In late December, right before the holidays, Google announced a policy change that elicited both cheers and jeers.
Starting on February 16, Google said it will no longer prohibit fingerprinting for companies that use its advertising products.
Oh, how times have changed.
From no way to okay
Fingerprinting identifies a device by combining multiple signals into one digital ID: screen size, browser type, OS type, battery level, language settings, screen resolution, keyboard plugins, IP address and hundreds of other data points.
In 2019, Justin Schuh, Google’s director of Chrome engineering, called fingerprinting an “opaque” technique and highlighted Google’s plans to “more aggressively” block it.
“Unlike cookies, users cannot clear their fingerprinting,” Schuh wrote at the time, “and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”
Fast-forward to now, and not “unlike cookies” – in fact, just like cookies – Google is executing an unexpected U-turn. (Yeah, yeah, I know, some of you predicted the third-party cookie deprecation reversal, but I was still surprised; sue me. 😭)
A Google spokesperson explained the company’s fingerprinting change to AdExchanger like so: “We updated our platform policies to reflect new privacy-enhancing technologies that mitigate risks and support the emergence of new channels like connected TV.”
In other words, rather than a blanket prohibition on businesses using IP addresses (a key ingredient in any device fingerprint) for ad targeting and measurement, Google will be less strict about it, as long as the data is handled securely and safely.
‘Opportunities’
Advertisers and ad trade groups are predictably pleased with Google’s about-face on fingerprinting.
- Jon Halvorson, global SVP of consumer experience and digital commerce at Mondelēz: “This update opens up more opportunities for the ecosystem in an increasingly fragmented and growing space while respecting user privacy.”
- Leigh Freund, president and CEO of the Network Advertising Initiative: “This update will open new opportunities to help us responsibly enable private protective cross-device measurement.”
- And Tony Katsur, CEO of the IAB Tech Lab: “This update provides opportunities for the ad ecosystem to deliver better consumer experiences while mitigating privacy risks.”
Sensing a theme here.
Privacy advocates, meanwhile, are a mix of horrified and cynically unsurprised. And privacy attorneys are pragmatic as usual.
Google’s policy change doesn’t change reality, said Daniel Rosenzweig, founder of boutique law firm DBR Data Privacy Solutions.
“While allowing IP-based ad targeting appears to signal a shift from previous approaches, the legal fundamentals haven’t changed much in my view,” Rosenzweig said. “Most privacy laws still classify identifiers used for device fingerprinting, like IP address, as personal data.”
The Information Commissioners Office, the UK’s data protection authority, put an even finer point on it.
On December 19, the day after Google told clients about its fingerprinting update, the ICO’s executive director of regulatory risk, Stephen Almond, published a post calling the change “irresponsible” and warning businesses that they don’t “have free reign to use fingerprinting as they please.”
“Like all advertising technology,” Almond writes, fingerprinting “must be lawfully and transparently deployed – and if it is not, the ICO will act.”
The fine print
Which begs the question: Is there even a way to “lawfully and transparently” deploy fingerprinting?
“Theoretically, yes,” said Cillian Kieran, CEO and co-founder of privacy compliance startup Ethyca. But “in practice, it’s nearly impossible.”
And therein lies the rub.
One of the main issues with fingerprinting from a privacy perspective is that there’s no way for people to know it’s happening, let alone opt out.
It’s a little hard to achieve transparency and trust “when the underlying technology is designed to work behind the scenes,” Kieran said.
“Fingerprinting is built on opacity; it’s about collecting data quietly without the user realizing it,” he said. “Making that process transparent would require a radical rethinking of how it’s deployed and what the day-to-day user experience is.”
But the issue with fingerprinting is perhaps even simpler than that, according to Arielle Garcia, chief operating officer of Check My Ads, which is that it’s a loophole to maintain the status quo of online data collection and ad tracking.
Because if there’s transparency and consent, who needs fingerprinting?
“If and when people are knowingly willing to be tracked, fingerprinting and other probabilistic methods are basically irrelevant,” Garcia said. “This is inherently a workaround to offering and honoring informed choice.”
🙏 Thanks for reading – especially at the tail end of the first full week back at work since the holidays. This will be me in a few hours. I’m beat, but I love getting feedback. As always, feel free to drop me a line at [email protected] with any comments, suggestions, hot takes or cat videos.