โ ๏ธ
Action required. If your organisation operates authenticated user environments (logged-in portals, apps, or services) across multiple devices, the new CNIL multi-device consent rules apply to you. Non-compliance risks are now significant โ Google’s โฌ325M fine is a clear signal of intent.
01 โ Background
Six Years of CNIL Cookie Enforcement
The CNIL’s structured enforcement plan on cookies and trackers โ launched in 2019 โ has steadily escalated in both scope and financial impact. What began as a framework-building exercise has become one of Europe’s most consequential data protection enforcement programmes.
2019
CNIL launches structured enforcement plan on cookies and trackers across French-market operators.
2021
Google fined โฌ150M, Facebook โฌ60M โ reject buttons missing or harder to access than accept buttons.
2022
Amazon fined โฌ35M. CNIL publishes updated cookie guidelines. Consent Management Platforms (CMPs) come under scrutiny.
2023โ2024
CNIL broadens enforcement to mid-size operators. Over 100 formal notices issued. Cross-border cooperation with other DPAs intensifies.
September 2025 ๐ด
Google fined โฌ325M for Gmail ad insertion without consent + invalid cookie mechanism during account creation.
December 2025 ๐ข
CNIL publishes final multi-device consent recommendations โ binding rules for authenticated environments across all devices.
๐ The โฌ325M Google Fine โ Breakdown
โฌ325,000,000
CNIL ยท September 2025 ยท Two separate violations
๐ง
Gmail Ad Insertion
Displaying targeted advertisements inside Gmail inboxes without obtaining prior, explicit user consent under Article 82 of the French Data Protection Act.
๐
Account Creation Cookies
Placing advertising cookies during Google account creation without a valid consent mechanism โ treating account registration as implicit consent.
The scale of this fine reflects a clear regulatory message: no organisation is too large to be held accountable, and “it’s always been done this way” is not a defence. The two violations address patterns that are widespread across the industry โ ad integration in communication tools and consent bypass during onboarding flows.
๐ CNIL Cookie Enforcement โ Historical Scale
Gmail ads + account creation cookies
Consent mechanism harder to refuse than accept
Cookies placed before consent
02 โ New Rules
Multi-Device Consent: The New Framework
Published in December 2025, the CNIL’s final recommendations on multi-device consent establish โ for the first time โ a clear legal framework for how consent can be collected, propagated and documented across multiple devices for authenticated users.
๐ Core principle: Consent given on one device may be extended to other devices โ but only if the user was clearly informed, the propagation is technically traceable, and the original consent record is preserved per device.
๐ฑ How Multi-Device Consent Works
โ
Consent given on Device 1
๐ป
Desktop
Consent collected here
โ
๐ฑ
Mobile App
Propagated if conditions met
โ
๐บ
Smart TV
Propagated if conditions met
- ๐
Authenticated only. Rules apply exclusively to logged-in users. Anonymous/unauthenticated sessions are out of scope and must be treated separately.
- ๐
Full transparency required. Users must be explicitly informed that their consent on one device will apply across all other devices linked to their account.
- ๐
Traceable chain of proof. You must be able to prove: when consent was given, on which device, in which context, and how it was propagated โ with timestamps per device.
- โฉ๏ธ
Withdrawal must be universal. If a user withdraws consent on one device, it must be withdrawn across all linked devices immediately.
- โฐ
Renewal cadence. Consent does not last indefinitely. The CNIL recommends re-asking at reasonable intervals consistent with your original consent terms.
03 โ Action Plan
What Your Organisation Must Do Now
These developments translate into four concrete operational priorities for DPOs and compliance teams. Each has a different urgency level and technical complexity โ but all are now required for defensible compliance.
ACTION 01
๐ช
Audit your cookie banners
Verify that the reject mechanism is equally prominent and accessible as the accept button. Any asymmetry โ visual or UX โ is now a documented enforcement trigger. Test on mobile and desktop.
ACTION 02
โ๏ธ
Update your CMP
If you run an authenticated service, your Consent Management Platform must now handle multi-device propagation logic. Validate that your CMP vendor supports the December 2025 CNIL framework.
ACTION 03
๐
Document consent per device
Build or update your consent logs to capture: device type, timestamp, consent scope, propagation events, and withdrawal events โ per user, per device. This is now your primary proof of compliance.
ACTION 04
๐
Review ad-tech contracts
If you work with advertising technology processors, review your DPAs. Obligations flowing from the CNIL’s ruling must be mirrored in processor contracts โ especially around consent signal transmission.
โ ๏ธ The 3 Lessons From the Google Fine
Lesson 1 โ Context matters for ads
Inserting advertising inside a messaging or communication interface (like Gmail) requires explicit, prior consent โ even if the user agreed to general advertising cookies elsewhere. The context of the placement creates a separate consent obligation.
Lesson 2 โ Registration โ Consent
Creating an account with a service does not constitute consent to advertising cookies. Account creation and cookie consent must be entirely separate flows with separate, unambiguous actions.
Lesson 3 โ France = All of Europe
The CNIL expects that fixing a French compliance gap means updating practices across all EU operations. A “France-only fix” is not a valid response to a CNIL enforcement action if you operate a pan-European service.
๐ก๏ธ
Need a Cookie Compliance Audit?
DPO Advisors can review your consent architecture, CMP configuration, and documentation framework against the latest CNIL requirements โ in under 2 weeks.
Talk to our experts โ
๐ก๏ธ
DPO Advisors
Published January 2026 ยท dpoadvisors.com ยท contact@dpoadvisors.com
