Google to use UK and EU user IP addresses for ad personalization
Starting August 3, 2026, Google will use IP addresses from users in the UK, EEA, and Switzerland for ad measurement and personalization. This change involves using IP addresses as personal data under GDPR to identify devices for advertising purposes, which requires user consent in these regions. Google has notified advertisers and will register under the IAB Europe Transparency and Consent Framework for this purpose. The UK Information Commissioner's Office (ICO) has expressed concerns about this practice, emphasizing that existing consent rules remain in effect. User controls for IP-based personalization will be introduced later in the rollout, with current options limited to cookie and consent prompt management.
AI Analysis
Technical Summary
Google plans to begin using IP addresses from users in the UK, EEA, and Switzerland for ad measurement and personalization starting August 3, 2026. While IP addresses are routinely collected globally for routing and ad delivery, using them to identify devices for personalization in these regions is new and regulated under GDPR as personal data. This practice is linked to device fingerprinting, which Google previously opposed but reversed in December 2024. The UK ICO has criticized this reversal and recently advised stricter consent rules for online advertising, requiring consent for tracking that profiles users across services. Google places the compliance responsibility on advertisers to obtain valid consent under its EU User Consent Policy. User-facing controls for IP-based personalization will be available later, with current user options limited to declining cookies and managing ad settings.
Potential Impact
The use of IP addresses for ad personalization in the UK, EEA, and Switzerland introduces new privacy considerations because IP addresses are personal data under GDPR. This practice enables device identification and profiling, potentially increasing tracking capabilities beyond cookie-based methods. It may conflict with regulatory expectations around user consent for profiling and cross-service tracking. The change could affect user privacy and compliance obligations for advertisers operating in these regions. However, no direct exploitation or attack vector is described, and no known exploits are reported.
Mitigation Recommendations
Patch status is not applicable as this is a policy and data usage change rather than a software vulnerability. Google requires advertisers to obtain valid user consent for IP-based personalization under its EU User Consent Policy. Users can mitigate privacy impacts by declining non-essential cookies, managing consent prompts, and adjusting ad personalization settings at myadcenter.google.com. The user-facing choice for IP-based personalization will be introduced later in the rollout. Organizations should monitor vendor communications and regulatory guidance to ensure compliance.
Google to use UK and EU user IP addresses for ad personalization
Description
Starting August 3, 2026, Google will use IP addresses from users in the UK, EEA, and Switzerland for ad measurement and personalization. This change involves using IP addresses as personal data under GDPR to identify devices for advertising purposes, which requires user consent in these regions. Google has notified advertisers and will register under the IAB Europe Transparency and Consent Framework for this purpose. The UK Information Commissioner's Office (ICO) has expressed concerns about this practice, emphasizing that existing consent rules remain in effect. User controls for IP-based personalization will be introduced later in the rollout, with current options limited to cookie and consent prompt management.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Google plans to begin using IP addresses from users in the UK, EEA, and Switzerland for ad measurement and personalization starting August 3, 2026. While IP addresses are routinely collected globally for routing and ad delivery, using them to identify devices for personalization in these regions is new and regulated under GDPR as personal data. This practice is linked to device fingerprinting, which Google previously opposed but reversed in December 2024. The UK ICO has criticized this reversal and recently advised stricter consent rules for online advertising, requiring consent for tracking that profiles users across services. Google places the compliance responsibility on advertisers to obtain valid consent under its EU User Consent Policy. User-facing controls for IP-based personalization will be available later, with current user options limited to declining cookies and managing ad settings.
Potential Impact
The use of IP addresses for ad personalization in the UK, EEA, and Switzerland introduces new privacy considerations because IP addresses are personal data under GDPR. This practice enables device identification and profiling, potentially increasing tracking capabilities beyond cookie-based methods. It may conflict with regulatory expectations around user consent for profiling and cross-service tracking. The change could affect user privacy and compliance obligations for advertisers operating in these regions. However, no direct exploitation or attack vector is described, and no known exploits are reported.
Mitigation Recommendations
Patch status is not applicable as this is a policy and data usage change rather than a software vulnerability. Google requires advertisers to obtain valid user consent for IP-based personalization under its EU User Consent Policy. Users can mitigate privacy impacts by declining non-essential cookies, managing consent prompts, and adjusting ad personalization settings at myadcenter.google.com. The user-facing choice for IP-based personalization will be introduced later in the rollout. Organizations should monitor vendor communications and regulatory guidance to ensure compliance.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/google-to-use-uk-and-eu-user-ip-addresses-for-ad-personalization/","fetched":true,"fetchedAt":"2026-06-17T21:05:46.849Z","wordCount":949}
Threat ID: 6a330c2af198dc38c10960f1
Added to database: 6/17/2026, 9:05:46 PM
Last enriched: 6/17/2026, 9:05:55 PM
Last updated: 6/17/2026, 10:10:13 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.