Google fined €325 million by French regulator for Gmail ads and cookie violations

French data protection authority finds tech giant displayed advertisements between emails without consent and violated cookie requirements.

France's data protection authority CNIL imposed a combined fine of €325 million on Google on September 1, 2025, for displaying advertisements between Gmail users' emails without their consent and for placing advertising cookies during account creation without valid consent. The penalty includes €200 million against Google LLC and €125 million against Google Ireland Limited.

The enforcement action follows a complaint filed by privacy organization None Of Your Business (NOYB) on August 24, 2022. According to CNIL, the investigation revealed that Google inserted advertising messages in the form of emails among genuine messages in the "Promotions" and "Social" tabs of Gmail's messaging service, affecting more than 53 million users who illegally saw advertisements displayed in these tabs.

CNIL's investigation found that Google's cookie consent mechanism failed to meet legal requirements under Article 82 of the French Data Protection Act. The violations occurred during Google account creation, where users faced an imbalanced choice between accepting personalized advertising cookies or generic ones.

The investigation revealed that until October 2023, users selecting "express personalization" needed only two clicks to accept personalized advertising cookies, while rejecting them required navigating through six clicks across multiple screens. This disparity violated the requirement that consent mechanisms must provide equal accessibility for both accepting and rejecting cookies.

According to CNIL's findings, the consent-gathering mechanism "distorted the expression of choice by favoring consent to the deposit of cookies enabling personalised advertising, thereby altering the freedom of choice." The restricted committee noted that when a controller offers users different options with consequences for personal data processing, the expression methods must be equivalent in terms of actions required.

Beyond the mechanical imbalance, CNIL determined that users were never explicitly informed that creating a Google account necessitated cookie deployment for advertising purposes. The investigation found that information provided to users incentivized choosing personalized advertising over generic options, with extensive promotion of personalized benefits while generic advertising received minimal explanation.

Email advertising violations

The second major violation concerned Google's display of advertisements within Gmail inboxes. CNIL found that advertisements appeared between private emails in the "Promotions" and "Social" tabs, resembling genuine email messages in size, format, and placement. These advertisements were distinguished only by minor visual elements such as green "advertisement" labels and the absence of timestamps.

The ruling relied heavily on a November 25, 2021 judgment by the Court of Justice of the European Union (CJEU), which established that displaying advertising messages in email inboxes constitutes "use of email for direct marketing purposes" requiring explicit user consent. According to the CJEU decision, advertisements appearing in spaces normally reserved for private emails must follow the same legal regime as direct email marketing.

CNIL's restricted committee found that users who activated Gmail's "smart features" to organize emails into three tabs saw advertising messages inserted between their private communications without consent. The practice affected users who had chosen generic advertising during account creation, demonstrating that even users who attempted to limit personalization were still subjected to unwanted commercial messages in their inboxes.

Visual modifications proved insufficient

Google implemented visual changes to Gmail advertisements in April 2023, modifying the appearance to reduce confusion with genuine emails. The modifications included changing the color of "advertisement" labels from green to black, adding advertiser logos, and implementing different sizing for advertisement entries.

However, CNIL determined these changes were inadequate. The restricted committee noted that regardless of visual distinctions, advertisements remained inserted in spaces normally reserved for private emails, continuing to hinder users' access to their genuine correspondence. According to the ruling, users still needed to read advertisement titles and actively delete unwanted promotional content to access their private communications.

The decision emphasized that technical or visual differences between advertisements and emails are irrelevant when advertisements appear in inbox locations typically reserved for personal correspondence. CNIL stated that such placement creates "likelihood of confusion between those two categories of messages which may lead the user who clicks on the line corresponding to the advertising message to be redirected against his will."

Market position and financial impact

CNIL's penalty calculation considered Google's dominant market position in online advertising. The restricted committee noted that Google holds a "central position in the online advertising market" and operates the "second most widely used email service in the world." The investigation found that companies generate most profits in contextual advertising and targeted advertising segments, where cookies play crucial roles.

The financial assessment revealed that more than 74 million accounts were affected by cookie violations, while 53 million individuals illegally viewed advertisements in Gmail tabs. These figures only encompassed users residing in France, indicating the violations' massive scope within a single jurisdiction.

According to CNIL's analysis, Google's parent company Alphabet Inc. generated approximately $350 billion in global revenue in 2024. The restricted committee applied competition law principles to determine fines based on the economic unit's total capacity, treating Google LLC, Google Ireland Limited, and their parent company Alphabet as a single undertaking for penalty calculation purposes.

The decision represents one of CNIL's largest financial penalties to date, reflecting the authority's intensified enforcement approach toward major technology companies. The ruling noted that Google had previously been sanctioned by CNIL on two occasions in 2020 and 2021 for cookie-related violations, establishing a pattern of negligence.

CNIL rejected Google's arguments that the fine amount was disproportionate and that users were not harmed since Google's main services remain accessible without accounts. The restricted committee determined that the violations were "of proven seriousness" given their intrusive nature and the fundamental privacy rights at stake.

The enforcement action includes ongoing compliance requirements beyond the immediate financial penalty. Google must cease displaying advertisements between emails without prior consent and ensure valid consent for advertising cookies during account creation. Non-compliance will result in penalties of €100,000 per day after a six-month implementation period.

Technical implementation challenges

The investigation revealed complex technical architectures underlying Google's advertising systems. CNIL found that Google's Discovery service implemented advertisements uniformly across Gmail services worldwide, while "smart features" were disabled by default for European Economic Area users but enabled globally for others.

The decision-making structure within Google's organization showed significant involvement from Google LLC in European operations despite Google Ireland Limited serving as the primary controller for EEA users. CNIL determined both entities exercise joint responsibility for processing operations, with Google LLC maintaining substantial influence over European data processing decisions through internal governance structures.

According to technical documentation provided during inspections, Google's advertising ecosystem reaches more than two million websites, videos, and applications globally, connecting with over 90% of internet users worldwide. This extensive infrastructure demonstrates the scale at which cookie violations and unauthorized email advertising occurred.

Broader regulatory context

The penalty emerges amid heightened European scrutiny of American technology companies' data practices. France has recently taken enforcement action against multiple companies for cookie consent violations, including a €50 million fine against Orange in December 2024 for similar email advertising practices.

The decision aligns with CNIL's broader enforcement pattern targeting deceptive cookie consent mechanisms. In December 2024, the authority issued formal notices to multiple website publishers for using dark patterns in cookie banners that made rejecting cookies more difficult than accepting them.

European regulators have increasingly coordinated privacy and competition enforcement. The French Competition Authority recently imposed a €150 million fine on Apple for anticompetitive aspects of its App Tracking Transparency framework, demonstrating how privacy mechanisms can create unfair market advantages.

Publication and appeals process

CNIL has made the full decision publicly available on its website and on Légifrance, the French government's legal publication platform. The decision will allow company identification by name for two years from publication date, after which the companies will be anonymized in public records.

Google may appeal the decision to the French Council of State within four months of notification. The companies have not yet publicly announced their intention regarding potential appeals, though they actively contested CNIL's findings throughout the investigation and sanctioning procedure.

The six-month compliance timeline begins from formal notification of the decision to both Google entities. During this period, Google must implement technical and procedural changes to ensure valid consent collection for advertising cookies and eliminate unauthorized email advertising in Gmail inboxes.

Timeline

  • August 24, 2022: None Of Your Business files complaint with CNIL regarding Gmail advertising without consent
  • September 29, 2022: CNIL launches formal investigation into Gmail email service and Google account creation process
  • October-November 2022: CNIL conducts online monitoring missions and on-site inspections at Google France offices
  • April 19, 2023: CNIL expands investigation to cover cookie practices during Google account creation
  • April 2023: Google implements visual changes to Gmail advertisements to reduce confusion with emails
  • October 2023: Google modifies account creation process to allow easier rejection of personalized advertising cookies
  • July 2024: CNIL serves violation report to Google entities detailing proposed sanctions
  • June 26, 2025: CNIL's restricted committee holds hearing with Google representatives
  • September 1, 2025: CNIL imposes €325 million combined fine on Google LLC and Google Ireland Limited
  • Related context: French regulators have intensified cookie enforcement with updated guidelines published July 4, 2025
  • Related context: European privacy authorities continue targeting tech giants with recent rulings on Google services across multiple jurisdictions

Summary

Who: France's data protection authority CNIL imposed penalties on Google LLC (€200 million fine) and Google Ireland Limited (€125 million fine) following a complaint by privacy organization None Of Your Business.

What: The enforcement action addresses two major violations: displaying advertisements between Gmail emails without user consent, affecting 53 million users, and implementing biased cookie consent mechanisms during Google account creation that favored accepting personalized advertising over alternatives.

When: The final decision was issued September 1, 2025, following an investigation that began August 24, 2022, with violations occurring from the implementation of Gmail advertising features through October 2023 for cookie issues.

Where: The violations affected users located in France accessing Google services, with CNIL asserting territorial jurisdiction over cookie deployment and email advertising targeting French residents through Google's French establishment.

Why: CNIL determined Google violated Article 82 of the French Data Protection Act regarding cookie consent and Article L. 34-5 of the French Electronic Communications Code concerning electronic prospecting, with the authority emphasizing that obtaining valid user consent is fundamental to protecting privacy rights in digital communications.

PPC Land explains

CNIL (Commission Nationale de l'Informatique et des Libertés): France's independent data protection authority serves as the primary regulatory body overseeing privacy compliance within French territory. Established under French data protection legislation, CNIL possesses investigative powers, enforcement capabilities, and the authority to impose substantial financial penalties on organizations violating privacy regulations. The authority operates through various formations, including a restricted committee responsible for sanctioning procedures, and maintains jurisdiction over cookie deployment and electronic prospecting activities affecting French residents.

Cookies: Small data files stored on users' devices by websites and online services to track behavior, store preferences, and enable targeted advertising functionality. In Google's case, cookies deployed during account creation served advertising purposes by collecting user data to personalize promotional content across Google services. French and European regulations require explicit user consent for most cookie deployments, particularly those used for advertising purposes rather than essential website functionality.

Gmail: Google's email service represents the world's second-largest messaging platform, requiring Google account creation for access. The investigation revealed Gmail's "smart features" organized user inboxes into three tabs - Main, Promotions, and Social - with advertisements inserted between genuine emails in the latter two categories. Gmail's integration with Google's broader advertising ecosystem made it a focal point for both cookie violations during account setup and unauthorized email advertising within user inboxes.

Consent: The legal foundation for lawful personal data processing under European privacy regulations, requiring that user agreement be freely given, specific, informed, and unambiguous. Google's violations centered on consent mechanisms that were neither free (due to biased interface design favoring acceptance) nor informed (lacking clear explanation of advertising cookie necessity). Valid consent mechanisms must provide equally accessible options for both accepting and rejecting data processing activities.

Advertising: The commercial practice of promoting products or services, which in Google's context involves displaying promotional content across its service ecosystem. The investigation found Google inserted advertisements resembling genuine emails within Gmail inboxes and deployed cookies to enable personalized advertising targeting. Google's advertising revenue model, generating hundreds of billions annually, relies heavily on user data collection through cookies and targeted promotional content delivery.

Google account: The user authentication system providing access to Google's service ecosystem, including Gmail, YouTube, Google Search, and other platforms. Account creation processes were central to CNIL's investigation, as users faced biased choices between personalized and generic advertising options. The account creation pathway failed to clearly inform users that accepting any advertising cookies was mandatory for service access, violating informed consent requirements.

Violations: Legal infractions of privacy regulations, specifically Article 82 of the French Data Protection Act regarding cookie consent and Article L. 34-5 concerning electronic prospecting. CNIL identified systematic violations affecting millions of users through both biased consent collection mechanisms and unauthorized email advertising display. The violations demonstrated a pattern of behavior given Google's previous sanctions in 2020 and 2021 for similar cookie-related infractions.

Investigation: CNIL's comprehensive examination of Google's practices involved online monitoring, on-site inspections at Google France offices, technical analysis, and extensive documentation review. The investigation process spanned nearly three years, beginning with NOYB's complaint in August 2022 and concluding with the September 2025 penalty decision. Investigators analyzed both technical implementations and user interface designs to determine legal compliance failures.

Fine: The €325 million financial penalty imposed jointly on Google LLC (€200 million) and Google Ireland Limited (€125 million) represents one of CNIL's largest enforcement actions to date. Fine calculation considered Google's market dominance, global revenue scale, number of affected users, and previous violations. The penalty amount reflects both punitive and deterrent objectives, designed to ensure compliance costs exceed potential profits from illegal data processing activities.

Users: Individual persons whose personal data and privacy rights were violated through Google's unauthorized practices, numbering over 74 million accounts for cookie violations and 53 million for email advertising exposure. Users faced deceptive interface designs that encouraged accepting personalized advertising while making rejection unnecessarily complex. The decision emphasizes that protecting user privacy rights remains paramount regardless of the technological complexity or commercial interests involved in digital service provision.