Google has begun notifying advertisers that it will begin using IP addresses for ad targeting and personalization across the European Economic Area (EEA), the UK and Switzerland on or before 3 August 2026.
IP addresses are received by Internet services for almost every request, and the practice is common throughout the world. But doing it in the UK and EU, where IP addresses are controlled by personal data, is new.
What is changing
Google already finds these IP addresses to route traffic and deliver ads, via customer tags, SDKs, HTTP calls and uploads.
What is the intended change on 3 August: the same addresses will be used to target devices for targeting and personalizing ads, which is a use that triggers consent requirements under UK and EU law.
Google will also register under the IAB Europe Transparency and Consent Framework (TCF) Feature 3, “Identify devices based on automatically transmitted information.”
Under the hood, Feature 3 is a way to isolate a device from the data it automatically sends, including its IP address.
It is not a consent step in itself: it adheres to personalization purposes, which require user consent rather than legitimate interest.
The company is planning a change in terms of privacy-enhancing technologies, or PETs, the inclusion of on-device processing, trusted operating conditions and secure multi-party computing.
Other personalization features won’t arrive until later this year or early next year, at which point Google says it will allow users on its sites to make choices about IP-based personalization.
Why is it important
Google has used IP signals in advertising elsewhere in the world for a while to fight spam and fraud, and maintained that IP is already common throughout the ad ecosystem.
The EEA, UK and Switzerland are different, however, because an IP address is personal data under the GDPR, and using one to identify a device is a building block for fingerprinting, the practice of tracking a device when cookies are blocked or deleted.
Google itself once took that view.
In 2019, Chrome’s then-director of engineering Justin Schuh wrote that fingerprinting overrides user choice and is wrong, because users can’t delete it the way they can delete cookies.
Google rescinded that status in December 2024, easing its ban on fingerprinting advertisers.
The UK’s Information Commissioner’s Office (ICO) called the change “irresponsible” during the day.
The time is now the unpleasant part. On May 18, 2026, the ICO published advice to the UK government on changing internet advertising consent rules.
Its preferred approach would allow certain advertising without consent only when it is based on the content viewed, not a person’s activity over time, and would keep consent mandatory for tracking people’s profiles across all services.
IP-based personalization in all environments sits on the permission-required side of that line.
The ICO stressed that nothing has changed yet and the existing rules still apply.
Google’s customer email pushes the onus of compliance onto advertisers, reminding them that they remain bound by the EU User Consent Policy and must obtain valid consent from users in affected regions.
What users can do
User-facing choices over IP-based personalization won’t come until later in Google’s rollout.
Until then, the controls available are the usual ones: rejecting non-essential cookies and consent instructions, and reviewing the ad personalization settings under your Google account at myadcenter.google.com.
Whether that is consistent with May’s ICO advice, which would keep consent mandatory for identifying profiles for various jobs, is a question raised by Google’s release now.
Security teams penetrate 54% of successful attacks and monitor 14%. Some walk around the area without being seen.
The Picus white paper shows how breaches and attack simulations evaluate your SIEM and EDR rules so that threats stop slipping through detection.
Get a white paper
