The CNIL has penalized Google for advertising practices in Gmail and cookie consent violations impacting over 74 million users in France.
What happened
On September 1, 2025, France’s data protection authority (CNIL) imposed a €325 million fine on Google for two privacy violations: displaying email-like advertisements in Gmail without user consent and placing advertising cookies during Google account creation without valid consent. The investigation stemmed from a 2022 complaint filed by privacy group NOYB and resulted in inspections throughout 2022 and 2023.
The CNIL ruled that inserting ads between emails in Gmail’s “Promotions” and “Social” tabs constituted direct email marketing, requiring explicit user consent under French law. Google failed to obtain this consent.
Going deeper
The CNIL also found that during the Google account creation process, users were nudged toward accepting cookies for personalized advertising without clear or balanced alternatives. Consent was not freely given, nor were users clearly informed that cookie placement was a condition of accessing services.
As a result, Google LLC was fined €200 million and Google Ireland Limited €125 million. Both entities were also ordered to change their practices within six months or face a €100,000 daily penalty. More than 74 million accounts were affected by the cookie violation alone, and over 53 million users were shown the Gmail ads without proper consent.
Despite visual changes to the Gmail ads in April 2023, the CNIL said they remained too similar to real emails and continued to fall under direct marketing rules.
What was said
The CNIL cited a 2021 ruling from the Court of Justice of the European Union (CJEU), which clarified that unsolicited ads in inboxes, even when styled as emails, qualify as direct marketing and require consent. While Google modified its interface and added a more balanced cookie consent button in October 2023, the CNIL said this came too late and did not resolve prior violations.
The CNIL reaffirmed its jurisdiction based on French law, noting that the GDPR’s one-stop-shop mechanism does not apply to cookie enforcement. The regulator also stressed Google France’s part in operations targeting French users, granting it territorial authority under Article 3 of the French Data Protection Act.
FAQs
Why did the CNIL, not another EU regulator, handle this case?
The enforcement fell under France’s ePrivacy rules, not the GDPR, so the “one-stop-shop” mechanism didn’t apply. The CNIL had territorial jurisdiction because the activities targeted users in France.
Do cookie consent violations always fall outside of the GDPR?
Not always. However, cookie use for advertising typically falls under the ePrivacy Directive, which is implemented through national laws, in this case, the French Data Protection Act.
How were the Gmail ads different from regular emails?
The ads appeared in tabs labeled “Promotions” and “Social” and mimicked regular emails. The CNIL said users may not have clearly distinguished them from genuine messages, which qualified the ads as direct marketing.
What steps must Google take to comply?
Google must stop showing Gmail ads without consent and revise its cookie consent process to ensure it is informed, free, and balanced. These changes must be in place within six months.
Has Google been fined by the CNIL before?
Yes. The CNIL fined Google in both 2020 and 2021 for cookie-related violations, which contributed to the regulator’s decision to classify the company’s actions as negligent in this case.
Farah Amod
.jpg)