Google has begun notifying advertisers that it will start using IP addresses for ad measurement and personalization across the European Economic Area (EEA), the UK and Switzerland on or shortly after August 3, 2026.
IP addresses are received by online services on nearly every request, and the practice is routine across much of the world. But doing it in the UK and EU, where an IP address is regulated personal data, is new.
What’s changing
Google already receives these IP addresses to route traffic and deliver ads, through customer tags, SDKs, HTTP calls and uploads.
What changes on August 3 is the purpose: the same addresses will be used to identify devices for measurement and ad personalization, which is the use that triggers consent requirements under UK and EU law.
Google will also register under the IAB Europe Transparency and Consent Framework (TCF) for Feature 3, “Identify devices based on information transmitted automatically.”
Under the framework, Feature 3 is the method for distinguishing a device from the data it sends automatically, including the IP address.
It is not a consent step in itself: it attaches to the personalization purposes, which require user consent rather than legitimate interest.
The company frames the change around privacy-enhancing technologies, or PETs, listing on-device processing, trusted execution environments and secure multi-party computation.
Some personalization features will not arrive until later this year or early next, at which point Google says it will let users on its own properties make a choice about IP-based personalization.
Why it matters
Google has used IP signals in advertising elsewhere in the world for a while to fight spam and fraud, and maintained that IP is already common across the ads ecosystem.
The EEA, the UK and Switzerland are different, however, because an IP address is personal data under GDPR, and using one to identify a device is a building block of fingerprinting, the practice of tracking a device when cookies are blocked or cleared.
Google itself once took that view.
In 2019, its then Chrome engineering director Justin Schuh wrote that fingerprinting subverts user choice and is wrong, because users cannot clear it the way they can clear cookies.
Google reversed that stance in December 2024, dropping its prohibition on fingerprinting for advertisers.
The UK’s Information Commissioner’s Office (ICO) called the reversal “irresponsible” within a day.
The timing now is the awkward part. On May 18, 2026, the ICO published advice to the UK government on changing the consent rules for online advertising.
Its preferred approach would allow some advertising without consent only where it is based on the context being viewed, not a person’s activity over time, and would keep consent mandatory for tracking that profiles people across services.
IP-based personalization across surfaces sits on the consent-required side of that line.
The ICO has stressed that nothing has changed yet and existing rules still apply.
Google’s customer email pushes the compliance burden onto advertisers, reminding them they remain bound by its EU User Consent Policy and must obtain valid consent from users in the affected regions.
What users can do
The user-facing choice over IP-based personalization will not arrive until later in Google’s rollout.
Until then, the available controls are the familiar ones: declining non-essential cookies and consent prompts, and reviewing the ad personalization settings under your Google account at myadcenter.google.com.
Whether that squares with the ICO’s May advice, which would keep consent mandatory for cross-service profiling, is the question Google’s rollout now raises.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper
