Google is once again in the crosshairs of French regulators. France’s data watchdog, the CNIL, has fined the tech giant €325 million (approximately $381 million) for slipping promotional messages directly into Gmail inboxes and for cookie consent practices that regulators say were more about coercion than choice.
For French users, those little “Promotions” or “Social” tabs inside Gmail weren’t always filled by brands they had subscribed to—they were also stocked with ads that looked and felt like regular emails. CNIL ruled that these weren’t just promotions, but direct marketing messages and under French law, sending them without prior consent was a violation. With nearly 53 million of the Gmail’s more than 76 million users in France viewing these ads, the impact was massive.
Consent by Design—or Coercion?
It wasn’t just inbox ads. Regulators also took issue with how Google pushed new users into accepting advertising cookies when setting up accounts. Instead of presenting a clear yes-or-no choice, the consent flow leaned heavily toward acceptance, with rejection buried or made less intuitive.
The EU’s privacy framework is crystal clear on this matter. Consent has to be freely given, informed, and unambiguous. Google’s setup, CNIL said, fell short. This marks the third time the regulator has sanctioned Google for cookie-related violations, after €100 million in 2020 and €150 million in 2021. The repeated fines suggest a deeper friction between Google’s ad business model and Europe’s stricter privacy guardrails.
Regulators with teeth
Along with the fine, the CNIL ordered Google to stop placing ads directly in Gmail inboxes in France and to rework its cookie flows. The company has six months to comply, or it will face an additional €100,000 ($117,000) per day in penalties.
For CNIL, the point isn’t to kill innovation—it’s about drawing a line around digital rights. People should get to decide if their inboxes double as advertising spaces or if their clicks fuel one of the world’s largest ad engines.
Google’s Response
Google, for its part, insists it has already made significant changes. “People have always been able to control the ads they see in our products. Over the last two years, as the CNIL has acknowledged, we made additional updates to address their concerns, including an easy way to decline personalized ads in one click when creating a Google account, and changes to the way ads are presented in Gmail. We’re reviewing the decision,” a Google spokesperson told The Cyber Express.
Behind the scenes, the company emphasized that Gmail ads are clearly marked and play an important role in keeping the service free. According to Google, three-quarters of French users don’t see Gmail ads at all, and those who do can switch them off at any time. In April 2023, following a European Court of Justice ruling, Google voluntarily rolled out updates to make Gmail ads appear more distinct from user emails.
The company also pointed out that it introduced a “Reject All” button in October 2023 during account creation, allowing users to decline personalized ads with a single click. CNIL itself has acknowledged that this addressed the majority of its cookie-related concerns. Still, regulators decided Google’s earlier practices merited a heavy penalty.
Fashion Meets fines
Google wasn’t the only one to get a reality check. Fast-fashion retailer Shein was hit with a separate €150 million (about $176 million) penalty after CNIL found it was tracking users even when they rejected cookies. Investigators said Shein’s platform continued deploying trackers behind the scenes, creating what the regulator described as an “illusion of control.”
With roughly 12 million monthly visitors in France, the violations weren’t minor. As per Reuters, Shein has said it will appeal, calling the fine disproportionate, but CNIL argued the penalty reflects both the scale of the user base and the systemic nature of the problem.
This is one of the largest fines ever imposed on a retailer for privacy violations in Europe, and it sends a message to the retail industry that cookie compliance isn’t just a Big Tech issue anymore.
Europe’s Long War with Dark Patterns
These rulings don’t exist in a vacuum. Across Europe, regulators have been zeroing in on so-called dark patterns—the design tricks that nudge users toward the least privacy-friendly option. Whether it’s a consent box that’s easier to accept than decline, or an opt-out button hidden three clicks away, the CNIL and other EU authorities are calling time on those practices.
France has taken a leading role, requiring companies to make “accept” and “reject” cookie options equally visible. Anything else, CNIL argues, undermines real choice.
And this isn’t just about rules—it’s about trust. As users grow savvier about how their data is exploited, companies that treat consent as a checkbox risk not only fines but also erosion of their reputation.
Half a Billion in Penalties—and Counting
Together, the fines against Google and Shein total more than half a billion dollars. For Google, the €325 million hit shows its long-running tension with Europe’s privacy regime. For Shein, the €150 million fine might be even more consequential—it puts retailers, not just tech platforms, firmly under the spotlight.
Inboxes and browsing habits aren’t free-for-all advertising spaces any more. In France and increasingly across Europe, privacy is treated as a fundamental right, not an obstacle to business.
As Europe sharpens its privacy enforcement, the ripple effects will reach far beyond Paris. Google may be able to absorb the fines as a cost of doing business, but regulators are steadily shifting the calculus. The longer the firms rely on gray-area consent tactics, the higher the price tag.
For Shein, the reputational blow may sting just as much as the financial one. A company that already faces criticism over labor and environmental practices now finds itself branded as a repeat offender in the digital space.
The bottom line is that Europe is laying down a marker. Whether you’re a search giant or a fast-fashion powerhouse, the age of easy consent tricks is now behind us.
Also read: Texas AG Paxton Takes on Google—and Wins $1.375 Billion in Privacy Case
Source: Read More
