In a significant enforcement of data privacy regulations, the French data protection authority, Commission nationale de l’informatique et des libertés (CNIL), has imposed a fine of €325 million ($379 million) on Google for breaching cookie consent rules. This action underscores the ongoing scrutiny of tech giants’ compliance with privacy laws.
Details of the Violation
The CNIL’s investigation revealed that Google placed advertising cookies on users’ browsers without obtaining their explicit consent. This practice contravenes the French Data Protection Act, which mandates clear and informed user consent before such data collection. The authority noted that when users created a Google account, they were encouraged to accept cookies related to personalized advertisements, often without being fully aware that this was a prerequisite for accessing Google’s services. This lack of transparency led the CNIL to conclude that the consent obtained was neither valid nor informed.
Historical Context and Recurring Issues
This is not the first instance of Google facing penalties for similar infractions. In January 2019, the CNIL fined Google €50 million ($57 million) for lack of transparency, inadequate information, and lack of valid consent regarding ads personalization. The authority criticized Google’s complex consent process, which required users to navigate through multiple documents and actions to access essential information. Additionally, in January 2022, Google was fined €60 million ($68 million) for failing to provide users with an easy option to reject cookie tracking technology. The CNIL highlighted that while users could accept cookies with a single click, rejecting them required multiple steps, thereby infringing on users’ freedom of consent.
Implications for Google’s Practices
The CNIL has mandated that Google align its systems with the French Data Protection Act within six months. Failure to comply will result in additional penalties of €100,000 per day. This directive emphasizes the necessity for Google to overhaul its cookie consent mechanisms to ensure they are transparent and user-friendly.
Broader Industry Impact
The enforcement actions against Google are part of a broader trend of regulatory bodies holding tech companies accountable for data privacy violations. For instance, in October 2024, the Irish Data Protection Commission fined LinkedIn €310 million ($335 million) for conducting behavioral analyses of personal data for targeted advertising without proper consent. Similarly, in April 2025, Apple was fined €150 million by the French regulator for discriminatory App Tracking Transparency (ATT) consent practices.
Conclusion
The substantial fine imposed on Google by the CNIL serves as a stark reminder of the critical importance of adhering to data privacy laws. It highlights the necessity for companies to implement transparent and user-centric consent processes, ensuring that users are fully informed and have genuine control over their personal data.
