The French data protection authority (CNIL) has dealt a heavy blow to Google, imposing a €325 million ($378 million) fine for breaching cookie consent regulations and displaying ads inside Gmail without proper user approval. This penalty marks yet another chapter in the ongoing battle between regulators and Big Tech over digital privacy and consumer rights.
Following investigations conducted between 2022 and 2023, CNIL determined that Gmail’s “Promotions” and “Social” tabs displayed targeted advertisements without explicit user consent. These practices violated Article L. 34-5 of the French Postal and Electronic Communications Code (CPCE) and Article 82 of the French Data Protection Act, which mandate that companies obtain clear, prior consent before placing cookies or serving ads based on tracking data.
According to CNIL, the scope of the breach was massive. Over 74 million Gmail accounts were impacted in France alone, with 53 million users exposed to ads they never agreed to receive. Regulators emphasized that Google’s failure to inform users when creating new accounts was a serious violation of transparency and consent obligations.
The watchdog further noted that Google’s conduct showed negligence, especially given the company’s history of repeated infractions. In recent years, Google has faced multiple fines in France for cookie-related issues, including €100 million in 2020, €150 million in 2021, and €170 million in 2022 for making it unnecessarily difficult for users to refuse tracking cookies.
Beyond cookie violations, Google has a long track record of regulatory clashes in Europe. Past penalties include $2.72 billion (2017) for search bias, $1.7 billion (2019) for anti-competitive advertising practices, €220 million (2021) for favoring its services, and $11.3 million (2021) for aggressive data collection. This latest fine adds to the mounting pressure on the tech giant to reform its compliance strategy.
In its statement, CNIL reinforced its stance: while companies have made progress in cookie compliance, regulators remain vigilant against practices such as cookie walls—forcing users to accept tracking as a condition for service. The watchdog also issued a €150 million fine to Shein’s Irish subsidiary for similar cookie-related breaches, sending a clear signal that enforcement will remain strict across all digital platforms.
Conclusion: This landmark ruling highlights a growing trend in European data protection enforcement. By penalizing Google once again, French regulators underscore the importance of user consent, transparency, and accountability in digital advertising practices. For global tech companies, the message is unmistakable: failure to comply with data privacy laws will result in escalating financial and reputational consequences.
