CNIL Imposes Record €325 Million Fine on Google: A Watershed Moment for ePrivacy Enforcement

Goodwin

Executive Summary

The French data protection authority, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €325 million fine on Google on September 1, 2025, for displaying advertisements in Gmail without prior user consent and collecting invalid consent when creating Google accounts. This landmark decision represents a pivotal moment in the evolution of ePrivacy enforcement, demonstrating that regulators are prepared to impose substantial penalties for violations that blur the lines between legitimate service provision and unlawful marketing practices.

The proceedings, triggered by a complaint from the nongovernmental organization None of Your Business (commonly known as noyb) in August 2022, followed CNIL inspections in 2022 and 2023. The decision establishes critical precedents for direct marketing practices within digital environments and consent validity in an era of sophisticated user interface design.

For multinational businesses, this enforcement action signals a new era of regulatory scrutiny over advertising practices, consent mechanisms, and the intersection of ePrivacy and General Data Protection Regulation (GDPR) compliance. The decision’s emphasis on “dark patterns” and embedded advertising creates immediate implications for companies across the digital advertising ecosystem.

Why This Enforcement Action Matters Now

The digital advertising industry has been operating in a regulatory gray area in which the boundaries between service provision and marketing communications have become increasingly blurred. The CNIL’s reliance on the Court of Justice of the European Union’s November 25, 2021, judgment (Case C-102/20, StWL Städtische Werke Lauf a.d. Pegnitz GmbH v. eprimo GmbH), which confirmed that ads mimicking private communications constitute “direct marketing” requiring prior consent, represents a fundamental shift in how regulators view embedded advertising.

For businesses, the CNIL decision offers something increasingly rare in today’s regulatory environment: clear boundaries defining what constitutes unlawful marketing practices in digital environments. The CNIL’s assertion of territorial jurisdiction under Article 3 of the French Data Protection Act, establishing that Google France acts as the local “establishment” involved in the activities, demonstrates that the GDPR one-stop-shop mechanism does not shield companies from ePrivacy enforcement by national authorities.

Market responses to this enforcement action will likely shape industry practices for years to come, particularly as other European data protection authorities observe CNIL’s approach to joint controllership and penalty calculation methodologies.

Understanding the Scope of Violations

Direct Marketing Without Consent: Redefining Digital Advertising Boundaries

The CNIL identified that ads displayed in Gmail’s “Promotions” and “Social” tabs mimicked private emails, creating a deceptive user experience that violated direct marketing consent requirements. This finding extends beyond traditional email marketing to encompass advertising practices embedded within digital service environments.

The violation of Article L34-5 of the French Code of Posts and Electronic Communications — code des postes et des communications électroniques (CPCE) — which governs direct electronic marketing, establishes that companies cannot rely on service provision as a justification for embedded advertising that resembles personal communications.

Invalid Consent Collection: The Dark Patterns Enforcement Era

Users creating Google accounts were nudged toward accepting personalized advertising cookies through asymmetric design (“dark patterns”), making refusal harder than acceptance. The information provided did not clearly state that access to Google services was conditional on advertising tracker placement. The CNIL determined that consent collected was neither free nor informed, and, therefore, it was invalid.

This represents the first major enforcement action explicitly targeting interface design choices that manipulate user consent decisions, establishing precedent for evaluating consent validity based on user experience design principles.

Jurisdictional Framework: Navigating Fragmented ePrivacy Enforcement

The End of One-Stop-Shop Protection

The GDPR one-stop-shop mechanism does not apply to ePrivacy infringements, with national data protection authorities (DPAs) retaining full authority to investigate and sanction. This creates a fundamentally different compliance landscape in which multinational companies must anticipate parallel investigations across multiple jurisdictions.

Google LLC and Google Ireland Limited were held jointly responsible, as they “jointly determine[d] the purposes and means of the processing,” demonstrating that corporate structure cannot shield companies from liability when multiple entities participate in unlawful practices.

Penalty Calculation: Understanding Regulatory Risk Multipliers

Scale and Market Position as Aggravating Factors

The scale of processing affected more than 74 million accounts through invalid cookie consent, with 53 million users in France exposed to unlawful Gmail ads. Google’s dominant market position as the world’s second most used email service and central role in online advertising significantly influenced penalty calculation.

Recidivism as a Critical Risk Factor

The CNIL explicitly considered Google’s prior fines in 2020 (€100 million) and 2021 (€150 million) for cookie-related violations as aggravating circumstances, noting that despite earlier sanctions, Google failed to adequately remedy its practices. This confirms that regulatory history becomes a significant penalty multiplier in subsequent enforcement actions.

Implementation Requirements: Building Compliant Advertising Systems

Immediate Compliance Obligations

The €200 million fine against Google LLC and €125 million fine against Google Ireland Limited come with a compliance order requiring Google to cease displaying Gmail ads without prior consent and ensure valid cookie consent during account creation within six months, with €100,000 daily penalties for noncompliance.

Broader Industry Implications

Dark patterns undermining consent validity are now explicitly sanctioned. Direct marketing rules extend to ads embedded within digital environments that imitate private communications. Multinationals must anticipate fragmented enforcement under ePrivacy rules because, unlike under the GDPR, compliance cannot rely on a single lead authority.

Strategic Considerations: Navigating the New Compliance Landscape

Immediate Risk Assessment Priorities

Organizations deploying advertising, cookies, or consent interfaces must reassess their compliance programs in light of this CNIL enforcement precedent. This case confirms that ePrivacy rules are enforced separately from GDPR, with national DPAs retaining jurisdiction. The CNIL’s decision highlights the invalidity of consent obtained through design asymmetry, potentially opening enforcement in areas such as app design, subscription models, and targeted advertising.

Building Adaptive Compliance Capabilities

The joint liability approach reflects strict joint controllership principles, while the CNIL’s explicit consideration of prior fines as aggravating circumstances confirms that recidivism significantly multiplies regulatory sanctions. Companies must build compliance systems that can adapt to evolving regulatory expectations while maintaining operational efficiency across multiple jurisdictions.

Looking Ahead: Regulatory Evolution and Market Dynamics

Enforcement Trajectory and Industry Response

The ePrivacy enforcement landscape is evolving rapidly, with national data protection authorities developing supplementary guidance and preparing for expanded enforcement responsibilities. Early positioning decisions on consent mechanisms and advertising practices will become increasingly important as regulators signal expectations through enforcement actions.

From a technological perspective, advertising technologies continue advancing at an unprecedented pace, with programmatic advertising, artificial intelligence–driven targeting, and emerging digital environments creating new compliance challenges that current frameworks struggle to address.

Building Future-Ready Compliance Systems

The CNIL’s principles-based approach to evaluating consent validity and marketing practices provides some flexibility for technological evolution, but companies must build adaptive capabilities, rather than point solutions, that can respond to changing requirements and emerging enforcement priorities.

Successful navigation of this regulatory environment requires balancing innovation momentum with compliance obligations and stakeholder expectations. Organizations that develop proactive relationships with regulators and invest in robust consent and advertising compliance systems will gain significant competitive advantages in an increasingly complex enforcement environment.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Goodwin
