Regulators Intensify Global Privacy Push Against Tech Giants

Alphabet Inc.'s GoogleGOOGL-- has been fined 325 million euros (approximately $381 million) by France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), for improperly displaying advertisements in Gmail users’ inboxes without prior consent and for using cookies without user approval. The CNIL has also mandated that Google cease displaying ads between emails in Gmail users’ inboxes without consent and ensure that users provide valid consent for the creation of a Google account to place ad trackers. Failure to comply within six months will result in daily penalties of 100,000 euros for both Google and its Irish subsidiary. A Google spokesperson stated the company was reviewing the decision and emphasized that users have always had control over the advertisements they see within its products. In response to the ruling, Google has already made updates to address some of the CNIL’s concerns, including easier ways to decline personalized ads when creating a Google account and changes to how ads are presented in Gmail.

Simultaneously, in the United States, a federal jury ruled that Google must pay $425 million for invading users’ privacy by continuing to collect data from millions of users who had turned off the Web & App Activity tracking feature in their Google accounts. The class-action lawsuit, filed in July 2020, alleged that Google accessed mobile devices over an eight-year period to collect, store, and use user data in violation of its privacy assurances. The case was certified by U.S. District Judge Richard Seeborg as a class action, covering approximately 98 million Google users and 174 million devices. The jury found the company liable on two of the three claims brought by the plaintiffs but ruled that Google had not acted with malice, thereby denying plaintiffs any punitive damages. Google plans to appeal the decision, with a company spokesperson stating that the ruling misunderstands how its products function and emphasizing that the company honors users’ choices when personalization settings are turned off.

At trial, Google defended its actions by asserting that the data collected was “nonpersonal, pseudonymous, and stored in segregated, secured, and encrypted locations,” and that the information was not associated with users’ Google accounts or individual identities. The company has faced similar privacy-related legal challenges in recent years, including a $1.4 billion settlement with Texas over alleged violations of the state's privacy laws and a $425 million fine from a U.S. federal jury for privacy violations. Additionally, in April 2024, Google agreed to destroy billions of data records from users’ private browsing activities as part of a settlement in a lawsuit that claimed the company tracked users under the impression of privacy, including within Incognito mode.

These recent legal developments mark a continuation of mounting scrutiny against Google’s data collection practices and its ability to comply with evolving global privacy regulations. The simultaneous U.S. and French actions signal increasing regulatory pressure on tech firms to align their operations with stricter data protection standards. With Google reportedly reviewing the latest rulings, the outcomes of these cases may influence future enforcement actions and shape the company’s approach to privacy and data governance in both jurisdictions.

The penalties and required compliance measures imposed by French and U.S. authorities reflect the growing importance of user consent and transparency in data processing activities. As regulatory bodies continue to hold major technology companies accountable for privacy violations, the burden of compliance is expected to increase, particularly for firms operating in multiple jurisdictions with varying legal requirements. The actions taken by the CNIL and U.S. courts highlight the necessity for companies to continuously review and refine their data handling practices to meet the expectations of both regulators and users.

Source: [1] Google must pay $425 million in class action over privacy ... (https://www.cnbc.com/2025/09/04/google-must-pay-425-million-in-class-action-over-privacy-jury-rules.html) [2] Google hit with $425M fine in the US for invading users ... (https://www.arabnews.com/node/2614062/media)