The French data protection authority has fined Google €325 million ($378 million) for violating cookie regulations and displaying ads between Gmail users’ emails without their consent.
During several investigations between 2022 and 2023, the National Commission on Informatics and Liberty (CNIL) found that Google’s Gmail email service displayed advertisements in the “Promotions” and “Social” tabs without the consent of Gmail users, thereby breaching Article L. 34-5 of the French Postal and Electronic Communications Code (CPCE).
As explained in a press release issued on Wednesday, this fine was imposed because Google breached the French Data Protection Act (Article 82) by failing to inform users who created new accounts that they were required to allow the search giant to place cookies for advertising purposes to access its services.
“The amounts of these fines, which only took the number of users residing in France into account, considered the very high number of people affected, as the breach regarding cookies concerned more than 74 million accounts,” CNIL said. “Among these, 53 million individuals had illegally seen the involved advertisements displayed in the ‘Promotions’ and ‘Social’ tabs of their email accounts.”
CNIL also stated that Google’s behavior “had been negligent,” given that the company was also fined in 2020 (€100 million) and 2021 (€150 million) for other breaches related to cookies.
In January 2022, the French data protection agency issued another fine of €170 million to Google for violating users’ rights to consent by complicating the process of declining website tracking cookies, which were concealed behind multiple clicks.
Google was also fined $2.72 billion for abusing its dominant market position to tweak search results in June 2017, $1.7 billion for anti-competitive practices in online advertising in March 2019, €220 million for favoring its services to the disadvantage of competitors in June 2021, and $11.3 million for aggressive data collection in November 2021.
“While compliance with obligations regarding the use of cookies is improving, the CNIL remains vigilant, particularly with regard to non-compliant practices such as the placement of cookies without the internet user’s consent, but also with regard to growing practices such as the use of ‘cookie walls,’ which consist of making the acceptance of the placement of cookies on the users’ device a condition to access to a service,” CNIL added.
On Wednesday, the CNIL also imposed a €150 million ($174 million) fine on the Irish subsidiary of Chinese e-commerce platform Shein for failing to obtain users’ consent before placing cookies, displaying incomplete information banners, providing insufficient information on placed cookies, and having inadequate mechanisms for refusing and withdrawing cookie consent.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
