Google is facing a fresh privacy complaint in Europe over ads it inserts into its Gmail email service in the guise of emails.
Privacy advocacy group, noyb, has filed the complaint with France’s data protection watchdog, the CNIL, claiming the adtech giant has breached the European Union’s ePrivacy Directive rules on direct marketing by failing to gain consent from Gmail users for the ads it displays inside their inboxes, alongside promotional emails they have actually signed up for.
noyb’s complaint cites a ruling by the EU’s top court last year, in a separate case related to the use of email for direct marketing, which it argues makes it plain that ads which are displayed inside a user’s inbox constitutes “a use of electronic mail for the purposes of direct marketing” — which, under ePrivacy rules, requires user consent. (The Gmail advertising emails only distinguish themselves from genuine emails users have signed up for by the inclusion of an ‘ad’ label and the lack of a date-stamp.)
The complaint asserts that Gmail users did not consent to being spammed with Google’s ads — noting that, under ePrivacy, consent would have needed to be obtained prior to the ads being displayed in their inboxes.
noyb also argues that exceptions set out in relevant EU law do not apply here because Google’s ad emails are not used for the direct marketing of similar products for which consent was previously obtained.
“It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider,” added Romain Robert, lawyer at noyb, in a statement.
Google was contacted for comment on the complaint.
France’s CNIL has been an active regulator of Google on privacy issues, making use of the competency it can exert under ePrivacy — which, unlike the General Data Protection Regulation, does not require cross-border complaints to be funnelled through a lead DPA (in Google’s case, Ireland’s Data Protection Commission) — avoiding the GDPR bottleneck that has slowed down privacy enforcement against Big Tech.
Back in December 2020, the CNIL fined Google $120 million for dropping tracking cookies without consent — after finding it had breached ePrivacy rules. It followed that up with another beefy fine — $170 million — this January for dark patterns it found Google deploying in cookie consent flows.
Those French ePrivacy enforcements soon led to Google announcing an updated cookie consent banner in Europe which finally offered users a top-level option to refuse all its tracking — suggesting muscular enforcement of laws defending web users rights and freedoms can face down the power of Big Tech.
The CNIL also managed to slap Google with an early GDPR enforcement, back in 2019, prior to a legal switch which brought the company’s EU users under the jurisdiction of its Irish subsidiary (instead of its U.S. parent) — thereby ensuring that subsequent GDPR complaints against Google have been routed through Ireland.
Hence the majority of GDPR enforcement on major complaints against Google — such as over the legality of its adtech (a formal investigation was opened in May 2019); or its location tracking practices (under probe in Ireland since February 2020) — remain in limbo as the Irish regulator’s painstaking procedures grind on. But decisions must flow eventually — within months or years.
It will be interesting to see which arrives first: A decision from France’s CNIL on this fresh noyb complaint against Google’s Gmail ad spam (filed August 2022) — or a final decision from Ireland on Google’s adtech or location tracking.
In the meanwhile, noyb has been pressing another series of strategic complaints against Big Tech by targeting B2B users of Google Analytics and Facebook Connect across the EU — which has led to a number of breach findings and warnings from DPAs against use of Google’s analytics software, with France’s watchdog putting out guidance in June that warns users of the tool of the need to apply additional safeguards to ensure their implementation complies with GDPR requirements on data transfers outside the bloc or else switch to a compliant (non-Google) alternative.
Facebook also has a major decision hanging over it related to a long-standing complaint about its EU data exports which was originally filed by noyb’s chairman — long before he founded the privacy advocacy group.