The CNIL has penalized Google for advertising practices in Gmail and cookie consent violations impacting over 74 million users in France.
On September 1, 2025, France’s data protection authority (CNIL) imposed a €325 million fine on Google for two privacy violations: displaying email-like advertisements in Gmail without user consent and placing advertising cookies during Google account creation without valid consent. The investigation stemmed from a 2022 complaint filed by privacy group NOYB and resulted in inspections throughout 2022 and 2023.
The CNIL ruled that inserting ads between emails in Gmail’s “Promotions” and “Social” tabs constituted direct email marketing, requiring explicit user consent under French law. Google failed to obtain this consent.
The CNIL also found that during the Google account creation process, users were nudged toward accepting cookies for personalized advertising without clear or balanced alternatives. Consent was not freely given, nor were users clearly informed that cookie placement was a condition of accessing services.
As a result, Google LLC was fined €200 million and Google Ireland Limited €125 million. Both entities were also ordered to change their practices within six months or face a €100,000 daily penalty. More than 74 million accounts were affected by the cookie violation alone, and over 53 million users were shown the Gmail ads without proper consent.
Despite visual changes to the Gmail ads in April 2023, the CNIL said they remained too similar to real emails and continued to fall under direct marketing rules.
The CNIL cited a 2021 ruling from the Court of Justice of the European Union (CJEU), which clarified that unsolicited ads in inboxes, even when styled as emails, qualify as direct marketing and require consent. While Google modified its interface and added a more balanced cookie consent button in October 2023, the CNIL said this came too late and did not resolve prior violations.
The CNIL reaffirmed its jurisdiction based on French law, noting that the GDPR’s one-stop-shop mechanism does not apply to cookie enforcement. The regulator also stressed Google France’s part in operations targeting French users, granting it territorial authority under Article 3 of the French Data Protection Act.
The enforcement fell under France’s ePrivacy rules, not the GDPR, so the “one-stop-shop” mechanism didn’t apply. The CNIL had territorial jurisdiction because the activities targeted users in France.
Not always. However, cookie use for advertising typically falls under the ePrivacy Directive, which is implemented through national laws, in this case, the French Data Protection Act.
The ads appeared in tabs labeled “Promotions” and “Social” and mimicked regular emails. The CNIL said users may not have clearly distinguished them from genuine messages, which qualified the ads as direct marketing.
Google must stop showing Gmail ads without consent and revise its cookie consent process to ensure it is informed, free, and balanced. These changes must be in place within six months.
Yes. The CNIL fined Google in both 2020 and 2021 for cookie-related violations, which contributed to the regulator’s decision to classify the company’s actions as negligent in this case.