The French data protection authority (CNIL) has fined Google €325 million for breaching EU privacy and ePrivacy rules. The penalty comes after investigations confirmed that Gmail users in France received unsolicited advertising emails disguised as regular messages, without providing valid consent.
Why Google Was Fined
The ruling follows a 2022 complaint by the privacy rights group noyb (None of Your Business). CNIL inspections revealed two major violations:
Spam Ads in Gmail Inboxes – Google displayed advertisements in the form of emails within Gmail’s “Promotions” and “Social” tabs. Since these ads appeared like genuine emails, they were considered direct marketing without consent, violating Article L.34-5 of the French Postal and Electronic Communications Code.
Cookie Consent Breach – Until October 2023, users creating Google accounts were steered toward accepting advertising cookies. Refusing cookies was deliberately harder, meaning consent was neither “freely given” nor “informed” as required under Article 82 of the French Data Protection Act.
The fine was split between Google (€200 million) and Google Ireland (€125 million). The violations impacted 74 million accounts, with 53 million users directly exposed to the disguised ads.
What Customers Need to Know
Consent Is Key – Under EU law, companies cannot send marketing emails or place advertising cookies on user devices without explicit consent.
Transparency Required – Businesses must provide clear and balanced choices for users to accept or reject cookies during account setup.
Right to Privacy – Any advertising disguised as personal communication (such as “emails” in Gmail) is considered a breach of privacy.
Future Compliance – CNIL has ordered Google to stop showing ads between Gmail messages without prior consent and to ensure valid cookie consent during account creation within six months. Failure to comply will cost €100,000 per day in penalties.
A Pattern of Privacy Violations
This is not Google’s first fine from CNIL:
€150 million in December 2021 for cookie consent issues
€50 million earlier for unclear privacy notices and lack of legal basis for personalized ads
The latest decision underscores CNIL’s stance that repeated negligence will result in stronger sanctions, especially for tech giants dominating digital advertising markets.
Why This Matters for Users
For Gmail users, this case highlights how privacy regulators are strengthening protections against hidden advertising tactics. Customers can now expect greater transparency when using email and online services in France and across the EU. It also serves as a warning that your inbox and data cannot be used for marketing without your clear approval.
Baburajan Kizhakedath
