In this Tech Insight, we look at Google’s controversial decision to allow advertisers to use device fingerprinting, exploring what the technology involves, why it has sparked concern, and what it means for users, businesses, and regulators.
A Policy Reversal
In February 2025, Google quietly updated its advertising platform rules, allowing companies that use its services to deploy a tracking method known as ‘device fingerprinting’. The change came with little fanfare but has quickly become one of the most debated privacy developments of the year.
Until now, fingerprinting was explicitly prohibited under Google’s policies. The company had long argued it undermined user control and transparency. In a 2019 blog post, Google described it as a technique that “subverts user choice and is wrong”. But five years later, the same practice is being positioned as a legitimate tool for reaching audiences on platforms where cookies no longer work effectively.
According to Google, the decision reflects changes in how people use the internet. For example, with more users accessing content via smart TVs, consoles and streaming devices, environments where cookies and consent banners are limited or irrelevant, fingerprinting offers advertisers a new way to track and measure campaign effectiveness. The company says it is also investing in “privacy-enhancing technologies” that reduce risks while still allowing ads to be targeted and measured.
However, the reaction from regulators, privacy campaigners and some in the tech community has been far from supportive.
What Is Fingerprinting?
Fingerprinting is a method of identifying users based on the technical details of their device and browsing setup. Unlike cookies, which store data on a user’s device, fingerprinting collects data that’s already being transmitted as part of normal web use.
This includes information such as:
– Browser version and type.
– Operating system and installed fonts.
– Screen size and resolution.
– Language settings and time zone.
– Battery level and available plugins.
– IP address and network information.
Individually, none of these data points reveals much but, when combined, they can create a unique “fingerprint” that allows advertisers or third parties to recognise a user each time they go online, often without them knowing, and without a way to opt out.
Also, because it happens passively in the background, fingerprinting is hard to block. Even clearing cookies or browsing in private mode won’t prevent it. For privacy advocates, that’s a key part of the problem.
How Fingerprinting’s Being Used
With third-party cookies disappearing and users browsing through everything from laptops to smart TVs, fingerprinting essentially offers a way for advertisers to maintain continuity, even when cookies and consent banners can’t keep up.
Advertisers use it to build persistent profiles that help with targeting, measurement, and fraud detection. In technical terms, it’s a highly efficient way to link impressions and conversions without relying on traditional identifiers.
Why Critics Are Alarmed
Almost immediately after Google’s announcement, a wave of criticism followed. For example, the UK’s independent data protection regulator, the Information Commissioner’s Office (ICO), called the move “irresponsible” and said it risks undermining the principle of informed consent.
In a December blog post, Stephen Almond, Executive Director of Regulatory Risk at the ICO, warned: “Fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected.”
The ICO has published draft guidance explaining that fingerprinting, like cookies, must comply with existing UK data laws. These include the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). That means advertisers need to demonstrate transparency, secure user consent where required, and ensure users understand how their data is being processed.
The problem, critics say, is that fingerprinting makes this nearly impossible. The Electronic Frontier Foundation’s Lena Cohen described it as a “workaround to offering and honouring informed choice”. Mozilla’s Martin Thomson went further, saying: “By allowing fingerprinting, Google has given itself — and the advertising industry it dominates — permission to use a form of tracking that people can’t do much to stop.”
Google’s Justification
Google insists that fingerprinting is already widely used across the industry and that its updated policy simply reflects this reality. The company has argued that IP addresses and device signals are essential for preventing fraud, measuring ad performance, and reaching users on platforms where traditional tracking methods fall short.
In a statement, a Google spokesperson said: “We continue to give users choice whether to receive personalised ads, and will work across the industry to encourage responsible data use.”
Criticism From Privacy Campaigners
However, privacy campaigners argue that the decision puts business interests above users. They point out that fingerprinting isn’t just harder to detect, but it’s also harder to control. For example, unlike cookies, there’s no pop-up, no ‘accept’ or ‘reject’ button, and no straightforward way for users to opt out.
Pete Wallace, from advertising technology company GumGum, said the change represents a backwards step: “Fingerprinting feels like it’s taking a much more business-centric approach to the use of consumer data rather than a consumer-centric approach.”
Advertisers Welcome the Change
Unsurprisingly perhaps, within the advertising industry, many welcomed Google’s decision because as the usefulness of cookies declines, brands are looking for alternative ways to reach users, especially across multiple devices.
