UK ICO not happy with Google allowing device fingerprinting

Google Faces ICO Criticism Over “Irresponsible” Shift to Allow Fingerprinting in Ads

Google has announced plans to permit device fingerprinting for its business customers starting February 16, 2025, drawing sharp criticism from the UK’s Information Commissioner’s Office (ICO). This move represents a significant reversal from Google’s 2019 position when the company stated that fingerprinting “subverts user choice and is wrong.”

Device fingerprinting involves building unique user profiles by collecting information about a device’s software and hardware configuration, rather than using traditional tracking methods like cookies. This technology is notably more difficult for users to evade than cookies, as it cannot be cleared from a browser like typical site data.

While Google’s announcement of planned Ad Platform changes avoided explicitly using the term “fingerprinting,” the company indicated it would allow partners to utilize “data signals” including IP addresses, “web beacons … or other identifiers” to create device profiles for ad targeting. Google justified this shift by citing evolving internet usage patterns, particularly highlighting connected TVs as devices that require alternative methods for ad delivery.

The ICO has responded forcefully to this policy change. Stephen Almond, ICO’s Executive Director of Regulatory Risk, stated, “We think this change is irresponsible. Businesses do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.”

The regulatory body emphasized that fingerprinting fails to meet UK privacy standards due to its lack of transparency and its potential to diminish user control over data collection. The ICO has published draft guidance on how data protection law applies to such technologies and announced plans for a consultation to gather industry feedback.

Google’s spokesperson defended the change, stating, “We look forward to further discussions with the ICO about this policy change. We know that data signals like IP addresses are already commonly used by others in the industry today, and Google has been using IP responsibly to fight fraud for years.” The company maintains that users will retain choice regarding personalized ads and emphasized their commitment to responsible data use.

This latest controversy follows Google’s earlier reversal on its promise to eliminate third-party cookies from Chrome. The ICO has warned that businesses considering fingerprinting must meet strict data protection requirements, including providing user transparency, securing explicit consent, ensuring fair processing, and upholding information rights such as the right to erasure.

The ICO continues to engage with Google regarding this policy shift, emphasizing that organizations seeking to implement fingerprinting techniques for advertising must demonstrate compliance with data protection law – a standard the regulator describes as a “high bar to meet.”

FAQs

What is Google’s new user “fingerprinting” plan?

Google plans to introduce a user identification method for business customers that allows tracking and identification of users across different platforms and services. This approach involves creating unique digital identifiers for individual users, which enables more comprehensive tracking and data collection. The plan has raised significant privacy concerns, particularly with regulatory bodies like the UK Information Commissioner’s Office (ICO) who view this as a potential intrusion into user privacy.

Why is the UK Information Commissioner’s Office critical of Google’s fingerprinting approach

The ICO is concerned that Google’s user fingerprinting method could potentially violate data protection principles and infringe on user privacy rights. By creating unique identifiers that track individuals across multiple platforms, the approach might exceed reasonable data collection practices and compromise personal information. The regulatory body is likely to scrutinize the technical details and potential privacy implications of this tracking mechanism before allowing its implementation.

When is Google planning to implement this user fingerprinting feature?

According to the brief report, Google intends to roll out this feature for business customers beginning next year. The specific timeline and full technical details have not been extensively elaborated in the current overview. Businesses and privacy advocates are likely waiting for more comprehensive information about the implementation, scope, and potential opt-out mechanisms.

What potential implications does this user fingerprinting have for individual privacy?

User fingerprinting could potentially create more invasive tracking mechanisms that allow businesses to build comprehensive profiles of individual users across different digital platforms. This approach might enable more targeted advertising, detailed user behavior analysis, and potentially more intrusive data collection practices. Privacy advocates are likely to be concerned about the extent of personal data that could be collected and how it might be used or potentially shared with third parties.

How might this Google feature impact digital privacy regulations?

The proposed user fingerprinting feature could prompt significant discussions and potential regulatory challenges in digital privacy frameworks. Regulatory bodies like the ICO may need to evaluate whether such tracking methods comply with existing data protection laws, potentially leading to new guidelines or restrictions. This development might also inspire similar scrutiny from other international privacy regulators who are increasingly focused on protecting user data and preventing unauthorized tracking.

Scroll to Top