Google to Use IP Addresses for Ad Personalization in UK and EU Starting 2026

Google has notified advertisers that it will begin using IP addresses from users in the UK, European Economic Area (EEA), and Switzerland for ad measurement and personalization starting on or shortly after August 3, 2026. This change represents a significant shift in how location data is processed under privacy regulations that treat IP addresses as personally identifiable information. While IP addresses are routinely collected by online services to route traffic and deliver content, using them specifically for tracking and ad targeting has historically been contentious, particularly in regions with strict data protection laws. Google’s move underscores the growing reliance on alternative identifiers as third-party cookies face increasing restrictions across the digital advertising ecosystem.

The timing of this announcement coincides with heightened scrutiny from regulators, including the UK Information Commissioner’s Office (ICO), which is in the process of finalizing new consent rules for digital advertising. It also follows years of debate within the industry about the ethics and legality of using IP addresses for tracking. As recently as 2019, Google’s then-director of Chrome engineering argued that fingerprinting—using device characteristics like IP addresses to track users—was inherently problematic because it circumvented user controls such as clearing cookies. However, the company reversed its stance in late 2024, signaling a broader industry pivot toward alternative tracking methods that comply with evolving privacy laws while still enabling personalized advertising.

Why IP Addresses Are Now Central to Google’s Ad Strategy in the UK and EU

IP addresses have long been part of the internet’s infrastructure, serving as digital identifiers that help route data between devices and servers. When a user in the UK or EU visits a website or interacts with an ad, the site or ad tech provider receives their IP address, which can reveal approximate geographic location and network details. While this information has traditionally been used for routing and fraud prevention, Google is now repurposing it for ad measurement and personalization in regions where such use triggers explicit consent requirements under privacy laws like GDPR and the UK Data Protection Act.

This shift is not just technical but legal. Under GDPR, an IP address is classified as personal data because it can be linked to an individual, either directly or through additional information. Using an IP address to identify a device for advertising purposes—especially when combined with other signals—falls under the category of profiling, which requires clear user consent. Google’s decision to formalize this practice in the UK and EU reflects both the inevitability of tracking in a post-cookie world and the need to align with regional regulations that prioritize user control over data.

How Consent and the IAB Europe Framework Fit Into the Change

Google’s plan to use IP addresses for ad personalization is not happening in a regulatory vacuum. The company has registered under the IAB Europe Transparency and Consent Framework (TCF), specifically under Feature 3, which covers “identify devices based on information transmitted automatically.” This feature is designed to support tracking methods that rely on signals like IP addresses, device types, or user agents—data points that are automatically transmitted during online interactions. However, it is important to note that Feature 3 itself does not constitute consent. Instead, it enables the personalization purposes that do require consent from users.

The TCF operates on a layered consent model, where users are presented with choices about how their data is used for advertising. When an IP address is used to identify a device for personalization, that activity is tied to specific consent purposes, such as “ad personalization” or “measurement.” Users must be given clear information about what these purposes entail and the ability to opt in or out. This aligns with the principle that tracking should not occur without explicit user agreement, particularly in contexts where the data involved is considered sensitive under privacy laws.

The Technical Backbone: Privacy-Enhancing Technologies Behind the Shift

Google frames its move toward IP-based personalization as part of a broader strategy to adopt privacy-enhancing technologies (PETs). These technologies aim to balance the need for personalized advertising with the protection of user privacy. Among the PETs mentioned by Google are on-device processing, trusted execution environments (TEEs), and secure multi-party computation (SMPC). These methods allow for data to be processed in ways that minimize exposure while still enabling targeted advertising.

On-device processing, for example, involves analyzing user data directly on their device rather than sending it to a server, reducing the risk of large-scale data exposure. Trusted execution environments create isolated areas within a device’s hardware where sensitive operations can be performed securely, shielding them from potential breaches. Secure multi-party computation enables multiple parties to collaboratively analyze data without ever exposing the raw data itself. While these technologies are still evolving, they represent a forward-looking approach to advertising that could mitigate some of the privacy concerns raised by IP-based tracking.

The Broader Context: Why Google Reversed Its Stance on Fingerprinting

Google’s pivot on IP-based tracking is striking when considering its historical position. In 2019, the company’s Chrome engineering director criticized fingerprinting as a practice that “subverts user choice” because users cannot easily clear or opt out of such tracking the way they can with cookies. At the time, Google positioned fingerprinting as a workaround that undermined the transparency and control users expected from digital advertising. However, the digital advertising landscape has shifted dramatically since then. The phasing out of third-party cookies in Chrome, combined with stricter enforcement of privacy laws, has forced the industry to explore alternative methods for ad targeting and measurement.

By late 2024, Google had abandoned its opposition to fingerprinting, acknowledging that the practice was becoming an industry standard in regions where cookies were no longer viable. This reversal reflects a pragmatic response to market realities: without cookies, advertisers and platforms need new ways to deliver relevant ads and measure their effectiveness. IP addresses, despite their limitations and privacy implications, offer a readily available signal that can approximate user identity without requiring additional tracking mechanisms. For Google, this shift is not just about maintaining ad revenue but also about ensuring that its advertising ecosystem remains functional in a privacy-first world.

