Google is facing a €325 million GDPR fine from French data regulator CNIL for its placement of cookies that may not have been noticed by those signing up for new accounts and its use of ads in Gmail.
The fine was issued on September 1 for Google’s practice of inserting ads between emails in Gmail without required user consent, and for its placement of tracking cookies without notification when users create new accounts. The case stems from a privacy complaint filed by prolific European digital rights group NOYB in August 2022 and applies to a window of time from 2022 into 2023, though both practices have continued past that end date.
Google GDPR fine accompanied by order to adjust Gmail ad placement
For some time the “Promotions” and “Social” tabs in Gmail have featured paid promotional emails that are targeted to user interests. CNIL’s investigation determined that these ads violated the consent requirements of Article L. 34-5 of the French Postal and Electronic Communications Code (CPCE).
The GDPR fine element is tied to the placement of cookies at account creation. Though Google asks those creating new accounts to select advertising preferences as part of the process, CNIL’s investigation found that users were not clearly informed that cookies would be placed as a condition of accessing the company’s services. Additionally, Google was found to have influenced users to choose the more intrusive personalized option over the generic option that would collect less personal information. These elements were found to be in violation of Article 82 of the French Data Protection Act, the country’s local implementation of the GDPR.
The GDPR fine took into account that the illicit cookie placement impacted some 74 million people in the country, with some 53 million having also had the Gmail ads delivered to them at some point. The fines are accompanied by an order to cease placing ads between emails in Gmail and to ensure compliance with cookie placement requirements within six months, or face added fines of €100,000 per day going forward. Google issued a statement indicating that they are reviewing the decision and noting that improvements to its ad type selection and Gmail ad presentation had already been made.
GDPR fines trigger concerns about retaliatory US tariffs
While the GDPR fine is substantial it is hardly devastating for Google, with its annual revenue of about $350 billion. The company has found some support in pushing back against it, however, but not out of any sense of it being unfair; instead, it is seen as potentially triggering retaliatory tariffs from the United States.
Trump has recently threatened countries that slap fines seen as “unfair” or “discriminatory” with added tariffs and/or the possibility of restrictions on sale of AI chips to them. Most of Trump’s prior objection to these measures has been due to perceived censorship and stifling of political speech, however, rather than procedural issues involving cookie consent.
Still, the GDPR fine is large enough that European Trade Commissioner Maroš Šefčovič lobbied hard to stop CNIL from issuing it on that basis. Trump very recently made a direct threat of more tariffs related to a different case involving a €2.95 billion fine on Google by the European Commission for monopoly practices.
This is not CNIL’s first GDPR fine for Google involving their cookie practices, though the two prior instances came very late in the first Trump administration and early in the Biden administration respectively. In December 2020, the French regulator fined Google €100 million for failing to obtain consent for placement of cookies on the “google.fr” version of its search website. At the time, that penalty set a record for GDPR fine amounts and was unsuccessfully challenged in court by Google (upheld by the French high court in a January 2022 decision).
About a year later CNIL would fine Google yet again for a cookie infraction, this time for a larger penalty of €150 million over the legal insufficiency of its cookie refusal procedure on both the google.fr site and YouTube. This led to Google implementing a “allow only essential cookies” button alongside the acceptance button to come into compliance.
Alongside the more recent GDPR fine, CNIL also penalized Shein’s Irish subsidiary (Infinite Styles Services Co.) for similar stealth placement of cookies when users visited the “shein.com” website. The CNIL investigation found that Shein was placing cookies on visitor’s devices immediately upon loading the page, before they could even interact with the cookie acceptance banner. Investigators also found that the supposedly informative pop-ups meant to explain the cookies lacked necessary information, and that overall disclosure about the purpose of the advertising cookies was inadequate. Shein has issued a statement saying that it believes the fine is “totally disproportionate” and that it plans to appeal.
