Google reversed its fingerprinting ban — and killed Privacy Sandbox. Here's what online tracking looks like now.

The story that was supposed to happen: Google would deprecate third-party cookies, force the industry to adopt Privacy Sandbox alternatives, and the web would become more private. The story that actually happened: Google reversed its ban on fingerprinting in February 2025, officially discontinued Privacy Sandbox in April 2025, never completed the cookie phase-out it had promised repeatedly since 2020, and by 2026 online tracking is more technically sophisticated and harder for users to block than it was when this story started.

Understanding what happened requires separating three distinct threads that got tangled together in the coverage: the fate of third-party cookies, the fate of Privacy Sandbox, and the rise of fingerprinting as the successor tracking method. They're related but not the same story.

What happened to third-party cookies

Third-party cookies — the mechanism that allows an ad network to recognize you across different websites where its ads appear — were supposed to die in Chrome by 2022. That deadline slipped to 2023, then 2024, then Q4 2025. In April 2025, Google confirmed it would not implement a universal phase-out of third-party cookies in Chrome. Instead, it would maintain the existing cookie controls in Chrome settings and give users a one-time prompt to configure their preferences.

This is not a technical victory for third-party cookies. Safari and Firefox have blocked cross-site tracking by default for years, and those browsers collectively account for roughly 35% of global web traffic. Chrome's decision not to deprecate means third-party cookies persist in the browser used by 65% of the web — but the ad industry had already been adapting to their eventual death, and many of those adaptations turned out to be fingerprinting-based.

The practical outcome: third-party cookies still work in Chrome, but their reach is limited by consent frameworks, the fact that many users ignore or dismiss cookie banners, and the ongoing erosion of their effectiveness as identity resolution infrastructure shifts to other methods.

Privacy Sandbox: the alternative that didn't materialize

Privacy Sandbox was Google's attempt to replace third-party cookie functionality with privacy-preserving alternatives. The flagship proposals — Topics API (interest-based advertising without individual tracking), Attribution Reporting API (measuring ad conversions without cross-site data) — were designed to let the ad ecosystem function without individual cross-site identifiers.

Privacy Sandbox was officially discontinued in April 2025. The stated reasons: low adoption from websites and the ad tech industry, regulatory pressure from the UK's Competition and Markets Authority (which had concerns about whether Privacy Sandbox primarily served Google's ad business rather than the broader ecosystem), and the practical reality that without the mandated cookie deprecation forcing migration, there was no compelling reason for the industry to adopt incomplete alternatives.

The ICO in the UK maintained that Privacy Sandbox still required explicit user consent for tracking purposes — meaning Privacy Sandbox didn't actually solve the consent problem, it just moved where consent was required. With that regulatory ruling, the business case for adopting Privacy Sandbox largely evaporated.

The fingerprinting reversal: what changed and what it means

Browser fingerprinting — creating a unique identifier for a device by combining characteristics like GPU rendering behavior, installed fonts, screen resolution, timezone, battery status, and hundreds of other signals — has been technically possible for years. Google had previously classified fingerprinting as a violation of its advertising policies, putting it in the same category as practices that circumvent user privacy controls.

In February 2025, Google reversed that policy. Fingerprinting is now permitted within Google's advertising products, with Google citing privacy-enhancing technologies as the justification. In practice, this means fingerprinting went from a technique that advertisers used quietly and deniably to one that is openly deployed and officially sanctioned by the world's largest digital advertising company.

The technical state of fingerprinting in 2026 is sobering. Modern fingerprinting systems combine over 100 device and browser signals. AI-powered analysis of those signals achieves identification accuracy of up to 99.78% on mobile devices. Even with JavaScript disabled, canvas fingerprinting, font enumeration, and behavioral signals can identify users with 94.2% uniqueness. The technique works in private browsing mode, survives cookie deletion, and persists across browser updates because the underlying hardware and software configuration changes slowly.

The UK ICO maintains that fingerprinting requires explicit user consent under GDPR — a position that creates legal tension with Google's permitted-use policy. But enforcement of that tension depends on regulators having both the resources and the technical capacity to audit fingerprinting deployments at scale, which is substantially harder than auditing cookie use.

Polymorphic fingerprinting: why blocking is getting harder

Traditional fingerprinting can be partially defeated by anti-detect browsers — tools that spoof browser characteristics, present fabricated canvas renders, and manipulate other fingerprinting signals to create a misleading device profile. Privacy-focused browsers like Brave and Firefox implement some fingerprinting resistance by design.

Polymorphic fingerprinting, which emerged in 2026, changes the adversarial dynamic. Rather than using static JavaScript that fingerprinting-blocking tools can identify and intercept, polymorphic fingerprinting dynamically alters the code used to collect signals — changing function names, execution order, and data transformation patterns on each request. Server-side coherence validation then checks whether the fingerprint pattern matches expected behavior, flagging inconsistencies that suggest spoofing. Anti-detect browsers that succeed in blocking one fingerprinting implementation find themselves re-identified because the spoofed signals are internally inconsistent in ways the server can detect.

The arms race between fingerprinting and fingerprinting resistance has always existed. Polymorphic fingerprinting represents a genuine advancement in the fingerprinting side's capabilities, not just an incremental improvement.

What's actually replacing cookies: the industry's real answer

The ad tech industry's real response to the cookie's limited future is not any single Google-endorsed API — it's a combination of approaches that collectively reduce dependence on any one tracking mechanism:

First-party data: Data collected directly from users who have explicitly provided it — email addresses, purchase history, declared preferences. This data is highly accurate and consent-compliant but limited to brands that have direct relationships with users.

Unified ID 2.0 (UID 2.0): An open-source framework that creates anonymized, encrypted identifiers from email addresses with user consent. The publisher asks for an email; UID 2.0 turns it into a pseudonymous ID that can be used for targeting without exposing the raw email to advertisers. Adoption is growing but requires user action (providing an email) that most browsing doesn't involve.

Data clean rooms: Secure computation environments where multiple parties can analyze their combined datasets without sharing raw user data. A brand can bring first-party customer data; a publisher can bring logged-in user data; the clean room finds the overlap and measures campaign effectiveness without either party seeing the other's raw records.

Contextual advertising: Targeting based on the content of the page being viewed rather than the history of the user viewing it. A user reading a car review gets car ads regardless of their browsing history. Lower precision than behavioral targeting, but no cross-site tracking required.

None of these fully replaces the precision of behavioral targeting using cross-site tracking. That precision is gone for the users who block cookies, use Safari, or are covered by GDPR consent requirements. For the users who aren't — the majority — fingerprinting is the default identifier in a world where cookie-based alternatives have largely failed to launch.

What users can actually do

Practically: use Firefox or Brave rather than Chrome, both of which have more aggressive fingerprinting resistance built in. Enable strict tracking protection (Firefox) or fingerprinting shields (Brave). Use a VPN to obscure your IP, which is one of the strongest fingerprinting signals. Understand that private browsing mode prevents local tracking (saved history, cookies) but does not prevent fingerprinting — the device characteristics are the same regardless of the browsing mode.

No consumer tool completely defeats modern fingerprinting. What fingerprinting resistance does is make you part of a larger group that looks the same — which limits behavioral targeting even if it can't eliminate device identification entirely. The privacy gap between a fingerprinting-resistant browser and a default Chrome installation is real and significant.