noyb Victory: CNIL Fines Google €325 Million for Gmail Spam Ads
Privacy advocacy group noyb (None of Your Business) has scored another major win in its campaign against unlawful digital marketing practices. The French Data Protection Authority (CNIL) has fined Google €325 million for two main violations: sending unsolicited advertising emails directly into Gmail inboxes and for making it difficult for users to refuse advertising cookies during account setup. This follows a complaint noyb first filed over three years ago.
noyb’s Complaint Pays Off
In its August 2022 complaint, noyb argued that Google’s Gmail “ad emails,” which appear among regular messages in the “Promotions” and “Social” tabs, were a form of direct marketing. The group contended that users never provided consent, making the practice unlawful under the French Postal and Electronic Communications Code and the EU ePrivacy Directive. The CNIL agreed, confirming that any form of advertising within a user’s inbox requires prior consent.
The CNIL also found a separate violation concerning cookie consent. Until October 2023, Google’s interface for creating a new account made it far easier to accept personalized advertising cookies than to reject them. The CNIL ruled that this practice violated the French Data Protection Act by not ensuring consent was “freely given, informed, and unambiguous.”
“We are very happy about the CNIL’s decision to sanction Google for this blatant breach of the GDPR. Google tried to sneak commercial emails into the inboxes of Gmail users. This is only allowed if you obtain consent, a fact, the CNIL has now confirmed,” said Max Schrems, Chairman of noyb.
Google a Repeat Target
This is not the first time noyb complaints have led to significant fines for the tech giant. Previous CNIL rulings include:
- €150 million (2021): cookie consent violations.
- €50 million (2019): lack of a legal basis for personalized ads, following complaints by noyb and La Quadrature du Net.
This latest €325 million penalty, split between Google LLC (€200 million) and Google Ireland Limited (€125 million), underscores the regulatory momentum driven by advocacy groups like noyb, who continue to push back against opaque and intrusive marketing practices.
The case has made clear, that in europe at least:
- Inbox ads are subject to the same rules as direct marketing.
- Consent must be freely given, informed, and unambiguous.
- User experience shortcuts that steer users toward consent carry regulatory risks.
The CNIL has ordered Google to cease displaying ads between emails without consent and to ensure valid cookie consent during account setup. Failure to comply within six months could trigger additional fines of €100,000 per day.
Looking Ahead
With noyb leading the charge, regulators are setting clear boundaries on what constitutes acceptable email marketing and marketing in the inbox. For marketers, the takeaway is simple: consent-first strategies are no longer best practice, they are the law.
