Google fingerprinting: Dodging privacy to enable ads?

Google first postponed its plan to phase out third-party cookies, delayed the deprecation again for 2025, and finally cancelled plans altogether in July 2024. However, other browsers have stuck to their privacy guns and have already deprecated third party cookies.

Through that journey, marketers have been facing uncertainty about the future of third-party cookies and scrambling for solutions to the problem of delivering customized online ads in the post-cookie world.

One technique that has evolved for obtaining online behavior data without relying on cookies is browser fingerprinting.

What is fingerprinting?

Browser fingerprinting is a “set of tools and techniques that can capture data through a web user’s browsing activity. Browser fingerprinting gathers information related to a user’s operating system, browser type, screen resolution, time zone, keyboard layout, and more.” Fingerprinting uses this information to create a unique ID – a fingerprint – for each user. It is also possible to use similar techniques to fingerprint devices, and even to connect identities across devices.

The way browser fingerprinting works is to gather together information about browser type/version, IP address, time zone, and other factors to the point that the combination of facts are unique enough to definitively identify a user – not by name, perhaps, but certainly as a unique individual against which a company can build a robust profile.

While none of the data points are unique to the browser in question, the possibility of two individuals with the exact same combination of data points is unlikely. In fact, the Electronic Frontier Foundation (EFF) published a study in 2010 that showed how browser fingerprinting can, indeed, uniquely identify most users. The fingerprint remains consistent across website visits and so becomes a way to persistently identify a web visitor. This allows a business to build profiles and use these profiles, including online behaviors associated with each unique identity, to hyper-personalize its online experiences and ads without third-party cookies.

What’s the privacy problem with fingerprinting?

The privacy problem with browser fingerprinting is that fingerprinting usually occurs invisibly to the web visitor, and with no choice. Most consumers are accustomed to seeing cookie banners offering either an opt-in or opt-out choice for cookies. There are also some browser-supported universal choices for third-party cookies, eliminating the requirement for users to make cookie choices on a website-by-website basis.

For example, the Global Privacy Control, or GPC, is a standard through which a user can express their privacy preferences once in a browser, and the browser communicates those preferences to each website the user visit. Fingerprinting, on the other hand, occurs without similar user transparency and control. The user typically does not have any idea that the tracking is occurring, and they have no way to say no.

Regulators and privacy advocates have long warned the marketplace of the privacy dangers of fingerprinting techniques. For example, in 2015 the World Wide Web Consortium (W3C) came out strongly against fingerprinting, calling it a “blatant violation of the human right to privacy.”

There is also some discussion about whether fingerprinting as it exists today meets compliance standards with laws like the GDPR, which require a sound legal basis and transparency about data collection and uses. The EFF has argued that fingerprinting may violate the GDPR and the ePrivacy Directive. In one white paper on the subject, the EFF points to Article 20 Working Party analysis that arrives at a decision that device fingerprinting is covered by the ePrivacy Directive and so requires consent. Even though that guidance specifically refers to device fingerprinting, the EFF proposes that the same logic applies to browser fingerprinting.

Even large players in the browser space have responded to privacy criticisms of fingerprinting by taking measures to combat fingerprinting-based tracking. Apple’s Safari has masked IP address from known trackers since 2021, for example. Given that IP address is a common data point that ad tech companies use for fingerprinting, this Apple action is at least a partial measure to combat fingerprinting for ad-related tracking. Mozilla also has taken measures to prevent tracking. Example. Even Google, a company that relies on monetization of online behavior, announced in late 2023 its measures to mask IP addresses in an attempt to mitigate privacy concerns related to device fingerprinting.

Google’s move towards fingerprinting in 2025

However, recent events show the love-hate relationship that Google has with tracking, privacy concerns, and fingerprinting. Closely following its announcement that it will abandon third-party cookie deprecation altogether, Google announced in December 2024 that it will loosen limitations on fingerprinting. Though Google cites the evolution of Privacy Enhancing Technologies (PETs) as a set of safeguards that tip the balance in favor of privacy while allowing more flexibility for online advertisers, not everyone agrees.

The United Kingdom’s (UK’s) data protection authority, the Information Commissioner’s Office (ICO), almost immediately followed Google’s December announcement with a statement of its own, pointing out Google’s own 2019 position that fingerprinting “subverts user choice and is wrong” and the fact that Google’s relaxation of fingerprinting restrictions represents a “U-turn.”

The ICO goes on to call Google’s decision irresponsible and talks to future guidance related to existing privacy law as applied to fingerprinting techniques. Specifically, the ICO statement challenges advertising companies to “demonstrate how they are complying with the requirements of data protection law. These include providing users with transparency, securing freely-given consent, ensuring fair processing and upholding information rights such as the right to erasure.”

The privacy controversy over Google’s recent decision to allow for browser fingerprinting is not the first time that Google has faced privacy fire. However, taken in context of Google’s step back from third-party cookie deprecation and the U-turn from its initial stance on browser fingerprinting, the new Google fingerprinting stance does make privacy leaders wonder about the company’s current privacy commitment.

Especially given the company’s advertising revenue-driven business model, it may not come as a surprise that Google has a significant incentive to enable user tracking in pursuit of advertising dollars. Perhaps the next iteration of fingerprinting technologies will somehow allow for increased notice, consent, and general consumer understanding. Until then, browser (and device) fingerprinting practices remain an area of privacy ethics and compliance concern, and Google’s recent decision only provides an additional tracking mechanism without commensurate privacy controls.