France's data protection authority, CNIL (Commission Nationale de l’Informatique et des Libertés), has fined Google a total of €325 million ($380 million) for violating user consent rules by inserting advertisements directly into Gmail inboxes and placing cookies during account creation without obtaining valid consent.
The fine follows an investigation launched in response to a complaint filed by privacy advocacy group NOYB (None Of Your Business) on August 24, 2022. Between 2022 and 2023, CNIL conducted inspections into Gmail's promotional email features and the process users go through when creating a Google account. The findings revealed serious breaches of French data protection laws by Google.
At the heart of the investigation was Google's practice of embedding advertisements that resembled genuine emails into the “Promotions” and “Social” tabs of Gmail inboxes, sections often managed by Google's “smart features” meant to automatically sort emails. CNIL determined these ads, despite minor visual adjustments introduced by Google in April 2023, still constituted direct marketing messages and thus required users' prior consent under Article L.34-5 of the French Postal and Electronic Communications Code (CPCE). This ruling leaned heavily on a precedent set by the Court of Justice of the European Union in November 2021.
Additionally, CNIL scrutinized Google's cookie consent flow during new account registration. Until October 2023, users were presented with a skewed interface that nudged them toward accepting cookies tied to personalized advertising. Rejecting them was more complex, and no clear notice was given that accepting cookies was a condition for accessing Google's services. Even after changes were made in October to add a more balanced “refuse” button, CNIL found that user consent was still not fully informed, a violation of Article 82 of the French Data Protection Act.
Google, which operates the world's second most widely used email platform, was fined €200 million for violations by Google LLC and €125 million for Google Ireland Limited. CNIL noted that more than 74 million French accounts were affected by the cookie consent violations, with at least 53 million individuals exposed to unauthorized advertisements embedded within Gmail. The authority emphasized Google's dominant position in the online advertising market, generating significant revenue from both contextual and targeted ads, as an aggravating factor in its decision.
The tech giant is ordered to bring its practices into compliance within six months, specifically by ceasing the insertion of advertising content into inboxes without prior user consent and ensuring that cookie consent during account creation is freely given and informed. Failure to comply will incur additional penalties of €100,000 per day of delay.
Leave a Reply