Starting 4 August, users in the European Economic Area, the United Kingdom, and Switzerland will have their IP addresses made available to third-party advertisers through a platform that has, until now, restricted that data to basic traffic routing and regional ad display. The change, confirmed by the tech giant behind the world's dominant advertising infrastructure, represents one of the most significant reversals on user privacy that the digital advertising industry has seen in years. For millions of users who assumed their browsing habits remained relatively opaque, the shift demands attention.
What IP Addresses Actually Reveal - and Why That Matters Under the Law
An IP address is not merely a technical label. Under the General Data Protection Regulation, which governs data handling across the EU and, through its UK equivalent, continues to apply in Britain post-Brexit, an IP address qualifies as personal data. That classification carries real legal weight: any entity wishing to process it for advertising purposes must first obtain valid, freely given, specific, and informed consent from the user.
The practice being expanded here falls within what regulators describe as "fingerprinting" - a method of tracking that identifies a device, and by extension its user, across different websites and sessions without relying on cookies. Unlike cookies, which users can delete, a device's IP address cannot be erased by the person it identifies. That asymmetry is precisely what makes IP-based profiling more invasive than conventional cookie tracking. Regulators have long treated fingerprinting with particular suspicion for this reason: it builds persistent behavioural profiles that users cannot meaningfully interrupt.
The UK's Information Commissioner's Office has already signalled its unease. When the broader shift away from fingerprinting restrictions was first announced in 2024, the ICO characterised the reversal as "irresponsible" - an unusually direct criticism from a regulator typically measured in its public language. The ICO's 2026 guidance, published just weeks before this latest development, reiterated that cross-site behavioural profiling continues to require explicit consent. The timing could hardly be less comfortable for the advertiser ecosystem now being asked to absorb these new tracking capabilities.
A Consent Framework With Built-In Gaps
Rather than obtaining consent itself, the platform is placing that obligation on individual advertisers, instructing them to comply with its EU User Consent Policy and to secure valid agreement from users before deploying IP-based targeting. On paper, this is a defensible legal architecture. In practice, it distributes compliance responsibility across thousands of advertisers of varying size, sophistication, and good faith.
Consent interfaces - the cookie banners and permission prompts most users encounter daily - have a documented history of being designed to steer users toward acceptance rather than genuine informed choice. Regulators in France, Ireland, and the Netherlands have each taken enforcement action against misleading consent mechanisms in recent years. The concern now is that adding another layer of data collection to an already opaque consent ecosystem will further erode the meaningful choice that GDPR was designed to protect.
Current opt-out tools remain limited to existing cookie and ad personalisation settings - controls that were not built with IP-based tracking in mind and do not address it directly. Users who believe they have already restricted ad profiling may not realise that a new vector has opened that falls outside those controls entirely.
How a VPN Restores Some Degree of Control
A virtual private network works by routing a user's internet traffic through a remote server, replacing their real IP address with one belonging to that server. Websites, advertisers, and tracking scripts see the VPN server's address rather than the user's actual location or device. This directly undermines IP-based profiling: if the address observed by a third party belongs to a shared server used by thousands of people, it cannot be used to build an individual behavioural profile.
Established providers including NordVPN, Surfshark, and Proton VPN offer features specifically designed to reduce tracker exposure beyond IP masking. These include dedicated tools - marketed under names such as ThreatProtection, CleanWeb, and NetShield - that block known tracking domains, suppress intrusive cookie prompts, and substitute alternative identifiers. Some providers have also begun integrating anti-fingerprinting protections at the browser extension level. Windscribe, for instance, has built such functionality into its Chrome and Edge extensions, while Mullvad developed an entire browser around fingerprinting resistance.
Free VPNs, among them ProtonVPN Free, Windscribe Free, and Privado VPN Free, offer meaningful protection for users unwilling or unable to pay for a subscription. The trade-offs are real, however: free tiers typically restrict the number of available servers, which can reduce connection speed and limit the geographic flexibility that makes a VPN useful. For users primarily concerned with blocking IP-based ad tracking in everyday browsing, a reputable free tier may still be sufficient.
Browser choice also matters. Mozilla Firefox incorporates built-in tracker blocking, a free proxy option, and fingerprinting protections - making it a practical first line of defence for users who are not ready to adopt a VPN. Using a privacy-oriented browser alongside a VPN produces a more robust barrier than either tool alone.
The Broader Shift This Represents
What makes this moment significant is not simply the technical change, but what it signals about the trajectory of digital privacy commitments made by large advertising platforms. As recently as 2019, fingerprinting was publicly characterised as wrong - a practice that undermined user autonomy. Within five years, that position has reversed completely. The commercial logic is not difficult to follow: as third-party cookies are phased out under regulatory and browser-level pressure, the advertising industry has intensified its search for alternative identifiers. IP addresses are persistent, widely available, and difficult for users to control. They are, from an advertiser's perspective, an attractive substitute.
For users in the EEA, the UK, and Switzerland, the practical response is straightforward: treat IP address exposure as a genuine privacy risk rather than an abstract technical concept, review existing ad personalisation settings with the understanding that they may not cover IP-based tracking, and consider whether a VPN or a privacy-first browser belongs in your regular toolkit. The regulatory framework that should protect you is still in place - but its enforcement depends on regulators moving faster than the advertising ecosystem is currently moving around it.