Google hit with $806M in penalties from US and French authorities over privacy issues

In an unprecedented day of privacy enforcement, Google was hit with $806 million in combined penalties on Wednesday as authorities on two continents delivered a coordinated blow to the tech giant’s data collection empire.

The dual actions signal what analysts call a turning point in global privacy enforcement — the end of Big Tech’s ability to treat regulatory oversight as fragmented and manageable.

Within hours of each other, a San Francisco jury ordered Google to pay $425 million for deceiving users about privacy controls, while France’s data protection authority CNIL slapped the company with a separate $381 million (€325 million) penalty for inserting ads in Gmail and manipulating cookie consent.

“This is a turning point,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “Regulators on both sides of the Atlantic struck in parallel. It was less a coincidence and more a sign of maturity: privacy infractions are no longer being dealt with in isolation but amplified through transatlantic echo.”

Five years in the making: the $425 million verdict

The San Francisco verdict caps a legal saga that began in July 2020 when smartphone user Anibal Rodriguez discovered Google was still harvesting his data despite disabling “Web & App Activity” tracking. His complaint grew into Rodriguez v. Google LLC, Case No. 20-cv-4688-RS, a class action representing 98 million users across 174 million devices.

The case exposed what plaintiffs called Google’s “fake button” problem. Users who toggled off tracking believed they had stopped data collection, but court documents reveal Google continued gathering information through partnerships with apps like Uber, Venmo, and Instagram using Google’s analytics services.

US District Judge Richard Seeborg certified the class action, setting up a confrontation over whether users’ privacy choices actually mattered. The eight-person jury found Google liable for invasion of privacy under California law, though stopping short of finding malice — preventing punitive damages, according to a Bloomberg report.

“This decision misunderstands how our products work, and we will appeal it,” Google spokesperson Jose Castaneda said. But the jury disagreed, with the panel’s foreperson telling attorneys that Google’s “consent language should be a little more obvious,’ noting that “the average user is probably not a reader, the average user is probably a skimmer,” the report added.

France’s innovation: daily penalties that change everything

The French action originated from a complaint filed by None Of Your Business (NOYB), the Vienna-based privacy advocacy group founded by activist Max Schrems.

The violations were extensive: “The breach regarding cookies concerned more than 74 million accounts,” the CNIL decision stated. “Among these, 53 million individuals had illegally seen the involved advertisements displayed in the ‘Promotions’ and ‘Social’ tabs of their email accounts.”

CNIL imposed a €325 million ($381 million) fine, but the more significant deterrent may be the penalty structure. The authority ordered Google to comply within six months or face €100,000 ($117,000) in daily penalties, the decision specified.

“One-off fines, even at eye-watering levels, can be tucked into extraordinary items,” Gogia explained. “Daily penalties change the equation. They turn every day of delay into a cost, every board meeting into a reckoning.”

“People have always been able to control the ads they see in our products,” a Google spokesperson said. “Over the last two years, as the CNIL has acknowledged, we made additional updates to address their concerns, including an easy way to decline personalized ads in one click when creating a Google account, and changes to the way ads are presented in Gmail. We’re reviewing the decision.”

The end of jurisdiction shopping

The simultaneous penalties reveal how privacy enforcement has evolved from isolated regulatory actions to coordinated global pressure. For over a decade, Big Tech survived on fragmented oversight — settling with one authority here, redesigning a banner there. That comfort has evaporated.

“The age of jurisdiction shopping is over,” Gogia said. ‘Compliance can no longer be compartmentalised by geography — it has to be harmonised, rigorous, and defensible across the board.”

Google’s repeated violations also strip away the illusion that size equals compliance sophistication. Despite extraordinary engineering capability, formidable legal resources, and deep financial reserves, the company finds itself repeatedly facing privacy rulings.

Consider the pattern: Google paid nearly $1.4 billion to Texas earlier this year, agreed in April 2024 to destroy billions of “Incognito” mode data records, and now faces these dual penalties. Each case targets different aspects of Google’s data collection apparatus, creating cumulative pressure for systemic change.

For enterprise IT leaders, the implications are profound. “Vendor evaluation must now treat compliance credibility as a board-level criterion, equal to cost, performance, and innovation,” Gogia noted. “Trust is becoming the determinant of vendor viability, not a secondary concern.” The daily penalty structures create ongoing operational pressure that transcends traditional financial planning. Gogia pointed out that companies now face mounting fines for failing to implement court-ordered changes — a shift from one-time penalties to continuous accountability that turns “every quarter into an exercise in reputational damage control.”