Google fined €325 Million by French regulator over ads and cookies

France’s CNIL fined Google €325 million for showing Gmail ads without consent and setting cookies improperly during account creation. The ruling affects tens of millions of French users and requires Google to change its practices or face further penalties.
Google fined €325 Million by French regulator over ads and cookies

France’s data protection watchdog, the CNIL, has fined Google €325 million for placing advertisements in Gmail inboxes without user consent and for setting cookies during the creation of Google accounts without properly informing users. The penalty follows investigations triggered by a 2022 complaint from privacy group NOYB (None Of Your Business).

What the CNIL found

The CNIL’s inspections between 2022 and 2023 focused on Gmail and Google account sign-ups. They found two major breaches:

  1. Ads in Gmail without consent
    • Gmail users who enabled ‘smart features’ to sort their inbox into tabs like Primary, Promotions, and Social were shown advertising messages that looked like regular emails.
    • These ads appeared without user consent, which violates French law on electronic communications.
    • Even though Google adjusted the look of these ads in 2023 to make them easier to spot, the CNIL ruled they still counted as direct marketing by email, and therefore required explicit consent.
  2. Cookies without informed consent
    • When creating a Google account, users were steered toward accepting cookies for personalised ads rather than generic ones.
    • Until October 2023, refusing these cookies was harder than accepting them, and users were not clearly told that accessing Google services required cookie placement.
    • This meant consent was not freely given or fully informed, breaching France’s Data Protection Act.

Penalties and orders

  • Google LLC was fined €200 million, while Google Ireland Limited was fined €125 million.
  • The companies have six months to fix the issues:
    • Stop displaying ads in Gmail without prior consent.
    • Ensure account-creation cookies are based on valid, informed consent.
  • If they fail, both firms face €100,000 in daily penalties.

The CNIL emphasised that the breaches affected a huge number of users in France: over 74 million Google accounts, with 53 million Gmail users exposed to ads in their inbox tabs.

Context and past violations

Google is a dominant player in online advertising, and Gmail is the world’s most-used email service. The CNIL noted Google had already been sanctioned in 2020 and 2021 for cookie-related violations, making these new breaches a sign of negligence.

The CNIL also clarified that this case falls under the ePrivacy Directive, not the GDPR. That gave it direct jurisdiction, since the practices targeted French users and involved Google’s French operations.

Why this matters

This ruling underscores the importance of user consent in online advertising. For consumers, it highlights how ads and cookies can be embedded into services in ways that are not always transparent. For civil society, the decision reinforces the push for stronger enforcement of privacy rights against powerful tech firms and greater accountability in how digital services operate.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top