France’s CNIL sanctions Google for privacy breaches linked to Gmail ads and invalid cookie consent, reinforcing EU rules on data protection.

Google has been fined €325 million by France’s CNIL for Cookie Consent Violations. The case shows how strict the EU is about protecting user privacy. The fine was announced on 1 September 2025 and targets practices around Gmail ads and cookie use during account setup.

The issue started after a complaint by the privacy NGO NOYB in 2022. Inspections revealed two key problems: ads inserted inside Gmail without user approval and cookies placed during sign-up without valid consent. Both actions broke French and EU rules, which require clear and free user choice.

This case is important because it involves millions of users in France and shows that even big tech firms must respect privacy laws. The CNIL also highlighted that Google’s dominant role in online advertising makes compliance even more critical. For users, the ruling underlines the right to control personal data and to decide whether or not to accept cookies easily and transparently.

Privacy Missteps Leading to the Fine

France’s CNIL opened an investigation into Google after a complaint by the privacy NGO NOYB. The case focused on Google’s handling of consent when it came to Gmail ads and the use of cookies during account creation. Regulators found that users were not properly informed and their choices were not respected. This meant consent was not valid under French law, a core requirement under the EU’s ePrivacy Directive.

The problem was twofold: first, advertisements were inserted into Gmail inboxes without asking users. Second, cookie settings pushed people toward accepting personalized ads. These practices created an uneven situation where rejecting cookies was harder than accepting them, undermining the idea of free choice. Both issues clearly fall under Cookie Consent Violations.

What makes this case striking is that Google had already been fined in 2020 and 2021 for similar breaches. The CNIL noted this pattern as an aggravating factor, which contributed to the high penalty. The lesson here is clear: repeated mistakes in handling user consent will attract stronger sanctions.

Ads Inside Gmail and User Confusion

One of the most visible issues was the way ads were displayed inside Gmail. Google placed promotional content directly into the “Promotions” and “Social” tabs, where users normally expect personal emails. To the average user, these ads looked like regular messages, blurring the line between genuine communication and advertising.

• Promotions tab ads — mixed with personal messages
• Social tab ads — blending with notifications from contacts
• Lack of clear labeling — making it hard to tell ads apart from real emails

This approach violated Article L.34-5 of the French Postal and Electronic Communications Code, which requires prior consent for commercial prospecting by email. Even after visual changes in 2023, the CNIL concluded that ads were still not sufficiently distinguished. For users, the effect was misleading: when opening Gmail, they could not be sure if a message came from a contact or from Google’s advertising system.

For further details, you can read the official CNIL announcement on its website.

Cookie Consent Violations During Account Setup

The CNIL also examined how cookies were managed during account creation. Users faced screens that encouraged them to accept personalized advertising cookies, while refusing was less straightforward. In practice, this pushed people into choices they might not have freely made. Consent, according to EU law, must be freely given and informed. Here, it was neither.

Google added a button in 2023 to allow rejecting cookies with one click. However, regulators found that the information provided was still incomplete. Users were not told clearly how their data would be used or what rejecting cookies meant for their access to services. This imbalance kept the consent invalid, showing that small adjustments were not enough to fix the root problem.

The case highlights why Cookie Consent Violations are more than just a technical detail: they directly affect user control and trust. Without full transparency, people cannot truly decide what happens to their personal data. On our site, you can also explore how digital safety and privacy affect everyday internet use.

The Scale and Impact of the Breaches

The CNIL emphasized the scale of Google’s practices. More than 74 million accounts in France were affected by invalid cookie consent, and about 53 million individuals received Gmail ads without proper approval. Numbers like these show that privacy violations at big tech companies impact entire populations, not just small groups.

Beyond the raw figures, the authority underlined that Google’s global dominance in online advertising gives it even greater responsibility. When a company plays such a central role, failing to respect privacy rules risks undermining public trust across the internet. This case is not just about money—it is about principles of transparency and fairness in digital services.

Repeated sanctions also point to a pattern. Google had already been penalized for similar issues, meaning this was not a one-off mistake. For regulators, this reinforced the need to send a strong message: ignoring consent rules is not an option.

Sanctions and Compliance Orders

The €325 million fine was not the only consequence. CNIL also issued a compliance order that forces Google to change its practices. The company has six months to stop inserting ads into Gmail without prior consent and to ensure that advertising cookies are placed only after valid approval during account setup. If Google fails to meet these conditions, it faces an additional daily fine of €100,000.

This enforcement action shows how European regulators combine financial penalties with practical requirements. The idea is not only to punish, but also to push companies toward compliance. For Google, the challenge is clear: adapt systems quickly and ensure that consent is real, not just a formality.

Other companies should see this as a warning. Regulators are watching, and failing to take consent seriously can result in both financial and reputational costs.

Broader Strategy and Global Implications

The CNIL’s action is part of a wider strategy started in 2019 to improve compliance with cookie rules. It involves issuing guidance, inspecting major online services, and sanctioning those who fall short. The message is consistent: users must have genuine choice and clear information before their data is collected.

• Guidance — explaining how to implement fair consent mechanisms
• Inspections — checking compliance in high-traffic services
• Sanctions — applying fines when companies ignore rules

Looking beyond France, this case reflects a global trend. Regulators in many countries are tightening rules on data privacy and online advertising. At the same time, Google is facing large antitrust fines in the EU, showing that both privacy and competition issues are under intense scrutiny. Together, these pressures highlight a new reality: digital giants must meet higher standards if they want to maintain user trust and operate freely in global markets. For deeper context, see BBC Technology coverage on similar privacy fines.

What this means for you

In short, France’s CNIL fined Google €325 million because it mixed ads with emails in Gmail and made cookie choices unfair during account setup. These Cookie Consent Violations affected millions of people and showed that even the biggest tech companies must follow the same rules as everyone else. The fine is not just about money—it is about making sure users have the power to say yes or no in a clear way.

What can you do right now? Take a moment to check the privacy settings on your email, browser, and apps. Look for options to manage cookies and advertising preferences. Saying “no” when you want to is your right, and it helps keep your online space more under your control. It only takes a few clicks but makes a big difference in how your data is used.

And here’s the reassuring part: you don’t need to be a tech expert to protect yourself. Regulators are stepping in to make the rules fairer, and simple habits—like reviewing settings—put you in charge. Think of it as choosing what kind of mail you want to receive at home. You decide what comes in. That’s how the internet should work too.

Disclaimer: This article is for informational purposes only and does not represent legal advice. For detailed guidance on data protection, consult the official resources of the European Data Protection Board.