In much the same way as Google decided not to kill off third-party cookies in Chrome, the company’s recent announcement of a more relaxed stance on fingerprinting has certainly raised some eyebrows.
With the ad policy update, which came into force in February, Google has adopted a more lenient approach to how advertisers, vendors and publishers can attempt to track users across digital mediums, such as CTV and game consoles, by creating a digital fingerprint for identifying individual devices.
In announcing this update, Google cited advancements in Privacy Enhancing Technologies (PETs) that make this device tracking more viable and secure than it was before. This stance has come full circle with the move to use IP addresses within DV360’s connected TV offering.
Yet many in the industry see Google’s fingerprinting reversal as an irresponsible move due to privacy concerns, particularly in regions with strict data regulations.
Here’s why:
How does fingerprinting work?
Fingerprinting is a technique used to identify users across the web, combining various signals and identifiers, such as IP addresses, to link users across browsers and devices. It’s mainly used in ad targeting, cross-session and device tracking, and fraud detection.
Yet, unlike cookies, which users can delete or block within their browser settings, fingerprinting operates server-side, making it a persistent tracking mechanism. (The ability to get around browser limitations is why server-side ad management is gaining steam – see the IAB Tech Lab’s new server-side framework.)
Web-based fingerprinting normally uses some form of JavaScript and HTTP requests to capture different signals. The fingerprint is then stored in a server where it is enriched or maintained over time.
For mobile apps, rather than collecting data through server integrations, there is more emphasis on collecting data on the device where a mobile Software Development Kit (SDKs) can capture the signals.
When fingerprinting is applied in ad tech, analytics tools may infer certain metrics from a fingerprint, like sessions or conversions.
Furthermore, alternative ID solutions can take a probabilistic approach with fingerprinting to build up an ID graph, which works on the idea of stitching together different touch points to a known user. There are plenty of solutions that already employ this tactic.
On the flip side, a fingerprint can also be used to spot fraudulent/bad actors and aid in their removal, which is a valuable use case for fraud prevention and bot detection.
Why is fingerprinting considered negative?
Fingerprinting is controversial, in large part, because of its reliance on IP address tracking.
Any use of personal data in advertising raises the need for user consent to comply with legal standards. Certain countries – and certain US states, including California – consider IP addresses to be personal data.
While PETs can play a role in how a fingerprint is defined and shared, the broader ethical question about device tracking and user consent remains the elephant in the room.
The lack of control of how data is collected, and how consent is given, has led regulatory bodies and major tech companies like Google (on the Chrome side) and Apple to take measures to limit or regulate fingerprinting in their browsers.
Notably, Google Chrome’s Privacy Sandbox proposal for IP Protection continues to progress forward. Google has published a list of masked domains that will receive a masked IP address that is different from the user’s actual IP address if accessed in a third-party context, mainly to avoid the possibility of unconsented fingerprinting. This list even includes Google’s own ad tech domains.
Yet the challenge is that it is nearly impossible to police a fingerprint. There is limited oversight of how fingerprinting is used and which third parties gain access to the data, as well as how to even spot whether a fingerprint exists. This makes it difficult to regulate, even though it can be subject to strict regulatory laws.
While fingerprinting is generally a probabilistic method that may use some deterministic variables (such as IP addresses) for input, there is an ethical concern that it may lead to excessive tracking and profiling of individuals without their knowledge.
This can create compliance risks for businesses using this technique, which is why it is quite rare for a vendor or company to admit they are fingerprinting.
And, given those challenges and Google Chrome’s previous attempts to crack down on fingerprinting, it makes the Google Ads team’s apparent reversal on the issue all the more baffling.
What is the future of fingerprinting?
It remains to be seen how this change to Google’s ad policy will disrupt how its ad tools are used going forward. The timing of the update, however, seems to coincide with Google wanting to be more competitive in CTV where it has been weaker compared to other platforms.
It’s likely that Google Chrome and Android will continue to prevent fingerprinting through the Privacy Sandbox IP Protection proposal. In a similar manner, Apple has already taken precautions to prevent fingerprinting on Safari and iOS.
But Google’s Ads team appears to be saying fingerprinting is fair game for CTV, as long as the data is properly collected and protected. And it joins other vendors in the CTV space who employ the same tactics.
Fragmentation within Google’s policies aside, don’t be surprised if data regulators continue to pay close attention to how vendors implement fingerprinting in their products, particularly in relation to consent.
To prepare for the future, advertisers should evaluate whether their vendors are using fingerprinting in their services or solutions. And if they are, then they need to ask for transparency, including the signals collected and the methodology used.
With the primary concern around privacy, organizations must prioritize compliance and risk management by involving legal and security teams to assess regulatory risks and ensure alignment with evolving data privacy laws.
Despite Google’s changes, fingerprinting remains a contentious practice. Ultimately, the question should always be whether fingerprinting will bring enough value to justify the ethical conundrum and legal scrutiny that comes with it.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Follow Kepler and AdExchanger on LinkedIn.
For more articles featuring Jonathan D’Souza-Rauto, click here.
