The Permission
Google condemned fingerprinting as a practice that "subverts user choice" in 2019. In February 2025, it gave the entire industry permission to use it.

The Condemnation

In August 2019, Justin Schuh, Director of Chrome Engineering at Google, published a post outlining Google's rationale for Privacy Sandbox — a suite of APIs designed to replace third-party cookies. The post addressed fingerprinting directly. "Unlike cookies," Schuh wrote, "users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong." Google also stated in a May 2019 blog post that it did not "use fingerprinting for ads personalization because it doesn't allow reasonable user control and transparency. Nor do we let others bring fingerprinting data into our advertising products."

This was not a minor footnote in a product blog. It was a foundational statement of principle. Google, which at the time controlled roughly 65% of global digital ad spending, had drawn a line: the tracking infrastructure that the advertising industry had built on cookies was acceptable. The tracking infrastructure that operated without cookies — through browser configurations, canvas renderings, font lists, and hardware characteristics — was not. Users could clear a cookie. They could not clear a fingerprint.

The statement aged poorly. By December 2024, Google had begun quietly reversing the policy it had spent five years defending.

The Technical Reality

Browser fingerprinting is the practice of collecting discrete attributes from a user's browser and device configuration to create a unique identifier for that user — without placing any file on their device. Where a cookie is a stored item you can find and delete, a fingerprint is an emergent property of your hardware and software configuration at the moment you load the page.

The technique is not theoretical. A 2025 study by researchers from Texas A&M University and Johns Hopkins University — presented at the ACM Web Conference (WWW 2025) in Sydney, April 28–May 2 — developed a framework called FPTrace to test whether fingerprinting was actually in use for ad targeting, not merely present as code that might serve other purposes. The methodology was direct: they altered browser fingerprints in controlled browsing sessions while maintaining IP addresses, then observed what happened to advertising system behavior. The findings were unambiguous. HTTP tracking chains dropped by approximately 83% when fingerprints were altered. Syncing events between trackers fell by approximately 53%. Total HTTP records generated by trackers dropped by approximately 65%.

Critically, tracking persisted even when users cleared their cookies. The fingerprint continued to function as an identifier regardless of cookie state. A separate study scanning the top 10,000 websites found that 68.8% were running some form of fingerprinting script. Canvas fingerprinting — a technique that exploits the HTML5 Canvas API to generate unique render patterns based on GPU and font configurations — was found on 14,371 websites in a Princeton study of one million sites.

The Electronic Frontier Foundation first documented the practical viability of fingerprinting at scale in January 2010, when it launched Panopticlick, an experiment that ultimately tested approximately 500,000 browsers. The findings: 84% had unique configurations, and only 1% had fingerprints seen more than twice. EFF re-launched the tool in 2020 as Cover Your Tracks with enhanced detection capabilities.
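
The following Python example is added here and is not part of the original article or of EFF's tooling. It uses a small constructed population (every attribute value is an illustrative assumption) to show how individually common attributes combine into a unique identifier, and how much uniqueness falls when font and canvas output are made uniform, which is the general approach anti-fingerprinting defences take.

```python
import math
from collections import Counter

# Constructed sample: attributes a page can read without storing anything
# on the device. Values are illustrative, not measurements.
ATTRS = ("user_agent", "timezone", "screen", "fonts", "canvas")
POPULATION = [
    ("Chrome/131 Windows", "UTC-5", "1920x1080", "fonts-a", "canvas-1"),
    ("Chrome/131 Windows", "UTC-5", "1920x1080", "fonts-a", "canvas-2"),
    ("Chrome/131 Windows", "UTC-5", "1920x1080", "fonts-b", "canvas-1"),
    ("Chrome/131 Windows", "UTC+1", "1920x1080", "fonts-a", "canvas-1"),
    ("Firefox/133 Linux", "UTC+1", "2560x1440", "fonts-c", "canvas-3"),
    ("Safari/18 macOS", "UTC-8", "1440x900", "fonts-d", "canvas-4"),
    ("Safari/18 macOS", "UTC-8", "1440x900", "fonts-d", "canvas-4"),
    ("Chrome/131 Windows", "UTC-5", "1920x1080", "fonts-a", "canvas-1"),
]
ALL = tuple(range(len(ATTRS)))
COARSE = (0, 1, 2)  # assumption: fonts and canvas output made uniform

def attribute_entropy(population, index):
    """Shannon entropy in bits of a single attribute across the population."""
    n = len(population)
    counts = Counter(row[index] for row in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def anonymity_sets(population, indices):
    """Count browsers sharing the same values on the chosen attributes."""
    return Counter(tuple(row[i] for i in indices) for row in population)

def identifying_bits(population, row_index, indices):
    """Surprisal of one browser's combined fingerprint: log2(N / set size)."""
    sets = anonymity_sets(population, indices)
    key = tuple(population[row_index][i] for i in indices)
    return math.log2(len(population) / sets[key])

def unique_fraction(population, indices):
    """Share of browsers whose combined fingerprint nobody else has."""
    sets = anonymity_sets(population, indices)
    return sum(1 for c in sets.values() if c == 1) / len(population)

if __name__ == "__main__":
    for i, name in enumerate(ATTRS):
        print(f"{name:<11}{attribute_entropy(POPULATION, i):.2f} bits")
    print("unique, all attributes:", unique_fraction(POPULATION, ALL))
    print("unique, fonts/canvas uniform:", unique_fraction(POPULATION, COARSE))
```

In this sample no single attribute carries more than 1.75 bits, yet half the browsers are unique once all five are combined; with fonts and canvas made uniform the unique share falls to a quarter.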

The Reversal

On December 18–19, 2024, Google notified the advertising industry of a coming change to its advertising platform policies. The announcement received minimal coverage. On February 16, 2025, the policy change took effect. Google removed its prohibition on device fingerprinting and IP address use for ad targeting and measurement across its advertising ecosystem — encompassing Chrome, connected TV, mobile, and gaming platforms.

The stated rationale, from a Google spokesperson speaking to AdExchanger: "We updated our platform policies to reflect new privacy-enhancing technologies that mitigate risks and support the emergence of new channels like connected TV." This framing positioned the reversal as an advancement in privacy protection, not a retreat from it.

The industry's response was welcoming. Jon Halvorson, Mondelēz International's media and relationship Chief Marketing Officer, said the update "opens up more opportunities for the ecosystem in an increasingly fragmented and growing space while respecting user privacy." Leigh Freund, President of the Network Advertising Initiative, called it an opportunity to "responsibly enable private protective cross-device measurement." Tony Katsur, then-CEO of IAB Tech Lab, said the update provided "opportunities for the ad ecosystem to deliver better consumer experiences while mitigating privacy risks." The Advertising Association, the Association of Online Publishers, and the IAB UK all issued statements that were broadly supportive or neutral.

The privacy community's response was precise: Google had not reduced the industry's surveillance capacity. It had moved that capacity into a space with fewer legal obligations.

The Backlash

The UK Information Commissioner's Office issued a statement on December 19, 2024, calling Google's decision "irresponsible." The ICO noted that UK data protection law — specifically PECR and GDPR — does not permit fingerprinting for ad targeting without explicit user consent, regardless of what Google's policy manual says. The ICO quoted Google's own 2019 statement directly: "We think this subverts user choice and is wrong." The implication was not subtle. The French CNIL issued a parallel warning, stating that EU regulations require consent for personalized ad tracking and that fingerprinting cannot legally bypass this requirement.

Lena Cohen, EFF Staff Technologist, was direct in a February 2025 statement to the BBC: "By explicitly allowing a tracking technique that they previously described as incompatible with user control, Google highlights its ongoing prioritisation of profits over privacy." She added that "the same tracking techniques that Google claims are essential for online advertising also expose individuals' sensitive information to data brokers, surveillance companies, and law enforcement." Mozilla distinguished engineer Martin Thomson observed that Google had "given itself — and the advertising industry it dominates — permission to use a form of tracking that people can't do much to stop." Pete Wallace, then-CTO of GumGum, described the change as taking "a much more business-centric approach to the use of consumer data rather than a consumer-centric approach."

EFF updated Privacy Badger — its browser extension with millions of active users — to specifically block fingerprinting trackers and to opt users out of Google's Privacy Sandbox APIs. The tool was already blocking third-party cookies. The fingerprinting scripts required a separate response.

The Permission

What is structurally significant about this reversal is not the technical change itself — fingerprinting was in widespread use before Google permitted it; the company was not the primary enforcer of anti-fingerprinting norms — but what the permission represents within a concentrated market. Google processes an estimated 65% of global digital ad spend. When Google changes a policy governing what its ad ecosystem will accept, it effectively sets the industry's operating parameters.

The cookies were not a neutral tracking substrate. They were a regulated one. GDPR, CCPA, and other privacy frameworks had established that cookies required consent, that users had the right to delete them, and that their use constituted personal data processing under EU and California law. Fingerprinting operates in a genuinely different regulatory space — not because the data collected is less sensitive, but because no consent mechanism exists for it. Users cannot accept or reject a fingerprint request. The browser does not ask. There is nothing to clear.

Google's 2019 position was, in retrospect, a way of maintaining regulatory distance from the most legally exposed tracking mechanism the industry had developed while continuing to operate the tracking infrastructure that was already regulated. When the regulated infrastructure became untenable — when Safari and Firefox blocked third-party cookies, when regulatory penalties accumulated, when the industry's own public position on privacy became politically untenable — Google moved to the unregulated alternative. The company did not reduce surveillance. It moved it to a lower legal ground.

Google positioned the reversal as an advancement in privacy protection. The privacy community received it as the elimination of a constraint, not the introduction of one.

The "privacy-enhancing technologies" framing deserves specific attention. Google cited advances in PETs as justification for permitting fingerprinting. This refers specifically to its own Privacy Sandbox APIs — Topics API, Protected Audience API — which are designed to run within Chrome rather than relying on external tracking mechanisms. The structure of the argument is that because Google has built alternative tracking infrastructure inside Chrome, Chrome can now accept the older tracking infrastructure that the alternatives were designed to replace. The PETs are real. The Privacy Sandbox APIs exist and are in active development. But the PETs operate in parallel with fingerprinting, not in place of it.

What Remains

The industry accepted Google's reframing. The trade press covered the policy change accurately: Google had reversed a long-standing prohibition on a tracking technique. The company's own prior statements about why that technique was unacceptable were available to anyone who looked. Most people did not look. The ICO's direct quotation of Google's 2019 statement received significantly less coverage than the original policy change.

What remains is the surveillance infrastructure, now operating at full capacity, in a configuration that offers users fewer legal protections than the one Google spent five years saying was unacceptable. The mechanisms are the same. The legal obligations are less. The market position is unchanged — Google still processes the majority of global digital ad spend, now with broader technical capacity to track users across devices and contexts without explicit consent.

The 2019 statement was not a lie. Google did, in August 2019, believe that fingerprinting was a surveillance mechanism that subverted user choice. The company also believed, correctly, that maintaining that position was compatible with operating the largest digital advertising infrastructure in the world. When that compatibility ended, the position changed. The infrastructure remained.

· · ·
References

Justin Schuh, "Why Chrome is Ending Support for Third-Party Cookies," Google Chrome Blog, August 22, 2019.
Google Advertising Blog, "Google's Approach to Privacy," May 2019.
Zengrui Liu, Jimmy Dani, Yinzhi Cao, Shujiang Wu, Nitesh Saxena, "The First Early Evidence of the Use of Browser Fingerprinting for Online Tracking," ACM WWW 2025, April 28–May 2, 2025, Sydney. DOI: 10.1145/3696410.3714548.
Peter Snyder, Anthony D. Joseph, Zachary B. Kli, Butler W. Lampson, "Privacy and Tracking in HTTP Header Bidding," ACM CCS 2024.
Gunes Acar, Steven Englehardt, Arvind Narayanan, "No Gateway: An Empirical Study of Devices That Don't Request Locator Permissions," Princeton University.
UK Information Commissioner's Office, statement on Google advertising policies, December 19, 2024.
Lena Cohen, EFF Staff Technologist, statement to BBC News, February 2025.
AdExchanger, "Google Opens the Door to Device Fingerprinting," February 2025.
EFF Panopticlick, "How Unique Is Your Web Browser?" 2010; re-launched as Cover Your Tracks, 2020.