I’m Alan Chapell. Over the past 20+ years, I’ve been outside privacy counsel to hundreds of digital media companies. I write a monthly syndicated report called The Chapell Regulatory Insider, and I’m also a regulatory analyst for The Monopoly Report.

The latest Monopoly Report podcast! I spoke with Martin Thomson of Mozilla. We discuss the W3C Attribution API, a spec that many in the research community believe is deserving of far more scrutiny than it is currently receiving.

Google is bringing that process we all used to call fingerprinting to Europe.

The Fall and Rise of Fingerprinting

For a decade, Google told anyone who would listen that browser fingerprinting was bad. Google’s rationale at the time was that fingerprinting tech lacked sufficient user privacy controls. Then, in 2025, after the Privacy Sandbox collapsed, the company reversed course and blessed probabilistic identifiers inside its own ecosystem. We are now watching the next phase of that policy shift.

And, dare I say, this policy shift is kind of ironic.

Effective Aug. 3, 2026, Google is launching "IP-based measurement and personalization" for AdSense publishers in the EEA, UK, and Switzerland. I haven’t seen a ton of coverage of this new offering to date. An overview of the program is available here and here.

What Actually Changes on Aug. 3

Google has always received IP addresses as a network byproduct for routing, fraud prevention, and ad delivery. Under the IAB Europe Transparency and Consent Framework (TCF), those count as non-consent purposes. That changes now. Under the new policy, Google will also use IPs for device identification, measurement, and personalization. Those are different purposes, and they carry both legal and TCF framework related obligations. For example:

  • GDPR Requirements: Under GDPR Article 5(1)(b) (i.e., purpose limitation), new uses trigger a fresh legal-basis requirement.

  • TCF Requirements: The IAB TCF requires that data features appear in the Consent Management Platform (CMP) interface. Accordingly, Google will add Feature 3, "Identify devices based on information transmitted automatically," to its IAB Europe registration.

Accordingly, anyone running a third-party CMP supporting Adsense must surface Feature 3 in Google's vendor entry before August 3 or risk understated-disclosure exposure and limited-ads degradation (not to mention legal liability).

PETs are rearing their head

Google is also relying on privacy-enhancing technologies (PETs) as the mitigation. Nothing wrong with that. PETs are all the rage right now in the ads privacy community. So under this new policy, Google will rely on on-device processing, Trusted Execution Environments (TEEs), and secure multi-party computation (MPC). There are a few additional components to this that are worth noting:

  • Liability: Publishers are responsible for obtaining consent for Google’s use of these data points as per EU data protection law and Google's EU User Consent Policy.

  • Opt-out Irony: There is also no dedicated user opt-out at launch. Google reportedly won't ship user-level IP-personalization controls until late 2026 or early 2027. In other words, after railing for over a decade that fingerprinting should be prohibited because it failed to offer user privacy controls, Google has opted to ship a fingerprinting tool that [checks notes] fails to offer privacy controls.

  • Sequencing: These PETs engage after Google receives the IP address.

What’s Google’s Plan?

Irony aside, I’ve started to think about Google’s longer term plan. I suspect that Google’s use of PETs are designed as a liability shield in that they potentially enable Google to:

  • Continue to impose consent and other requirements on publishers with respect to the input data.

  • Take less responsibility for its own processing of those inputs and potentially even claim it is no longer processing personal data with respect to the output data (i.e., because it is aggregated and anonymized).

  • Make it more difficult for regulators to understand the data flows (and potentially, more difficult to enforce against Google). The days of “slam dunk” penalty after a regulator or plaintiff locates a Google cookie or sees a Google pixel fire without proper consent appear to be at an end.

  • Shield itself from CIPA liability (should Google choose to bring this process into the U.S.)

It’s a pretty smart strategy.

What About Cookies?

One other question might come to mind. Specifically, is this how Google finally kills the third-party cookie? I don’t think so.

Why not?

  • Antitrust Liability: In my view, outright deprecation is now an antitrust liability Unilaterally killing third-party cookies in Chrome is precisely the Chrome-leveraging move the DOJ remedies phase, the UK CMA, and the EU Commission are awaiting.

  • Sandbox Lessons Learned: Also, one of Google’s biggest mistakes with respect to the Sandbox was announcing a date to sunset cookies before it had a viable replacement. (Yeah, I’ll concede that there was a chicken-and-egg thing happening.) The market panicked, and perhaps even revolted, the CMA stepped in, and Google had to retreat. The lesson Google absorbed was not "cookies are fine." Rather, it was "build the replacement first." IP-based measurement is that replacement.

  • Better, Faster: And this replacement has a bunch of additional features: (a) It works across browsers, (b) it survives at least the current wave of Safari and Firefox blocking, (c) it functions in-app, and (d) it lives at the network layer Google controls rather than the browser-storage layer that regulators and rival browsers keep attacking.

  • Asymmetric Obsolescence: In that light, the smarter play is not killing the cookie. Rather, the smart move is making the cookie irrelevant to Google while leaving it standing for everyone else. Call it asymmetric obsolescence. Google migrates its own value onto a rail competitors cannot reach—IP at the network layer, authenticated first-party signals on its O&O—and lets the open web keep running on aging cookie and UID infrastructure that degrades a little more each year. Google does not need to sunset the cookie. It needs to stop needing it. This policy shift is exactly how they stop needing it.

Chapell’s Take: Broadly speaking, Google is engineering a position where it keeps the one form of interoperability it needs (ingestion) as it exits the one that carries the exposure (open-web ad serving).

________________________________________________________________________

If there’s an area that you want to see covered on these pages, if you agree or disagree with something I’ve written, if you want to tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.

Be in the rooms defining the future of advertising and brand building.

There’s no better place to discuss where advertising is headed than the city that helped lay its foundations. This fall, Marketecture Live is setting its clocks to Central Time and convening in the heart of brand building: Chicago.

The Windy City has long been a hub for world-class brand work, commerce, and innovation. Now, it serves as the backdrop for conversations shaping AI, retail media, connected TV, creator marketing, and the future of consumer engagement.

Meet the first wave of speakers and secure your seat at chicago.marketecturelive.com.

Reply

Avatar

or to participate

Keep Reading