Google allows advertisers to fingerprint you for even better tracking

Google has announced a change to its advertising policies that will allow advertisers to use digital fingerprinting starting February 16, 2025.

Why it is important: digital fingerprinting uses signals, like the IP address, location, language, used software, or operating system, to identify devices and users on the Internet.

Numerous digital fingerprinting techniques exist, some even capable of cross-browser fingerprinting.

Tip: you can test your browser’s anti-fingerprinting protections, or lack therefor, on the EFF’s Cover Your Tracks webpage.

This tracking technique works well with other methods, but may also stand on its own. It offers several advantages over cookies, but only to the trackers:

Information may be collected without user consent or the user even knowing that it is collected.
The data is stored remotely, not on the user’s device.
Unlike cookies, which can be deleted easily at any time, digital fingerprint data cannot.

Google announced the change on its Google Marketing Platform Help support website. According to Google, the updated policies “clarify the activities that we prohibit to better protect the ads ecosystem from harmful activities, while being less prescriptive with partners in how they target and measure ads”.

The UK’s Information Commissioner’s Office was one of the first to react to Google’s announcement stating that “businesses do not have free rein to use fingerprinting as they please”.

It highlighted that Google was against fingerprinting of users in 2019 stating back then that it subverted user choice and that it was wrong.

What changed? Google’s stance is that two advertising ecosystem shifts have happened in recent time.

Advances in privacy-enhancing technologies.
Rise of ad-supported devices and platforms.

Privacy-enhancing technologies, short PETs, include on-device processing, trusted execution environments, or secure multi-party computation. Google says that advancements “are unlocking new ways for brands to manage and activate their data safely and securely”.

The big policy shift is only hinted at in the main support article. A single sentence in the middle of the text provides it: “The policy also updates the requirements for our partners on the use of data signals.”.

The updated policy itself is not linked on that page. You can open it here.

When you compare the current policy to the new, you will notice several changes. For users, an important change is listed under “Identifying users and user consent”.

Previously, Google did not allow advertisers to pass any information to it that

Google could use or recognize as personally-identifiable information.
permanently identifies a particular device (such as a mobile phone’s unique device identifier if such an identifier cannot be reset).

The second rule has been removed in the new policy. In other words, advertisers may identify users based on the devices that they use and may pass the information to Google for tracking purposes.

What can you do about it?

Content blockers work against many forms of fingerprinting as well.
Some browsers, for example Brave and Firefox, come with fingerprinting defenses that make it harder for companies to track you using fingerprints.

Now it is your turn. Do you use protections against fingerprinting in your browsers, apps and devices? Are you worried about the policy change? Feel free to leave a comment down below.

Summary