In 2018, Google quietly dropped its Don’t be evil(nowe okno) motto. In 2019, a Google(nowe okno) blog post stated(nowe okno) that fingerprinting(nowe okno) “subverts user choice and is wrong”. On February 16, 2025, marking a spectacular about-face, Google gave its advertisers the go-ahead to use digital fingerprinting to uniquely identify internet users and track their actions across the web.
The move follows Google’s backtracking(nowe okno) on its 2020 promise to make third-party cookies “obsolete”(nowe okno), primarily through its nascent Privacy Sandbox(nowe okno) platform for Chrome. Interestingly, Privacy Sandbox was specifically designed to reduce fingerprinting(nowe okno), with Google stating at the time that “users have even less control when ad tech providers use permanent and immutable identifiers, like those derived based on device fingerprinting, since there’s no central place for users to manage those”.
The UK’s Information Commissioner’s Office (ICO) has heavily criticized(nowe okno) this shift by Google, labeling it “irresponsible”, and “not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected”.
In this article, we’ll look at:
- What is digital fingerprinting?
- Why has Google made this change?
- What can you do about it?
- Final thoughts — Regulation may help
What is digital fingerprinting?
Digital fingerprinting is a way to identify and track you using the unique characteristics of your device and browser. Unlike third-party cookies, which can be deleted or blocked, fingerprinting works by collecting information that’s harder to change.
Learn more about third-party cookies
Crucially for Google, fingerprinting is effective at identifying and tracking the wide variety of modern devices that access the internet outside the browser or app window (and thus without cookies). When you visit a website or interact with an app, fingerprinting allows the website or app developer to collect numerous data points. These include:
- Device Information: Operating system, device type, and hardware specifications.
- Browser Characteristics: Browser type, version, language settings, and installed plugins.
- Network Data: IP address, time zone, and network latency.
- Behavioral Patterns: Typing speed, mouse movements, and browsing habits.
These data points are combined to create a unique “fingerprint” that can identify you across different websites and sessions, even if cookies are disabled, cleared, or not even used by your device. And unlike cookies, fingerprinting is difficult to detect and block, making it harder to manage your privacy online.
Learn more about browser and device fingerprinting(nowe okno)
Why has Google made this change?
In fairness to Google, it has been remarkably upfront(nowe okno) about its motives for reversing its view on fingerprinting:
“The changes reflect advances in privacy-enhancing technologies (such as on-device processing, Trusted Execution Environments, and secure multi-party computation) and the broader range of surfaces on which ads are served (such as Connected TVs and gaming consoles)”.
To put it another way, cookies are no longer as effective at tracking you as they once were. Google’s true customers (advertisers) need more effective ways to invade your privacy so they can can continue to target you with ever more personalized ads.
It’s worth noting that fingerprinting also helps Google and advertisers overcome legal limitations. A good example is Europe’s ePrivacy Directive(nowe okno) (aka the “EU cookie law”), which requires all websites to ask anyone who visits them using an EU IP address for explicit consent before placing cookies on their browser.
What can you do about it?
The sneaky thing about fingerprinting is that it’s hard to detect and even harder to avoid. Browsers that offer add-ons designed to protect your privacy and prevent tracking actually make the browser more unique, meaning it’s more vulnerable to browser fingerprinting.
In our tests(nowe okno), Tor Browser and Brave were the best options for evading browser fingerprinting (although these browsers come with their own drawbacks), but preventing device fingerprinting is all but impossible.
Final thoughts — Regulation may help
Despite being hard to detect or block, digital fingerprinting techniques are not exempt from laws designed to protect internet users’ privacy. Although not directly addressed in the EU’s ePrivacy Directive, fingerprinting probably violates(nowe okno) the GDPR(nowe okno) and is likely to come under increased legal scrutiny, especially with Google’s latest change of heart.
Under the California Privacy Rights Act(nowe okno), fingerprinting is considered a form of cross-context behavioral advertising(nowe okno), meaning that Google will likely need to provide users with a way to opt-out if it’s to remain compliant. And in the UK, the ICO has warned,
“Our response is clear: businesses do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act”.
