CNIL Sanctions Against Google for Cookie Consent and Electronic Prospecting Violations

Key Development: This landmark enforcement action represents the largest CNIL sanctions to date, establishing critical precedents for cookie consent validity and electronic prospecting boundaries in digital advertising.

The French Data Protection Authority (CNIL) has imposed substantial monetary sanctions totaling €325 million against Google LLC and Google Ireland Limited in a landmark enforcement action addressing systematic violations of cookie consent requirements and electronic prospecting regulations. This decision, rendered 1st September 2025, represents a sophisticated application of the European ePrivacy Directive's transposition into French law, demonstrating the evolving regulatory landscape governing digital privacy rights in the context of technology platforms' advertising practices.

The jurisdictional foundation for this enforcement action rests upon the territorial application of French data protection law, specifically Article 82 of the modified Law of 6th January 1978 (Loi Informatique et Libertés) and Article L. 34-5 of the Posts and Electronic Communications Code (CPCE). The CNIL established its competence through the activities of Google France as a stable establishment conducting promotional and commercial activities for Google's advertising solutions within French territory, thereby triggering the territorial nexus required for regulatory oversight.

I. Substantive Violations and Legal Framework

1. Cookie Consent Mechanisms: Structural Deficiencies in User Choice Architecture

The investigation revealed fundamental deficiencies in Google's account creation process regarding cookie consent mechanisms. Prior to October 2023, users creating Google accounts encountered a systematically biased choice architecture that privileged acceptance of personalized advertising cookies over their rejection. The "express personalization" pathway required only two clicks to accept personalized advertising cookies, while refusing such cookies necessitated navigating through a five-step "manual personalization" process requiring six distinct user actions.

This asymmetrical design violated the principle of freely given consent established under Article 82 of the French Data Protection Act, interpreted in harmony with Article 4(11) of the General Data Protection Regulation (GDPR). The European Data Protection Board's guidance emphasizes that consent mechanisms must present acceptance and refusal options with equivalent ease and prominence. The CNIL determined that Google's implementation created a "dark pattern" that systematically nudged users toward accepting more invasive data processing.

Furthermore, the consent obtained was deemed inadequately informed. The interface failed to clearly communicate that account creation necessarily entailed accepting advertising cookies—whether personalized or generic. This informational deficit persisted even after Google's October 2023 modifications, as users remained unable to understand the mandatory nature of advertising cookie deployment as a condition for service access. The ambiguous phrasing "if you accept" incorrectly suggested the possibility of complete cookie refusal, when in reality users could only choose between personalized and generic advertising models.

2. Electronic Prospecting Violations: Unauthorized Commercial Communications in Gmail

The second major violation concerns the display of advertising content within Gmail users' inbox folders, specifically within the "Promotions" and "Social" tabs. Following the Court of Justice of the European Union's (CJEU) 25th November 2021 decision in StWL Städtische Werke Lauf, the CNIL applied an expansive interpretation of "electronic mail for direct marketing purposes" under Article L. 34-5 of the CPCE.

The technical implementation involved inserting advertising entries between legitimate emails in users' private message lists. These advertisements mimicked the visual appearance of genuine emails, distinguished only by subtle indicators such as an "Ad" label and the absence of certain interactive elements. The CNIL rejected Google's argument that these were not technically emails, applying a functional approach aligned with the CJEU's jurisprudence that focuses on the intrusion into spaces normally reserved for private communications.

Legal Interpretation: The CNIL applied a functional approach that examines the practical impact on users rather than technical implementation details, focusing on intrusion into spaces normally reserved for private communications.

Critically, Google failed to obtain users' prior consent for displaying these advertising messages within their email interface. The activation of Gmail's "smart features"—which creates the tabbed inbox structure—did not constitute valid consent for advertising display, as users were not informed that enabling this organizational feature would result in advertising insertion.

