Google Fined €325 Million by French Regulators
France’s data protection authority, CNIL, has leveled a hefty fine of €325 million (around $381 million) against Google. This penalty arises from the company’s practices concerning promotional messages in Gmail and cookie consent processes deemed more coercive than transparent.
Ads in Gmail: A Closer Look
French Gmail users have recently discovered that the so-called "Promotions" and "Social" tabs often contain ads that resemble regular emails rather than just messages from brands they opted to follow. The CNIL ruled that these ads are, in fact, direct marketing communications. Under French legislation, sending such messages without prior consent is a clear violation of the law. Given that almost 53 million of Gmail’s 76 million users in France were exposed to these ads, the ramifications are significant.
Consent Practices Under Scrutiny
The issue extends beyond email ads. Regulators flagged Google’s approach in prompting new users to accept advertising cookies when setting up their accounts. Rather than providing a straightforward opt-in or opt-out choice, the consent flow appeared to push users toward accepting, with rejection options not only hidden but also complex.
The EU’s privacy regulations are unambiguous: consent must be given freely, informed, and without ambiguity. Unfortunately, the CNIL found that Google’s setup failed to meet these criteria. This marks the third instance of regulatory action against Google regarding cookie violations, with previous fines of €100 million in 2020 and €150 million in 2021, highlighting escalating tensions between Google’s advertising model and Europe’s rigorous privacy standards.
CNIL Takes Action
In addition to the fine, the CNIL has mandated that Google cease ad placements directly within Gmail inboxes in France and revise its cookie consent processes. Google faces a six-month deadline to comply or risk incurring supplementary fines of €100,000 ($117,000) per day.
The CNIL aims to protect digital rights, emphasizing that users should have the choice to keep their inboxes free of advertisements rather than being unwitting participants in a major advertising network.
Google’s Position
A Google spokesperson has stated that the company has already implemented substantial changes in response to previous concerns. “People have always had control over the ads displayed in our products. Over the last two years, as recognized by the CNIL, we’ve made updates that include easier options to decline personalized ads when creating a Google account, along with modifications in how Gmail ads are displayed,” the spokesperson commented to The Cyber Express.
Internally, Google has assured users that all Gmail ads are clearly labeled and play a key role in maintaining a free service. Google claims that a majority of French users do not encounter Gmail ads, and those who do can opt out at any time. Following a ruling from the European Court of Justice in April 2023, Google introduced updates to make Gmail ads more distinguishable from personal emails.
The company also launched a “Reject All” button during the account creation process in October 2023, allowing users to easily decline personalized ads with a single click. While the CNIL has acknowledged that this significantly addresses many cookie-related concerns, they still deemed previous practices worthy of a substantial penalty.
Shein Faces Similar Penalties
Google isn’t the only tech company receiving a punitive wake-up call. Fast-fashion retailer Shein was slapped with a €150 million ($176 million) fine for tracking users even after they expressed their intent not to be tracked. The CNIL described this behavior as creating an “illusion of control” for users.
With a user base of approximately 12 million monthly visitors in France, the severity of Shein’s violations is significant. Though the retailer plans to appeal the ruling, citing the penalty as excessive, the CNIL maintains that the fine reflects both the scale of Shein’s user base and the systemic nature of the issue.
This penalty constitutes one of the largest ever imposed on a retailer for privacy infringements in Europe, signaling that compliance with cookie regulations is a pressing concern for all companies, not just the major tech players.
Addressing Dark Patterns in Europe
These penalties are part of a broader regulatory trend in Europe, where authorities are focusing on “dark patterns”—design strategies that nudge users toward choices that compromise their privacy. Whether through misleading consent boxes or hidden opt-out features, the CNIL and other EU regulators are cracking down on these practices.
France, in particular, has been at the forefront, mandating that companies present "accept" and "reject" cookie options in an equally visible fashion. The CNIL argues that anything less undermines the essence of informed choice.
As consumers become more aware of data exploitation, companies that treat consent as merely a formality risk facing both fines and reputational damage.
A Cumulative Impact of Fines
The total fines against Google and Shein now exceed half a billion dollars. For Google, the €325 million charge illustrates ongoing friction with Europe’s privacy regulations. For Shein, the €150 million penalty could have far-reaching implications for the retail sector, emphasizing that the scrutiny of privacy practices is becoming increasingly stringent across industries.
In Europe, the approach to privacy is evolving—these fines indicate a firm stance against the exploitation of personal data. As enforcement intensifies, businesses will need to reevaluate their consent practices, or risk facing substantial penalties and loss of consumer trust.
With Europe’s privacy landscape rapidly changing, the pressure on firms to comply with stringent regulations is on the rise. Both tech giants and retailers must adapt or face the consequences of outdated practices.
