but raises serious questions about transparency and user choice.

Google’s Policy Change

Effective from 16 February 2025, Google’s new policy will allow advertisers using its platform to deploy fingerprinting techniques. This marks a stark reversal from the company’s previous stance. For example, in a 2019 blog post, Google had unequivocally stated that fingerprinting “subverts user choice and is wrong.”

Critics argue that this change in Google’s policy threatens user privacy. However, Google claims it reflects necessary adaptations to changing technology trends and shifts in user behaviour.

As more people access content through devices like smart TVs and gaming consoles, traditional data collection methods (e.g. third-party cookies) are becoming less effective. Google argues that fingerprinting will enable advertisers to reach users across a fragmented digital landscape while maintaining privacy safeguards through privacy-enhancing technologies (PETs) like on-device processing and secure multi-party computation.

Google maintains that these technologies will offer new ways for advertisers to operate on emerging platforms without compromising user privacy.

The ICO and Privacy Campaigners Respond

The UK’s Information Commissioner’s Office (ICO) has criticised the decision, calling it a “threat to user control and transparency.” According to Stephen Almond, the ICO’s Executive Director of Regulatory Risk, fingerprinting reduces users’ ability to control how their data is collected and processed. In a December 2024 blog post, Almond labelled Google’s policy shift as “irresponsible,” stating: “Fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected.”

The ICO also warned businesses that deploying fingerprinting techniques would not exempt them from adhering to the UK’s stringent data protection laws, including the requirement to obtain clear user consent and offer transparent information on data usage.

Privacy organisations have echoed these concerns. For example, the Electronic Frontier Foundation has argued that Google’s new policy highlights a shift in focus from prioritising user privacy to maximising business profits. They’ve also raised concerns about how fingerprinting could expose users’ sensitive information to data brokers and surveillance entities.

A Business-Centric Shift?

The advertising technology sector appears divided on Google’s decision. For example, Pete Wallace of GumGum, an ad tech company specialising in contextual advertising, has been quoted as describing the policy shift as a “business-centric approach to the use of consumer data.”

“Fingerprinting sits in a grey area,” Wallace said. “While it offers advertisers powerful targeting capabilities, it simultaneously erodes consumer privacy. This inconsistency is detrimental to the industry’s previous attempts to put user privacy at the forefront.”

Some businesses, however, see fingerprinting as a necessary evolution to replace third-party cookies, which are being phased out by most major browsers. As traditional tracking methods diminish, fingerprinting could become the go-to strategy for advertisers seeking to maintain high levels of ad personalisation and effectiveness.

What About Businesses, Advertisers, and the Public?

For businesses and advertisers, Google’s policy shift could offer new opportunities to refine audience targeting and improve ad performance across platforms. The ability to collect detailed user profiles without relying on cookies could be a game-changer for marketers struggling with the limitations imposed by recent privacy regulations.

However, this comes at a potential cost. Organisations using fingerprinting must still comply with data protection laws such as the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). For example, companies will need to demonstrate that they have obtained meaningful user consent and are transparent about their data practices—standards that many privacy experts believe will be difficult to meet given the covert nature of fingerprinting.

For the public, the implications are more concerning. Unlike cookies, fingerprinting is harder to detect and nearly impossible to block using conventional browser settings. This reduces individuals’ ability to manage their digital footprints, potentially exposing them to more invasive tracking by advertisers, data brokers, and even surveillance agencies.

According to the ICO’s draft guidance, businesses will need to provide clear information about fingerprinting and ensure that users can exercise their data rights, including the right to erasure. However, privacy campaigners argue that even with these measures, true user control is unlikely to be restored.

Google’s Defence

In response to the backlash, Google insists that its use of fingerprinting will adhere to strict privacy standards, leveraging PETs to anonymise data and prevent user re-identification. The company highlights its use of techniques like on-device processing to ensure that sensitive information never leaves the user’s device unless necessary.

Google claims that these measures will allow advertisers to reach their audiences effectively while safeguarding user privacy.

The tech giant also argues that fingerprinting is already widely used across the digital advertising ecosystem and that its new policy merely formalises existing practices while setting a higher bar for privacy.

Ongoing Developments and Industry Implications

As the February 2025 implementation date approaches, the debate around Google’s policy change is likely to intensify. The ICO has pledged to engage further with Google and provide updated guidance for businesses on how to lawfully implement fingerprinting techniques.

The advertising industry, privacy advocates, and regulators will, no doubt, be monitoring the effects of this shift closely, with the broader question remaining, i.e. will the industry’s drive for better ad targeting ultimately undermine the fundamental rights of internet users to control their personal information?

What Does This Mean For Your Business?

Google’s shift in policy towards enabling device fingerprinting for advertising presents a complex dilemma at the intersection of technological innovation, business interests, and individual privacy rights. While the company is defending its decision as an evolution of tracking methods, the concerns raised by regulators, privacy advocates, and sections of the advertising industry can’t be dismissed lightly.

On one hand, fingerprinting offers advertisers a powerful tool to maintain personalisation and relevance in a post-cookie world. For businesses, this represents an opportunity to sustain revenue streams, particularly as users increasingly consume content across diverse devices and platforms. Google’s assurances about deploying privacy-enhancing technologies (PETs) such as on-device processing and secure multi-party computation offer some degree of comfort that sensitive data will be handled with greater care than before.

However, these reassurances do little to address the core issue, i.e. the lack of meaningful user control. Unlike cookies, which users can manage or block, fingerprinting operates invisibly, making it nearly impossible for individuals to opt out without significant technical expertise. This shift risks undermining the principles of transparency and consent that underpin data protection laws such as the GDPR. The criticisms voiced by the ICO and privacy organisations are valid and highlight the tension between commercial interests and the fundamental rights of users to control their personal information.

The challenge ahead for regulators, therefore, will be ensuring that the use of fingerprinting remains within the bounds of legal and ethical standards. While Google’s policy formalises practices already in use, it simultaneously sets a precedent that could normalise more intrusive forms of tracking under the guise of innovation.