II. Regulatory Analysis and Precedential Significance

1. Jurisdictional Innovation and the Inapplicability of GDPR's One-Stop-Shop Mechanism

The decision demonstrates sophisticated jurisdictional reasoning in establishing CNIL's competence despite Google's arguments regarding the GDPR's one-stop-shop mechanism. The CNIL distinguished between GDPR-governed data processing and ePrivacy Directive obligations, confirming that the coordination mechanism under GDPR Article 56 does not extend to ePrivacy enforcement. This interpretation, validated by the French Conseil d'État, preserves national authorities' enforcement autonomy for electronic communications privacy violations.

The joint liability determination for both Google LLC and Google Ireland Limited reflects a nuanced understanding of corporate structure and decisional authority within multinational technology enterprises. Despite Google's assertions that operational changes had centralized responsibility with Google Ireland Limited, the CNIL identified continued involvement by Google LLC in product development and privacy governance decisions affecting European users.

2. Proportionality Assessment and Sanction Calculation Methodology

The €325 million total sanction reflects careful calibration of multiple aggravating and mitigating factors under Article 83(2) of the GDPR. Aggravating factors included:

  • Scale and systematic nature: Affecting millions of French users, with over Google accounts created between April 2021 and October 2023
  • Prior violations: Google's previous sanction in December 2021 for similar cookie consent violations demonstrated persistent non-compliance
  • Economic benefit: Substantial revenue generation from advertising operations fundamentally dependent on the contested practices
  • Market position: Google's dominant position in digital advertising markets imposing heightened compliance obligations

The CNIL appropriately considered Google's partial remediation efforts, including modifications to the account creation process in October 2023 and visual changes to Gmail advertisements in April 2023. However, these measures were deemed insufficient to achieve full compliance, justifying both the monetary sanctions and prospective injunctive relief.

III. Compliance Imperatives and Forward-Looking Implications

1. Injunctive Requirements and Implementation Timeline

The CNIL's injunction mandates comprehensive remediation within six months, subject to €100,000 daily penalties for non-compliance. Specific requirements include:

  • Cookie consent transparency: Clear, unambiguous information that advertising cookies are mandatory for account creation, with genuine choice between personalized and generic advertising models
  • Gmail advertising consent: Implementation of valid prior consent mechanisms before displaying any advertising content within email interfaces

These requirements establish stringent standards for consent mechanics that will likely influence industry-wide practices. The emphasis on informational clarity and genuine user choice represents an evolution from formal compliance toward substantive protection of user autonomy.

2. Broader Market Implications and Regulatory Trajectory

This enforcement action signals intensified regulatory scrutiny of dominant platforms' privacy practices, particularly regarding advertising-dependent business models. The decision's reasoning suggests several emerging regulatory themes:

  • Functional interpretation of electronic communications law: Regulatory authorities will examine the practical impact on users rather than technical implementation details
  • Heightened obligations for dominant platforms: Market position creates enhanced compliance responsibilities and reduced tolerance for violations
  • Convergence of privacy frameworks: Harmonized interpretation of GDPR and ePrivacy requirements despite distinct enforcement mechanisms

Conclusion

The CNIL's decision represents a sophisticated exercise of regulatory authority that advances digital privacy protection through rigorous application of existing legal frameworks to evolving technological practices. By rejecting formalistic arguments and focusing on substantive user protection, the decision establishes important precedents for consent validity, electronic prospecting boundaries, and the responsibilities of dominant digital platforms.

The substantial monetary sanctions, coupled with ongoing compliance obligations, demonstrate regulatory commitment to meaningful enforcement that matches the scale and impact of privacy violations by major technology companies. This decision will likely catalyze industry-wide reassessment of consent mechanisms and advertising practices, particularly for services operating under "free" models subsidized by advertising revenue.

For legal practitioners and compliance professionals, this decision provides crucial guidance on the evolving interpretation of cookie consent requirements and electronic prospecting regulations, emphasizing the need for transparent, equitable user choice architectures that respect the fundamental right to privacy in digital communications.
