Google has announced a significant change to its advertising data practices: beginning August 3, 2026, the company will use IP addresses from users in the United Kingdom, European Economic Area (EEA), and Switzerland for ad measurement and personalization. The policy change is drawing regulatory attention and raising questions about consent, given that Google itself once characterized IP-based device identification as a problematic tracking practice.
What Is Changing
Under the new policy, Google's advertising systems will incorporate IP address signals from users located in:
- United Kingdom (operating under UK GDPR post-Brexit)
- European Economic Area — the 27 EU member states plus Norway, Iceland, and Liechtenstein
- Switzerland — operating under the Federal Act on Data Protection (FADP)
These regions collectively represent some of the world's strongest data protection regimes. The EEA falls under the General Data Protection Regulation (GDPR), which classifies IP addresses as personal data when they can be used to identify individuals. UK GDPR carries equivalent provisions. Switzerland's revised FADP aligns closely with GDPR standards.
IP addresses will be used for ad measurement (attributing conversions to ad exposures) and personalization (serving ads based on inferred interests and demographic signals derived from location and browsing behavior).
The Reversal of Google's Earlier Position
The policy change is particularly notable given Google's own prior statements on IP-based tracking. Google had previously described using IP addresses to identify specific devices as "wrong" — language that reportedly appeared in internal documents and was cited in privacy research. The company has long positioned itself as moving toward more privacy-preserving advertising through initiatives like the Privacy Sandbox, which aimed to replace third-party cookies with less individually identifiable alternatives.
Critics argue the new policy contradicts that narrative. If IP addresses can be used to personalize ads — especially combined with other signals available to Google through its vast ecosystem of services — the privacy protections of the Privacy Sandbox initiative appear significantly weakened.
Regulatory Landscape
The UK's Information Commissioner's Office (ICO) is reportedly weighing new consent rules that could affect how companies like Google use passive signals such as IP addresses for advertising. The timing of Google's announcement — ahead of any new consent framework from the ICO — raises questions about whether the company is moving to establish the practice before new restrictions could limit it.
Under current GDPR and UK GDPR interpretations:
- IP addresses are personal data when an organization can use them to identify an individual
- Processing personal data for advertising requires either explicit consent (Legitimate Interest is contested for ad personalization) or a valid legal basis
- Data subjects in the EU and UK have the right to object to processing for direct marketing purposes
Google's Consent Mode framework, already widely deployed, gives publishers and advertisers tools to model conversions when users decline cookies. Whether IP-based signals fall within or outside the scope of Consent Mode will likely be a focal point for regulators.
Privacy Implications for Users
For ordinary users, the practical impact depends on how Google implements the change and what consent mechanisms are surfaced. Key considerations:
Account users vs. non-account users: Signed-in Google users already provide substantial personal data through their accounts. The IP change primarily affects the advertising layer for non-signed-in or consent-declined users — precisely the population that chose not to share data, or assumed they weren't being profiled.
VPN usage: IP addresses are easily masked with VPNs and privacy-focused browsers. The change will likely accelerate interest in IP-masking tools among privacy-conscious users in the affected regions.
Fingerprinting risk: IP addresses alone offer limited precision, but combined with browser characteristics, time zones, and behavioral signals, they contribute to fingerprinting profiles that can persistently track users across sessions without cookies.
What Users Can Do
Users in the UK and EEA who are concerned about this change can take several steps:
- Review Google's ad personalization settings via your Google Account or the Ad Settings dashboard — you can opt out of personalized ads, though IP signals for measurement may still apply
- Use a VPN to mask your real IP address from Google's ad infrastructure
- Consider privacy-focused browsers like Firefox with enhanced tracking protection, Brave, or Tor Browser for sensitive browsing
- Submit data subject rights requests under GDPR or UK GDPR if you want to understand what data Google holds about you and request deletion
The change takes effect August 3, 2026. Regulatory responses from the ICO and EU data protection authorities are expected in the weeks and months following implementation.
Source: BleepingComputer