Is It Time We Revisited Cookies? Lessons from Google’s €325m Fine

Last month, Google was hit with a staggering €325 million fine by the French data protection authority (CNIL) – the largest fine ever imposed for cookie-related violations.

Yet cookie compliance rarely tops the list of reasons clients reach out to data protection consultants. Cookie compliance often feels like a low-priority or “someone-else’s-job” kind of issue – especially next to high-profile topics like breaches or AI governance. But that mindset is dangerous. The risks are real, the fines are growing, and the requirements are well-established across the EU.

What happened?

Google was fined for displaying ads between Gmail users’ emails without consent, and for placing cookies on users’ devices during Google account creation, again without valid consent.

The CNIL commented that the fine was particularly high because of the “very high number of people affected,” Google’s “central position in the online advertising market” and the popularity of Gmail.

Google has six months to rectify these issues, failing which the CNIL will apply a penalty of €100,000 per day of delay.

If Google Got Fined, What Hope for the Rest of Us?

When a tech giant like Google is penalised at this scale, the natural reaction is: “If they can’t get it right, how can we?” But the reality is, Google probably could get it right – they have the resources, teams, and legal advice.

This raises a broader question many in the industry have been asking: are some firms downplaying cookie compliance to protect advertising revenue? Whether or not that played a role here, CNIL’s fine might change the risk-reward calculation. Regulators are signalling that cookie compliance matters – and the penalties are real.

5 Cookie Compliance Checks Every Company Should Be Doing

Whether you’re a startup or a multinational, cookie compliance isn’t optional. And it doesn’t have to be overwhelming. Here are 5 simple but essential checks you can do today:

1. No pre-checked boxes

Consent must be freely given. Pre-ticked boxes are unlawful under GDPR – and yet, they’re still surprisingly common.

2. Avoid deceptive design (“dark patterns”)

That big, bright “Accept All” button next to a tiny, greyed-out “Reject” one? That’s manipulation, not choice. Regulators have repeatedly called this out.

3. Make rejecting as easy as accepting

If users can accept all cookies in one click, but have to navigate multiple steps to refuse them, your consent mechanism may not be compliant. Regulators expect symmetry: refusal must be as easy and accessible as acceptance.

4. Don’t drop cookies before consent

Analytics, marketing, and tracking cookies must not be set until the user has actively opted in. Simply loading them on page load, even if you ask for consent later, is a breach.

5. Keep records of consent

Many platforms don’t retain good records of cookie consent – especially after updates or re-designs. But logging when, how, and what the user consented to will provide valuable proof in the event of a challenge or audit.
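To make checks 1, 3, 4 and 5 concrete, here is a small consent gate that a front-end could sit in front of its tracker loaders. It is an added example, not code from the original post or from any particular consent platform; the category names, the policy version string and the in-memory log are assumptions chosen for illustration.

```javascript
// Added illustration of checks 1, 3, 4 and 5 (not from the original post).
// Assumed: two optional categories, a free-text policy version, an in-memory log.
const CATEGORIES = ["analytics", "marketing"]; // strictly necessary cookies need no consent

// Check 1: nothing is pre-ticked. Every optional category starts as "not consented".
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

class ConsentGate {
  constructor(policyVersion, clock = () => new Date().toISOString()) {
    this.policyVersion = policyVersion;
    this.clock = clock;      // injectable so the record is reproducible in tests
    this.decision = null;    // null until the user actively decides
    this.log = [];           // check 5: when, how and what was consented to
  }

  // Check 3: one call whatever the user picks. "Accept all" and "Reject all"
  // are symmetric single steps; a partial choice goes through the same path.
  decide(choices, method) {
    const record = {
      at: this.clock(),
      method,                          // e.g. "banner:accept_all", "banner:reject_all"
      policyVersion: this.policyVersion,
      choices: { ...defaultChoices(), ...choices },
    };
    this.decision = record;
    this.log.push(record);
    return record;
  }

  acceptAll(method = "banner:accept_all") {
    return this.decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])), method);
  }

  rejectAll(method = "banner:reject_all") {
    return this.decide(defaultChoices(), method);
  }

  // Check 4: a tracker may only be loaded (and set its cookies) after an
  // explicit opt-in for its category. No decision yet means no cookie.
  mayLoad(category) {
    return this.decision !== null && this.decision.choices[category] === true;
  }

  // Wrap the tracker loader so it is never reached before consent.
  loadIfConsented(category, loader) {
    if (!this.mayLoad(category)) return false;
    loader();
    return true;
  }
}
```

The point of `loadIfConsented` is that the analytics or marketing script tag is simply not injected on page load; the only path to it runs through a recorded, timestamped decision.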

Final Thoughts

Cookie compliance often feels like a box-ticking exercise – but it shouldn’t. The risks are real, the fines are serious, and the solutions are (relatively) simple. If regulators are willing to hold Google accountable, none of us should assume we’re flying under the radar. It’s time to move cookies from the “probably fine” pile to the “urgent compliance review” list.
