Privacy concept vector graphic showing a laptop displaying a padlock on its screen superimposed on a shield.
Source: Shutterstock

As Google moves to roll out its long-awaited replacement for third-party tracking cookies, Topics, at the beginning of next year, another type of identifier has entered its crosshairs: IP addresses.

Google is now testing a feature from its Privacy Sandbox initiative called IP Protection, formerly known as ‘Gnatcatcher’, in anticipation of a wider rollout. The proposal for IP Protection dates back to 2021, but initial testing is now being carried out with plans to make the feature opt-in and eventually, the default for all Chrome users.

From an advertising perspective, IP addresses can be highly useful for granular location targeting, allowing marketers to target and measure campaigns at the level of an individual household or workplace; they can also be used as a fallback when other types of identifier, such as cookies or device IDs, are unavailable. Potentially good news in the wake of the cookiepocalypse, you might think.

However, IP addresses have a privacy problem: they lack control on the user side, as users cannot disable them or turn them off (although using a Virtual Private Network, or VPN, to obscure their IP is an increasingly popular choice). Due to this, and the hyper-specific location insight that they can provide, tech companies like Apple and Microsoft have made moves in recent years to prevent IPs being used for tracking or targeting. Now, it’s Google’s turn.

How could IP Protection affect advertising if it becomes the default for all Chrome users, and what should marketers do? We spoke to some clued-in industry experts for their thoughts.

How does IP Protection work?

Andrew Hood, CEO at independent analytics consultancy Lynchpin, summarises IP-based targeting and the proposed function of Google’s IP Protection as follows:

“IP addresses can often be exceptionally strong (and hence potentially invasive) personal identifiers, especially for home users with static IP addresses – for them it’s a permanent, unclearable and unchangeable identifier of the household. Even when IP addresses are dynamic (which might mean you get a new one every few hours or days) they still represent an unclearable persistent identifier for the duration of their assignment.

“The planned IP Protection functionality for Chrome mirrors the Private Relay functionality that already exists in iOS for paid iCloud subscribers. The impact is the same: browser requests to third parties end up being bounced through one or more proxies so that multiple requests from the same user no longer appear to come from the same source IP address, hence preventing IP address being used as any form of user identifier.”

What this looks like on the analytics side, says Hood, is “[an] immediate … reduction in granularity for understanding user location … [And] as the different proxy addresses typically end up being in different locations, users appear to bounce around at a rate that defies any speed of possible travel!

“In practical terms it means geolocation starts to only work at a country level (proxies typically sit within a country to avoid things like legal and/or language customisation breaking) and city level data can no longer be relied upon.”

How severely could Google’s IP Protection rollout impact targeting and measurement?

“It’s unclear to what extent platforms rely on IP addresses for their targeting,” says Wes Parker, Co-Founder and Managing Director at performance agency DemandMore. “However, you’d assume it would be a significant factor in their determination, as platforms state they use multiple factors to determine the location of users.

“Platforms may start to use information such as the last known IP address or the location the user signed up for the platform in place of the current IP address they are using, but this will, of course, be less accurate. Regarding tracking, especially with Google Ads and Facebook Ads moving towards a server-to-server approach and using hashed emails as identifiers, I can’t see masking IP addresses having a significant impact on the accuracy of the measurement.”

“IP addresses are personal information and there would be a strong regulatory argument in most jurisdictions that they shouldn’t be or have been used for measurement or targeting without consent in any case,” notes Hood. “Which means their masking shouldn’t make any difference at all… however if the reality is that IP addresses have been being used covertly as the whole or part of a device fingerprint for measurement, clearly IP Protection is going to put a stop to it, and networks that have been using it will lose the corresponding ability to attribute and re-target as a result.”

Isabelle Baas, Chief Digital, Data & Technology Strategy Officer at media agency Starcom, adds, “Where … advertisers may utilise fingerprinting techniques as either the basis or supplementary way for targeting, they would be impacted by any rollout.

“Since Google’s announcement in 2021 that Chrome would be deprecating third party cookies, we’ve focused our efforts to offer our clients guidance and solutions fit for a privacy age. Fingerprinting was not on our list of acceptable techniques to leverage for targeting or measurement.

“Instead, we’ve partnered with clients to help build and activate their first party data, test consent-based cookieless solutions and invest in strong second party data partnerships. … We would urge any advertiser to vet any technology or partner based on consented privacy by design foundations.”

Will IP Protection entrench Google’s walled garden even further?

The rollout of IP Protection – while it may be a little way down the road, as Product Lead James Bradley acknowledges that Google “want[s] to give the ecosystem time to adjust and provide feedback before the feature is rolled out broadly” – seems beneficial for users and privacy as a whole.

However, it’s difficult to ignore the fact that the agent behind this move is also the biggest player in online advertising. Similar to the way that Google has replaced third-party cookies, a platform-agnostic piece of technology, with a solution that relies on its own browser-side collection of data, IP Protection could serve to further reinforce the ‘walls’ of Google’s advertising ‘garden’.

“Many in the industry believe that since Google’s proposal is to use two proxy servers to route Chrome traffic, one of which being Google’s, that this would in essence allow Google to maintain insight and tracking of users whilst denying third parties the same access to such information,” Baas summarises.

Lynchpin’s Andrew Hood adds, “If Google’s Privacy Sandbox becomes widely adopted, then the functionality within that sandbox for retargeting and conversion tracking without the sharing of individual user identifiers or data becomes the main game in town.

“It will be hard for other parties without Google’s penetration of the browser market to legitimately provide a similar approach in the absence of individual-level identifiers across sites – the demise of third party cookies and IP protection go hand-in-hand in entrenching that position.”

Highlighting the extent of Google’s browser market dominance, Parker points out that while 33% of internet users worldwide already use a VPN according to Forbes, the percentage that use Chrome is around 63% (according to Statista and GlobalStats). “If [IP Protection] became the default, you’d expect it to have a more significant impact … on targeting where platforms use IPs for identifying the location of the user.”

In the wake of this and the disappearance of third-party cookies, how can advertisers maintain visibility over their campaigns?

“Firstly, first party cookies are not going away and users that share their data with you actively and consensually are much easier to track and target,” reminds Hood. “This all just re-emphasises the importance of looking after your first party data strategy and first party analytics.

“For cross-site measurement and targeting, the functionality and gentle roll-out of the Privacy Sandbox in 2024 (and any competitors that emerge from other browser vendors) is the thing to watch. Ultimately the demise of universal individual identifiers – whether they are third party cookies or IP addresses – will happen in tandem with these roll-outs.”