Google Fined €325 Million by France Over Gmail Ads and Cookie Violations

France’s data protection watchdog CNIL has imposed a €325 million fine on Google for violating European privacy laws by displaying advertising content in Gmail without valid user consent and by failing to comply with cookie consent regulations. The decision, announced in early September 2025, highlights the growing scrutiny faced by major tech platforms over how they handle personal data in the European Union.

This is one of CNIL’s largest fines to date and underscores the regulator’s ongoing efforts to enforce the ePrivacy Directive and the General Data Protection Regulation (GDPR) against even the most powerful digital companies.

Gmail Ads Without Consent

The CNIL investigation centered around Gmail’s “Promotions” and “Social” tabs, where Google displayed promotional content designed to resemble ordinary emails. According to CNIL, these advertising messages were not only unsolicited but also formatted to appear indistinguishable from user-generated emails. This lack of transparency created confusion and undermined users’ control over their inboxes.

More importantly, these ads were delivered without users giving prior, informed consent a fundamental requirement under EU privacy law. CNIL concluded that Google had failed to obtain valid legal basis to process user data for targeted advertising within Gmail, particularly for newly created accounts. An estimated 50 to 60 million users were affected by the practice (Euractiv).

Cookie Policy Violations

In addition to the issue with Gmail ads, CNIL found that Google’s cookie banner and data collection practices did not meet EU standards. During the account registration process, users were presented with options that nudged them toward accepting personalized ad tracking. While there was a theoretical option to refuse consent, CNIL said that the user interface was designed in a way that made refusal difficult or unclear, thus invalidating any supposed consent (Reuters).

Moreover, cookies related to personalized advertising were allegedly placed on users’ devices before meaningful consent had been obtained. This practice directly contradicts the ePrivacy Directive, which requires explicit opt-in consent for non-essential cookies.

Breakdown of the Penalty

The €325 million fine has been split across two Google entities: €200 million was levied against Google LLC, the U.S.-based parent company, and €125 million against Google Ireland Limited, which handles most of Google’s European operations. This structure reflects how Google operates across borders and the scope of responsibility for each legal entity.

In addition to the fine, CNIL has issued a legally binding order that mandates Google to bring its Gmail advertising practices into full compliance within six months. If the company fails to meet this deadline, it will be subject to a further fine of €100,000 for each day of non-compliance (Wall Street Journal).

CNIL’s Statement and Legal Basis

In its official statement, CNIL emphasized that unsolicited advertising via email, particularly when disguised to look like ordinary emails, constitutes a form of spam. According to European privacy law, such communication requires prior, freely given, and informed consent.

The authority also clarified that its action is based not only on GDPR but also on the ePrivacy Directive, which governs electronic communications and sets strict rules on marketing via email, messaging platforms, and cookies.

“Users must be able to clearly distinguish between private correspondence and advertising. Companies cannot bypass consent requirements by embedding ads in a service that resembles personal communication,” CNIL stated in its press release.

Google’s Response

Google responded to the fine by expressing disappointment and defending its advertising practices. A spokesperson for the company stated:

“We provide users with clear information and simple controls for ad personalization, and we’ve made improvements over time to increase transparency and choice. We will review the CNIL’s decision carefully and continue working constructively with regulators across Europe.”

Google also reiterated that its Gmail ads are not based on the content of individual users’ emails and that the platform offers settings that allow users to opt out of personalized ads. However, CNIL argued that the way those settings are presented does not meet the criteria for freely given and informed consent under GDPR.

Role of Privacy Advocates

This case was triggered by a complaint filed by NOYB (None of Your Business), the Austrian-based privacy rights organization founded by activist and lawyer Max Schrems. NOYB has been at the forefront of several high-profile privacy cases across Europe and has filed numerous complaints against Google, Meta, Amazon, and other major digital platforms.

In a statement following the CNIL ruling, NOYB said the decision was a significant win for users and a step toward eliminating “email spam disguised as legitimate content.” The organization noted that Google’s Gmail promotions had become “a new form of commercial intrusion that users never agreed to” (NOYB).

Broader Regulatory Context

This is not the first time Google has faced legal action over privacy issues in Europe. In previous years, the company has received several fines from EU data protection authorities related to advertising personalization, location tracking, and cookie consent. The latest fine adds to growing pressure on Google to overhaul its consent mechanisms and data processing policies in line with EU standards.

CNIL has also issued major fines to other companies in recent months, including a €176 million fine to fast fashion retailer Shein for similar cookie consent violations (Reuters).

Legal experts suggest that CNIL’s ruling against Google may set a precedent for how data protection authorities across the EU handle similar cases in the future, particularly as the European Commission continues pushing for stronger enforcement of digital regulations under the upcoming Digital Services Act (DSA) and Digital Markets Act (DMA).

Why This Matters

The case raises essential questions about the boundaries of user consent in digital services. As online platforms increasingly rely on behavioral data for monetization, regulators are drawing clearer lines around what constitutes informed, voluntary agreement and what counts as manipulation.

Google’s Gmail, a service used by over 1.5 billion people globally, functions as a core communication tool. When advertising begins to blur with personal communication, the stakes for privacy and transparency grow significantly.

This ruling from CNIL demonstrates that regulatory bodies are not only willing to go after data breaches or cyberattacks, but also increasingly focused on the subtle ways companies may exploit user attention and consent for profit.