
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has imposed a substantial €325 million (approximately $381 million) fine on Google for systematic violations of European cookie consent regulations [1]. The penalty, announced on September 3, 2025, specifically targets Google’s practice of displaying advertisements within the Gmail interface without obtaining valid user consent and for implementing a cookie consent mechanism that heavily nudged users toward acceptance [2]. This enforcement action is part of a broader, coordinated wave of global regulatory scrutiny on data privacy practices, occurring simultaneously with a separate $425 million U.S. jury verdict against Google and a €150 million fine against the e-commerce platform Shein [3].
The core of the CNIL’s findings centers on two primary violations. First, the authority determined that Google placed advertisements within the “Promotions” and “Social” tabs of Gmail users’ inboxes. Under French law (CPCE Article L. 34-5), this practice is classified as “direct marketing,” which requires explicit prior consent from the user [1]. This violation affected an estimated 53 million French users. The second violation concerned the account creation process, where the interface design made it significantly easier for a user to accept advertising cookies than to refuse them. This design, often described as a “dark pattern,” violated the French Data Protection Act’s requirement for “free and informed consent” and impacted over 74 million French user accounts [1].
Aggravating Factors and Regulatory History
Several factors contributed to the size of the penalty. A primary consideration was Google’s status as a repeat offender. This marks the third major cookie-related fine the CNIL has levied against the company, following a €100 million penalty in 2020 and a €150 million fine in 2021 [1]. The CNIL cited Google’s “central position in the online advertising market” and the massive scale of the user impact as justifications for the substantial fine. The use of deceptive interface designs, or dark patterns, which subtly manipulate user choice, was explicitly mentioned as an aggravating factor [4]. The authority has given Google a six-month deadline to cease the non-consensual placement of Gmail ads and to implement a lawful cookie consent process. Failure to comply will result in escalating penalties of €100,000 per day of delay [1].
Concurrent U.S. Legal Action Against Google
In a significant demonstration of cross-border regulatory pressure, a U.S. District Court jury in the Northern District of California delivered a $425 million verdict against Google on the same day as the CNIL’s announcement [3]. The class action suit, Rodriguez v. Google LLC, proved that Google continued to collect user data from nearly 98 million users even after they had explicitly disabled the “Web & App Activity” tracking setting within their account preferences. Data collection persisted through partnerships with third-party apps like Uber, Venmo, and Instagram that utilized Google’s analytics services. The jury found this practice to be an invasion of privacy under California law. A jury foreperson noted that Google’s “consent language should be a little more obvious,” observing that “the average user is probably not a reader, the average user is probably a skimmer” [3].
The Shein Fine and Broader Regulatory Context
The CNIL’s enforcement actions extended beyond Google, with a €150 million fine issued against the Irish subsidiary of the e-commerce giant Shein [5]. The violations included placing advertising cookies on users’ devices immediately upon visiting shein.com, before any interaction with a cookie banner, and employing deceptive banners with incomplete information or only an “Accept” option. The process to refuse consent was deemed overly difficult, and the company sometimes placed new cookies even after a user had refused consent. This action against a Chinese company, alongside the penalty for the U.S.-based Google, is viewed by some analysts as a strategic move by French regulators to demonstrate impartiality in global tech enforcement [4].
Analyst Sanchit Vir Gogia characterized the simultaneous fines as a sign of “maturity” in global privacy enforcement, indicating that “privacy infractions are no longer being dealt with in isolation but amplified through transatlantic echo” [3]. This suggests the end of an era where tech giants could manage regulatory penalties in one jurisdiction independently of others. Compliance strategies must now be harmonized and defensible on a global scale. The structure of the CNIL’s penalty, with its provision for daily fines for non-compliance, is considered a more potent deterrent than a one-time lump sum, as it creates continuous financial and operational pressure to remediate the issues [3].
Relevance to Security and Compliance Professionals
For security teams and compliance officers, this event is a potent case study in regulatory risk. The technical implementation of consent mechanisms, often handled by development and product teams, has direct and severe financial consequences. The findings against Google and Shein highlight how user interface design choices can be legally construed as dark patterns, making a strong case for involving legal and compliance teams early in the design process of any feature that collects user data or presents consent options. The CNIL’s focus on the practical difficulty of refusing consent, as opposed to simply having the option available, sets a high bar for implementation.
The incident also underscores the importance of robust data flow auditing. The U.S. case, in particular, revealed a disconnect between a user’s stated preference (disabling “Web & App Activity”) and the actual behavior of Google’s systems, which continued collection via other channels. Organizations must ensure their data processing activities are fully aligned with user consent settings across all integrated services and partnerships. Regular audits and penetration tests that include a review of data collection and transmission points can help identify such discrepancies before they result in legal action.
Remediation steps should include a full review of all user consent interfaces for compliance with regulations like the GDPR and ePrivacy Directive, ensuring that rejecting cookies or data collection is as easy as accepting it. All data collection endpoints must be mapped and validated to ensure they respect user-controlled privacy settings without exception. Furthermore, organizations should prepare for increased regulatory coordination across borders, meaning a violation in one region could influence or compound enforcement actions in another.
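As an added illustration of the remediation points above (example code, not code from Google, Shein or the CNIL), the following consent gate treats “no decision yet” exactly like a refusal, records accept-all and reject-all with the same single step, and audits a page’s cookie jar against the stored decision so cookies set before the banner, after a refusal, or outside the site’s cookie map are reported. The cookie names, categories and sample values are constructed for the example.

```javascript
// Added example, not code from Google, Shein or the CNIL; all cookie names and values are constructed.
// Map of every cookie the site may set, by category; names not listed are reported as unmapped.
const COOKIE_REGISTRY = {
  session_id: "necessary",
  consent: "necessary", // stores the user's own decision
  _ga: "analytics",
  ad_id: "ads",
  retarget: "ads",
};
// Parse a document.cookie-style string ("a=1; b=2") into a name->value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}
// Read the stored decision; null until the user has chosen, which callers
// must treat exactly like a refusal (no ad or analytics tags yet).
function getConsent(cookieString) {
  const raw = parseCookies(cookieString).consent;
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    return { analytics: c.analytics === true, ads: c.ads === true };
  } catch (_) { return null; }
}
// Set-Cookie value for either banner button: accept-all and reject-all are
// the same single step, so refusing is exactly as easy as accepting.
function decisionCookie(acceptAll) {
  const v = JSON.stringify({ analytics: acceptAll, ads: acceptAll });
  return `consent=${encodeURIComponent(v)}; Path=/; Max-Age=15552000; SameSite=Lax`;
}
// Categories whose tags may run: undecided or refused means necessary only.
function allowedCategories(consent) {
  const allowed = new Set(["necessary"]);
  if (consent && consent.analytics) allowed.add("analytics");
  if (consent && consent.ads) allowed.add("ads");
  return allowed;
}
// Audit a cookie jar against the decision: names set without consent
// (before the banner, or after refusal) or absent from the registry.
function auditCookies(cookieString, consent) {
  const allowed = allowedCategories(consent);
  return Object.keys(parseCookies(cookieString))
    .filter((n) => !allowed.has(COOKIE_REGISTRY[n] || "unmapped"));
}
```

Running the audit in an automated browser session at first page load (before any banner interaction) and again after clicking “reject” reproduces the two checks the CNIL applied to Shein.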
Conclusion and Future Implications
The €325 million fine against Google by France’s CNIL represents a significant escalation in the enforcement of digital privacy laws, particularly concerning cookies and advertising practices. Coupled with a major U.S. verdict, it signals a new era of coordinated global regulatory action that increases the stakes for non-compliance. For technology companies, the message is clear: obtaining valid, informed, and freely given consent is not a peripheral legal formality but a core operational requirement. The use of dark patterns to manipulate user choice is now a high-risk practice with substantial financial penalties. As regulatory bodies worldwide appear to be aligning their efforts, organizations must adopt a globally consistent and transparent approach to user data privacy or face the prospect of simultaneous, compounding penalties in multiple jurisdictions.
References
- [1] CNIL, “Cookies and advertisements inserted between emails: Google fined 325 million euros by the CNIL,” [Online]. Available: https://www.cnil.fr/en/cookies-and-advertisements-inserted-between-emails-google-fined-325-million-euros-cnil
- [2] The Hacker News, “Google Fined $379 Million by French Regulator for Cookie Violations in Gmail,” Sep. 03, 2025. [Online]. Available: https://thehackernews.com/2025/09/google-fined-379-million-by-french.html
- [3] Computerworld, “Google hit with $806M in penalties from U.S. and French authorities over privacy issues,” Sep. 03, 2025. [Online]. Available: https://www.computerworld.com/article/4051435/google-hit-with-806m-in-penalties-from-us-and-french-authorities-over-privacy-issues.html
- [4] The Cyber Express, “Google Fined $381 Million Over Gmail Ads by CNIL,” Sep. 03, 2025. [Online]. Available: https://thecyberexpress.com/google-fined-381-million-over-gmail-ads-cnil/
- [5] CNIL, “Cookies placed without consent: Shein fined 150 million euros by the CNIL,” [Online]. Available: https://www.cnil.fr/en/cookies-placed-without-consent-shein-fined-150-million-euros-cnil
- [6] Reuters, “France fines Shein 176 million euros over cookies,” Sep. 03, 2025. [Online]. Available: https://www.reuters.com/sustainability/boards-policy-regulation/france-fines-shein-176-million-over-cookies-2025-09-03/
- [7] Captain Compliance, “France’s CNIL Slams Google and Shein with Record Fines for Cookie Violations,” [Online]. Available: https://captaincompliance.com/education/frances-cnil-slams-google-and-shein-with-record-fines-for-cookie-violations/