Google fingerprinting: Dodging privacy to enable ads?
Posted: January 9, 2025
Google first postponed its plan to phase out third-party cookies, delayed the deprecation again for 2025, and finally canceled plans altogether in July 2024. However, other browsers have stuck to their privacy guns and have already deprecated third-party cookies.
Through that journey, marketers have been facing uncertainty about the future of third-party cookies and scrambling for solutions to the problem of delivering customized online ads in the post-cookie world.
One technique that has evolved to obtain online behavior data without relying on cookies is browser fingerprinting.
What is fingerprinting?
Browser fingerprinting is a “set of tools and techniques that can capture data through a web user’s browsing activity.”
Some of the types of information typically involved in fingerprinting include:
- Browser information: User agent string, installed plugins, supported fonts, language settings, and screen resolution.
- Device information: Operating system, hardware configurations, and GPU details.
- Network information: IP address, time zone, and HTTP headers.
- Behavioral data: Mouse movements, typing patterns, and interactions.
Fingerprinting uses this information to create a unique ID – a fingerprint – for each user. It is also possible to use similar techniques to fingerprint devices and even to connect identities across devices.
While none of the data points are unique to the browser in question, the possibility of two individuals with the exact same combination of data points is unlikely. In fact, the Electronic Frontier Foundation (EFF) published a study in 2010 that showed how browser fingerprinting can, indeed, uniquely identify most users. The fingerprint remains consistent across website visits and so becomes a way to persistently identify a web visitor.
This allows a business to build profiles and use these profiles, including online behaviors associated with each unique identity, to hyper-personalize its online experiences and ads without third-party cookies.
Why do companies engage in fingerprinting?
Fingerprinting is often used to:
- Track users for targeted advertising.
- Prevent ad fraud by identifying bots or duplicate impressions.
- Enable cross-device tracking by linking a user’s activity across devices.
Unlike cookies, which (to some extent) can be turned on or off via a user’s browser, people can struggle to prevent fingerprinting.
While some browsers and devices come with privacy-enhancing technologies designed to disguise the user’s unique characteristics, businesses are finding new ways to circumvent these sorts of measures.
What’s the privacy problem with fingerprinting?
The privacy problem with browser fingerprinting is that fingerprinting usually occurs invisibly to the web visitor, and with no choice. Most consumers are accustomed to seeing cookie banners offering either an opt-in or opt-out choice for cookies. There are also some browser-supported universal choices for third-party cookies, eliminating the requirement for users to make cookie choices on a website-by-website basis.
For example, the Global Privacy Control, or GPC, is a standard through which a user can express their privacy preferences once in a browser, and the browser communicates those preferences to each website the user visits. Fingerprinting, on the other hand, occurs without similar user transparency and control. The user typically does not have any idea that the tracking is occurring, and they have no way to say no.
Regulators and privacy advocates have long warned the marketplace of the privacy dangers of fingerprinting techniques. For example, in 2015 the World Wide Web Consortium (W3C) came out strongly against fingerprinting, calling it a “blatant violation of the human right to privacy.”
There is also some discussion about whether fingerprinting as it exists today meets compliance standards with laws like the GDPR, which require a sound legal basis and transparency about data collection and uses. The EFF has argued that fingerprinting may violate the GDPR and the ePrivacy Directive. In one white paper on the subject, the EFF points to Article 20 Working Party analysis that arrives at a decision that device fingerprinting is covered by the ePrivacy Directive and so requires consent. Even though that guidance specifically refers to device fingerprinting, the EFF proposes that the same logic applies to browser fingerprinting.
Even large players in the browser space have responded to privacy criticisms of fingerprinting by taking measures to combat fingerprinting-based tracking. Apple’s Safari has masked IP address from known trackers since 2021, for example. Given that IP address is a common data point that ad tech companies use for fingerprinting, this Apple action is at least a partial measure to combat fingerprinting for ad-related tracking. Even Google, a company that relies on monetization of online behavior, announced in late 2023 its measures to mask IP addresses in an attempt to mitigate privacy concerns related to device fingerprinting.
Google’s move towards fingerprinting in 2025
However, recent events show the love-hate relationship that Google has with tracking, privacy concerns, and fingerprinting. Closely following its announcement that it will abandon third-party cookie deprecation altogether, Google announced in December 2024 that it will loosen limitations on fingerprinting. Though Google cites the evolution of Privacy Enhancing Technologies (PETs) as a set of safeguards that tip the balance in favor of privacy while allowing more flexibility for online advertisers, not everyone agrees.
The UK’s Information Commissioner’s Office (ICO) published a blog post on the day of Google’s announcement titled Our response to Google’s policy change on fingerprinting.
In the post, Stephen Almond, the ICO’s Executive Director of Regulatory Risk, argues that “fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected.”
“…there should be no doubt around any business’s obligations when it comes to fingerprinting and privacy… Businesses must give users fair choices over whether to be tracked before using fingerprinting technology, including obtaining consent from their users where necessary.”
The ICO refers readers to its Guidance on cookies and local storage, where the regulator classifies fingerprinting as a type of “storage and access technology” and states:
“You must tell users about any storage and access technologies you use and explain what they do. You must obtain prior consent to the UK GDPR standard for their use, unless an exemption applies.”
The ICO goes on to call Google’s decision irresponsible and talks to future guidance related to existing privacy law as applied to fingerprinting techniques. Specifically, the ICO statement challenges advertising companies to “demonstrate how they are complying with the requirements of data protection law. These include providing users with transparency, securing freely-given consent, ensuring fair processing and upholding information rights such as the right to erasure.”
So although fingerprinting might not directly violate Google’s terms of service, it will continue to violate the law unless proper notice is provided and opt-in consent is obtained.
The privacy controversy over Google’s recent decision to allow for browser fingerprinting is not the first time that Google has faced privacy fire. However, taken in context of Google’s step back from third-party cookie deprecation and the U-turn from its initial stance on browser fingerprinting, the new Google fingerprinting stance does make privacy leaders wonder about the company’s current privacy commitment.
Especially given the company’s advertising revenue-driven business model, it may not come as a surprise that Google has a significant incentive to enable user tracking in pursuit of advertising dollars. Perhaps the next iteration of fingerprinting technologies will somehow allow for increased notice, consent, and general consumer understanding. Until then, browser (and device) fingerprinting practices remain an area of privacy ethics and compliance concern, and Google’s recent decision only provides an additional tracking mechanism without commensurate privacy controls.