For example, Jon Halvorson, Global VP at Mondelez International, said: “This update opens up more opportunities for the ecosystem in a fragmented and growing space while respecting user privacy.”
Trade bodies such as the IAB Tech Lab and Network Advertising Initiative echoed the sentiment, saying the update enables responsible targeting and better cross-device measurement.
That said, even among advertisers, there’s an awareness that the use of fingerprinting must be handled carefully. Some fear that if it is abused or poorly implemented, it could invite regulatory action, or worse, further erode user trust in the online ad industry.
Legal Responsibilities Under UK Law
For UK companies using Google’s advertising tools, the policy change doesn’t mean fingerprinting is suddenly risk-free. While Google’s own platform rules now allow the practice, UK data protection law still applies, and it’s strict.
For example, organisations planning to use fingerprinting must ensure their tracking methods are:
– Clearly explained to users, with full transparency.
– Proportionate to their purpose, and not excessive.
– Based on freely given, informed consent where applicable.
– Open to user control, including rights to opt out or request erasure.
The ICO has warned that fingerprinting, by its very nature, makes it harder to meet these standards. The fact that it often operates behind the scenes and without user awareness means that it may not be providing the level of transparency required under the UK GDPR and PECR is a significant challenge.
Therefore, any business using fingerprinting for advertising will need to demonstrate that it is not only aware of these rules, but fully compliant with them. Regulators have already signalled their willingness to act where necessary, and given Google’s influence, this policy change is likely to come under particular scrutiny.
The Reputational Risks Are Real
It should be noted, however, that while it’s effective, fingerprinting comes with serious downsides, especially for businesses operating in sensitive or highly regulated sectors. For example, since users often don’t know it’s happening, fingerprinting can undermine trust, even when it’s being used within legal boundaries.
For industries like healthcare, finance, or public services, silent tracking could prove more damaging than the data is worth. If customers feel they’ve been tracked without consent, the backlash, whether legal, reputational or both, can be swift.
Fragmentation Across the Ecosystem
Another practical challenge is that fingerprinting isn’t supported equally across platforms. While Google has now allowed it within its ad systems, others have gone in the opposite direction.
For example, browsers like Safari, Firefox and Brave actively block or limit fingerprinting. Apple in particular has built its privacy credentials around restricting such practices. This means advertisers relying heavily on fingerprinting could see patchy results or data gaps depending on the devices or browsers their audiences are using.
Part of a Broader Toolkit
It’s worth remembering here that fingerprinting isn’t the only tool on the table. Many ad tech providers are combining it with alternatives such as :
— Contextual targeting : Showing ads based on the content you’re looking at (e.g. showing travel ads on a travel blog).
— First-party data : Information a company collects directly from you, like your purchase history or website activity — not from third parties.
— On-device processing : Data is analysed on your phone or computer, never sent to a central server.
— Federated learning : Your device trains a model (like for ad targeting or recommendations), and only anonymised updates are shared — not your personal data.
Therefore, rather than replacing cookies outright, fingerprinting may end up as just one option in a mixed strategy, and used selectively where consent is hard to obtain, or where traditional identifiers are unavailable.
What Does This Mean for Your Business?
For UK businesses, the reintroduction of fingerprinting within its advertising ecosystem may offer more stable tracking across devices and platforms, especially as third-party cookies continue to decline. However, the use of such techniques also brings legal and reputational risks that cannot be delegated to Google or any external platform.
Organisations that advertise online, whether directly or through agencies, should now assess how fingerprinting fits within their broader compliance obligations under UK data protection law. The Information Commissioner’s Office has made it clear that fingerprinting is subject to the same principles of transparency, consent, and fairness as other tracking methods. Simply using a tool because it is technically available does not make its use lawful.
Beyond legal considerations, there’s also a growing risk to customer trust. For example, if users discover that they are being tracked through methods they cannot see, manage or decline, the damage to a brand’s credibility could be significant, particularly in sectors where data sensitivity is high. For many organisations, the question may not just be whether fingerprinting can improve ad performance, but whether it aligns with the expectations of their audience and the values they wish to uphold.
This change also places pressure on advertisers, platforms, and regulators to clarify the boundaries of responsible data use. For some, fingerprinting may form part of a wider privacy-aware strategy that includes contextual targeting or consent-based identifiers. For others, it may prove too opaque or contentious to justify. Either way, businesses will need to make informed decisions, and be ready to explain them.
