CNIL fines Google €325M over hidden ads & cookie consent violations

  • Author: Arno Schlösser, DP-Dock GmbH
  • Last updated: October 2025
  • Category: Enforcement, Cookies

The importance of complying with cookie consent requirements under the GDPR and ePrivacy Directive was also emphasized upon by other national authorities. On September 1st 2025, France’s data protection authority (CNIL) fined Google 325 million euros for two main violations: inserting adverts between Gmail users’ emails without consent, and placing advertising cookies during account creation without valid user consent. The whole sum was split between Google LLC (€200 million) and Google Ireland Ltd. (€125 million). Furthermore, the CNIL issued a remedial order, as in requiring Google to stop inserting ads into users’ inboxes without consent and applying valid consent mechanisms. Google has to adhere to the order within six months, whereas every day beyond that deadline will amount to additional fines, as in €100,000 per day.

The violations of concern entailed unauthorized ads inside inboxes, which were judged to be direct marketing by email without users’ prior consent. Further, during account registration, users were not provided with clear and equal options to reject advertising cookies, which deemed given consent to such as invalid under French law.

These developments suggest for companies targeting EU users to audit their cookie banners, tracking scripts and consent flows. As mentioned above, DP Dock is happy to support and advise in cookie banner compliance and consent requirements. All contact details can be found below.

For further information click here.

The Google logo seen at Googleplex, the Google Headquarters in Mountain View, California.
© Tada Images / stock.adobe.com | #398409601

Back to the news overview

Privacy settings

We use cookies on our website. Some of them are essential, while others help us improve this website and your experience.

In this overview you can select and deselect individual cookies of a category or entire categories. You will also receive more information about the cookies available.
Group essential
Name Matomo
Technical name
Provider
Expire in days 72
Privacy policy
Use Use without cookies
Allowed
Group external media
Name Calendly
Technical name __cf_bm,__cfruid,OptanonConsent
Provider Calendly LLC
Expire in days 365
Privacy policy
Use To arrange appointments via the provider Calendly
Allowed
Name Contao CSRF Token
Technical name csrf_contao_csrf_token
Provider Contao
Expire in days 0
Privacy policy
Use Serves to protect the website from cross-site request forgery attacks. After closing the browser, the cookie is deleted again.
Allowed
Name Contao HTTPS CSRF Token
Technical name csrf_https_contao_csrf_token
Provider Contao
Expire in days 0
Privacy policy
Use Serves to protect the encrypted website (HTTPS) against falsification of cross-site requests. After closing the browser the cookie is deleted again
Allowed
Name PHP SESSION ID
Technical name PHPSESSID
Provider Contao
Expire in days 0
Privacy policy
Use PHP cookie (programming language), PHP data identifier. Contains only a reference to the current session. There is no information in the user's browser saved and this cookie can only be used by the current website. This cookie is used all used in forms to increase usability. Data entered in forms will be e.g. B. briefly saved when there is an input error by the user and the user receives an error message receives. Otherwise all data would have to be entered again
Allowed
Privacy Policy | Privacy Policy