Jan 22, 2026
Google Said Fingerprinting Was Wrong—Now They Let Advertisers Do It Anyway
The same company that condemned tracking without consent just greenlit it for advertisers.
In 2019, Google took a clear stance on device fingerprinting: "Users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong."
On December 19, 2024, Google quietly reversed course. Starting February 16, 2025, organizations using Google's advertising products can now employ fingerprinting techniques to track users across the web. The UK's Information Commissioner's Office called the decision "irresponsible."
What Fingerprinting Actually Collects
Unlike cookies, which store data on your device and can be cleared, fingerprinting builds a unique identifier from your device's characteristics. The technique combines dozens of data points including your operating system, browser type and version, installed plugins, screen resolution, timezone, language settings, and IP address.
When combined, these signals create a profile so unique that researchers report fingerprinting can identify individual users with over 99% accuracy. The identifier persists across browsing sessions, private modes, and even different browsers on the same device.
The critical difference from cookies: you cannot clear a fingerprint. There is no "delete fingerprint" button. Clearing your browser data does nothing. The moment you visit a site using fingerprinting, you can be immediately re-identified based on your device's characteristics alone.
Why Google Changed Its Mind
Google spent years trying to deprecate third-party cookies while preserving its advertising revenue. The Privacy Sandbox initiative promised a cookie-less future with privacy-preserving alternatives. That effort largely stalled.
The company now justifies fingerprinting by citing connected TVs, gaming consoles, and app environments where cookies do not work. Google also points to "advancements in Privacy Enhancing Technologies" that supposedly make fingerprinting more palatable.
Critics are not convinced. The ICO noted that fingerprinting "relies on signals that you cannot easily wipe" and "is not transparent and cannot easily be controlled." In other words, the fundamental problems Google identified in 2019 remain unchanged.
The Compliance Nightmare
For businesses, Google's policy shift creates significant legal exposure. Under GDPR, any information linked to an identifiable individual counts as personal data—and the combination of browser characteristics that enables fingerprinting clearly qualifies.
The ICO explicitly warned that organizations deploying fingerprinting must obtain freely given consent, provide transparency about data collection, ensure fair processing, and honor information rights including the right to erasure. The agency described meeting these requirements as "a high bar."
California's privacy laws add another layer. CCPA allows consumers to opt out of fingerprinting, with penalties reaching $7,988 per intentional violation. The California Privacy Protection Agency is actively investigating violations across industries.
UK regulators confirmed that January 2025 guidance treats fingerprinting identically to cookies under PECR. Organizations cannot circumvent consent requirements simply by switching tracking technologies.
How This Affects Your Inbox
Email tracking pixels already use fingerprinting-adjacent techniques. When you open an email containing a tracking pixel, the sender logs your IP address, device type, operating system, and email client. Combined with the timestamp of when you opened the message, this data can identify you across sessions.
Google's policy change signals a broader industry shift toward fingerprinting as the default tracking method. As cookies become less reliable, advertisers will increasingly rely on device characteristics to build profiles—and email remains one of the easiest channels to collect that data.
The tracking pixel in a marketing email does not ask for consent. It does not notify you when it fires. It simply reports back to a server that you opened the message, along with everything it can learn about your device.
How to Protect Yourself
Fingerprinting is harder to block than cookies, but not impossible. Privacy-focused browsers like Brave, Firefox, and Safari include anti-fingerprinting protections that obscure or randomize the signals advertisers collect. Browser extensions can provide additional protection.
A VPN masks your IP address, removing one of the key data points from your fingerprint. Keeping your browser updated ensures you have the latest privacy protections. Some users disable JavaScript entirely, though this breaks most modern websites.
The most effective strategy is to blend in rather than stand out. Unique browser configurations make fingerprinting easier. Using common browsers with default settings, combined with privacy tools, makes you harder to distinguish from millions of other users.
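To make "blend in rather than stand out" measurable, the following added example (not from the original article) computes how many users share a given configuration and how many bits of identifying information it carries. The population, its counts, and the function names are constructed for illustration and are not measured data.

```python
import math

# Constructed population of (browser, OS, screen, timezone, language) tuples.
# The counts are invented for illustration only.
POPULATION = (
    [("Chrome", "Windows", "1920x1080", "UTC-5", "en-US")] * 600
    + [("Safari", "macOS", "1440x900", "UTC-8", "en-US")] * 250
    + [("Firefox", "Windows", "1920x1080", "UTC+1", "de-DE")] * 120
    + [("Firefox", "Linux", "2560x1440", "UTC+1", "de-DE")] * 25
    + [("Chrome", "Linux", "1920x1200", "UTC+9", "ja-JP")] * 4
    + [("Firefox", "Linux", "3440x1440", "UTC+5:30", "eo")] * 1
)
FIELDS = ("browser", "os", "screen", "timezone", "language")

COMMON = ("Chrome", "Windows", "1920x1080", "UTC-5", "en-US")
RARE = ("Firefox", "Linux", "3440x1440", "UTC+5:30", "eo")


def anonymity_set(profile, population):
    """Number of users whose full configuration is identical to `profile`."""
    return sum(1 for p in population if p == profile)


def surprisal_bits(profile, population):
    """Identifying information in the full profile: log2(N / matching users)."""
    return math.log2(len(population) / anonymity_set(profile, population))


def per_attribute_bits(profile, population):
    """Bits contributed by each attribute on its own, to show what stands out."""
    n = len(population)
    bits = {}
    for i, name in enumerate(FIELDS):
        matches = sum(1 for p in population if p[i] == profile[i])
        bits[name] = math.log2(n / matches)
    return bits


if __name__ == "__main__":
    for label, profile in (("common", COMMON), ("rare", RARE)):
        print(label, anonymity_set(profile, POPULATION),
              round(surprisal_bits(profile, POPULATION), 2),
              {k: round(v, 2) for k, v in per_attribute_bits(profile, POPULATION).items()})
```

A profile shared by 600 of 1,000 users carries under one bit; the unusual one is unique in this sample and carries nearly ten.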
For email specifically, blocking remote images prevents tracking pixels from loading. Tools like Gblock automatically detect and neutralize spy pixels in Gmail, stopping the surveillance before it starts.
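The remote-image blocking described above can be sketched as follows. This is an added example, not code from the article or from Gblock; the sample message, the `.example` hostnames, and the names `RemoteImageScanner` and `block_remote_images` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one embedded logo, one remote banner, one 1x1 pixel.
SAMPLE_EMAIL = (
    '<html><body><p>Spring sale &amp; more</p>'
    '<img src="cid:logo@mail" width="120" height="40">'
    '<img src="https://img.shop.example/banner.png" width="600" height="200">'
    '<img src="https://t.shop.example/o.gif?u=12345" width="1" height="1"'
    ' style="display: none">'
    '</body></html>'
)


class RemoteImageScanner(HTMLParser):
    """Collects every <img> whose src would trigger a network request."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (raw_tag, src, looks_like_pixel)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        remote = urlparse(src).scheme in ("http", "https") or src.startswith("//")
        if not remote:
            return  # cid: and data: images are embedded, so no server is contacted
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        self.findings.append((self.get_starttag_text(), src, tiny or hidden))


def block_remote_images(html):
    """Return (html without remote <img> tags, findings).

    Every remote image is removed, not only pixel-sized ones, because any
    remote fetch reports the open and the client's IP to the sender's server.
    """
    scanner = RemoteImageScanner()
    scanner.feed(html)
    scanner.close()
    for raw_tag, _src, _pixel in scanner.findings:
        html = html.replace(raw_tag, "")
    return html, scanner.findings


if __name__ == "__main__":
    cleaned, found = block_remote_images(SAMPLE_EMAIL)
    print(cleaned)
    print([(src, pixel) for _raw, src, pixel in found])
```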
What Happens Next
The ICO has launched a consultation on storage and access technologies, with updated guidance expected soon. Regulatory enforcement against fingerprinting is anticipated to increase over the next 12 to 24 months, particularly in regions that emphasize user consent.
Google's reversal reflects a broader truth about the advertising industry: when given a choice between user privacy and tracking capabilities, the incentives always favor surveillance. The company that once called fingerprinting "wrong" now considers it acceptable—because the alternative would cost them advertising revenue.
For users, the lesson is clear. Privacy protections that depend on corporate goodwill are not protections at all. The only reliable defense is taking control yourself.