Google fined €325 million by France's CNIL for GDPR and cookie violations
France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), has slapped a fine of €325 million ($381 million) on Google for violating GDPR and cookie regulations.
According to the press release, CNIL says Google displayed ads between user emails in Gmail without their consent and placed tracking cookies on new accounts during the sign-up process.
The fine is the result of several investigations conducted between 2022 and 2023 into the company's Gmail service, following a complaint by privacy organization None of Your Business (NOYB) in August 2022.
The investigations revealed that Google had displayed advertisements disguised as emails in Gmail's "Promotions" and "Social" tabs. CNIL stated that these advertisements required consent from users.
The second bone of contention was cookies that Google encouraged users to opt into for Gmail, and the company did a poor job of informing users that these would be used to serve personalized advertisements.
Apart from the combined fine, Google will now need to implement measures to prevent this from happening in the future and stop displaying advertisements in users' inboxes without consent. Failure to do so would result in hefty fines of up to €100,000 per day.
This isn't the first time Google has found itself in CNIL's crosshairs. In 2019, it was fined €50 million for GDPR violations for similar ad-related breaches. In 2020 and 2021, Google was fined again for breaches related to cookies.
Also in 2021, France's competition authority, Autorité de la Concurrence, fined Google $590 million in a news media compensation row.
A Google spokesperson told Reuters that the company is reviewing the decision and argued that Google has always allowed users to control the ads they want to see.