What This Means for Advertisers, Publishers, and Users

For advertisers, Google’s move introduces both opportunities and challenges. On the one hand, IP-based personalization could help maintain the effectiveness of ad campaigns in the UK and EU, where third-party cookies are being phased out. Advertisers may find that using IP addresses, combined with other signals, allows them to continue delivering targeted ads to users in these regions. On the other hand, the requirement for explicit user consent introduces complexity. Advertisers will need to ensure that their consent management platforms are robust and that users are clearly informed about how their data is being used. Failure to comply with consent requirements could result in regulatory action or reputational damage.

Publishers, who rely on ad revenue, will also need to adapt. Many publishers use Google’s ad tech stack, including tools like Google Ad Manager and Google Ads. As Google integrates IP-based tracking into these platforms, publishers will need to update their privacy policies and consent mechanisms to align with the new requirements. This may involve working with consent management providers to ensure that users are properly informed and that their choices are respected across all ad interactions. Publishers should also monitor how user behavior changes in response to consent prompts, as opt-out rates could impact ad performance and revenue.

For users in the UK and EU, the change means greater transparency about how their data is used for advertising. While some may appreciate the additional control over their privacy, others may find consent prompts intrusive or confusing. The effectiveness of IP-based personalization will depend on how well users understand the choices presented to them. If consent rates are low, advertisers may struggle to deliver relevant ads, leading to less effective campaigns. Conversely, if users opt in at high rates, the practice could become a de facto standard for tracking in these regions. Users should take the time to review consent notices and understand what they are agreeing to, particularly when it comes to data being used for ad targeting.

The Regulatory Landscape: How Authorities Are Responding

The timing of Google’s announcement raises questions about regulatory preparedness. The UK ICO is in the process of finalizing new consent rules for digital advertising, and the EU has long maintained strict standards under GDPR. Both jurisdictions have emphasized that tracking should not occur without clear user consent, particularly when it involves personal data like IP addresses. Google’s move to formalize IP-based tracking under the IAB Europe TCF suggests an attempt to align with these expectations, but it remains to be seen how regulators will respond to the widespread adoption of such methods.

Regulators have historically been skeptical of tracking techniques that circumvent user controls. The ICO, for example, has warned that fingerprinting can be a form of covert tracking, which is prohibited under UK data protection laws unless users are fully informed and have given their consent. Similarly, the European Data Protection Board (EDPB) has emphasized that profiling activities must be transparent and provide users with meaningful choices. Google’s decision to register under the TCF’s Feature 3 may help it demonstrate compliance, but it does not absolve the company of its responsibility to ensure that consent is freely given and informed.

What to Watch Next: Industry Trends and User Behavior

Several developments are worth monitoring as Google’s IP-based personalization rollout approaches. First, the adoption of privacy-enhancing technologies will be critical. If on-device processing and other PETs prove effective, they could reduce the privacy risks associated with IP-based tracking while still enabling personalized advertising. Advertisers and tech providers should closely track the performance of these technologies and their impact on ad effectiveness.

Second, user behavior will play a decisive role in the success of this transition. If users widely opt out of IP-based personalization, advertisers may need to explore other targeting methods, such as first-party data strategies or contextual advertising. Conversely, if consent rates are high, IP-based tracking could become a standard practice in the UK and EU, setting a precedent for other regions. Publishers and advertisers should prepare for both scenarios by diversifying their targeting approaches and ensuring they have robust consent management systems in place.

Finally, regulatory scrutiny is likely to intensify as IP-based tracking becomes more widespread. Authorities may issue guidance or enforcement actions to clarify how such methods should be used in compliance with privacy laws. Advertisers and tech companies should stay informed about these developments and be prepared to adjust their practices as needed. Proactive engagement with regulators and industry groups, such as IAB Europe, could help shape a more predictable and user-friendly framework for digital advertising in the post-cookie era.

Practical Takeaways for Businesses and Users

For businesses operating in the UK and EU, the most immediate action is to review and update consent management processes. Ensure that users are clearly informed about how their IP addresses may be used for ad personalization and provide straightforward opt-in and opt-out mechanisms. Work with legal teams to assess compliance with GDPR, the UK Data Protection Act, and other relevant regulations. Additionally, explore the use of privacy-enhancing technologies to minimize privacy risks while maintaining ad effectiveness.

Users in the UK and EU should take the time to understand the consent notices they encounter on websites and apps. Pay attention to what data is being collected and how it will be used for advertising. If you prefer not to be tracked via your IP address, look for options to opt out or adjust your privacy settings. Keep in mind that while opting out may limit the relevance of ads you see, it could also reduce the amount of personal data shared with advertisers and ad tech providers.

As the digital advertising ecosystem continues to evolve, the use of IP addresses for tracking is likely to become more common. While this shift presents challenges, it also offers an opportunity to rethink how advertising can be both effective and privacy-conscious. By staying informed and adaptable, businesses and users alike can navigate this transition with greater confidence and control.