Cookies and advertisements inserted between emails: GOOGLE fined 325 million euros by the CNIL

 Background

Following a complaint filed by the organisation None Of Your Business (NOYB) on 24th August 2022, the CNIL conducted several inspections between 2022 and 2023 on Gmail messaging service and on the process of creating a Google account.

The investigations revealed that GOOGLE IRELAND LIMITED and GOOGLE LLC displayed advertisements in the form of emails among the emails in the "Promotions" and "Social" tabs of the Gmail messaging service. The restricted committee – the CNIL body responsible for imposing sanctions – considered that the display of such advertisements required the consent of Gmail users, in accordance with Article L. 34-5 of the French Postal and Electronic Communications Code (CPCE).

Furthermore, the restricted committee considered that, when creating a Google account, users were encouraged to choose cookies linked to the display of personalised advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google's services. Their consent obtained in this context was therefore not valid, which constituted a breach of the French Data Protection Act (Article 82).

For these two breaches, the restricted committee issued a public decision imposing:

• Two fines totalling 325 million euros against GOOGLE (200 million euros against GOOGLE LLC and 125 million euros against GOOGLE IRELAND LIMITED) ;
• An order requiring the companies to implement, within six months, measures to cease displaying advertisements between emails in the Gmail service users' mailboxes without prior consent and to ensure valid consent from users for the placement of advertising cookies when creating a Google account. Failing this, the companies will each have to pay a penalty of €100,000 per day of delay.

The amounts of these fines, which only took the number of users residing in France into account, considered the very high number of people affected, as the breach regarding cookies concerned more than 74 million accounts. Among these, 53 million individuals had illegally seen the involved advertisements displayed in the "Promotions" and "Social" tabs of their email accounts.

The restricted committee also pointed out that the GOOGLE group holds a central position in the online advertising market and that its Gmail application is the second most widely used email service in the world. It specified that the companies generate most of their profits in the two main segments of the online advertising market, namely contextual advertising and targeted advertising.

Finally, the restricted committe considered that the companies had been negligent, given that they had previously been sanctioned by the CNIL on two occasions, in 2020 and 2021, for breaches relating to cookies.

The breaches sanctioned

Failure to comply with the obligation to obtain consent from individuals to receive commercial prospecting by electronic means (Article L.34-5 of the CPCE)

The investigations carried out revealed that users of the Gmail messaging service were offered the option of activating "smart features" to organise their inbox into three tabs:

• "Primary";
• "Promotions"; and
• "Social".

The CNIL found that users who chose to activate this setting saw advertising messages in the form of emails inserted between their private emails in their inbox, in the "Promotions" and "Social" tabs, without their consent.

The CNIL, relying on a ruling by the Court of Justice of the European Union (CJEU) on 25 November 2021, considered that these messages promoting services or goods that were not sent by one user to another, but displayed in a space normally reserved for private emails and appearing to be genuine emails, constituted direct marketing by email. Consequently, it is necessary to obtain the consent of the persons concerned in accordance with Article L. 34-5 of the CPCE.
The CNIL noted that companies made visual changes to advertising messages in April 2023 in order to reduce the risk of confusion with other emails. However, it considered that these changes did not call into question the legal regime applicable to the display of these advertisements, as they still cannot be clearly distinguished from genuine emails.

A breach relating to the deposit of cookies without free and informed consent (Article 82 of the French Data Protection Act)

The CNIL found that, until October 2023, the consent of users creating a Google account was not freely given, as it was more difficult to refuse cookies linked to personalised advertising than to accept them.

The CNIL then considered that access to a service may depend on the placement of advertising cookies on users' devices, provided that users have a complete and clear understanding of the value, scope and consequences of their choices. In this case, the CNIL noted that consent was not informed during the account creation process, as there was no information indicating that access to GOOGLE group services depended on the placement of advertising cookies (generic or personalised, depending on the user's choice).

In October 2023, the companies added a button that made it as easy to refuse as to accept the placement of personalised advertising cookies. Nevertheless, the CNIL found that the lack of informed consent still persisted.

The jurisdiction of the CNIL

The CNIL has jurisdiction to carry out investigations and sanction operations related to cookies placed by companies and electronic prospecting carried out on the terminals of Internet users located in France. The cooperation mechanism provided for by the GDPR (the "one-stop shop" mechanism) is not intended to apply in these procedures, since operations related to the use of cookies and electronic prospecting don’t fall under the GDPR but under other rules (the "ePrivacy" Directive, transposed into Articles 82 of the French Data Protection Act for cookies and Article L. 34-5 of the CPCE for electronic commercial prospecting).  

The restricted committee considered that the CNIL also has territorial jurisdiction pursuant to Article 3 of the French Data Protection Act because the use of cookies and electronic prospecting is carried out within the "framework of the activities" of GOOGLE France, which constitutes the "establishment" on French territory of GOOGLE LLC and GOOGLE IRELAND LIMITED.

It also considered that the latter are jointly responsible since they both determine the purposes and means related to the use of cookies and commercial prospecting. It considered that the organisational changes that had taken place had no impact on the joint responsibility of the companies.