Google LLC is a limited liability company based in California, USA, and the primary subsidiary of Alphabet Inc., which wholly owns it. Founded in 1998, it developed and operates core services such as Google Search, Gmail, Google Maps, and YouTube. Google Ireland Ltd (GIL) serves as the entity responsible for managing Google products within the European Economic Area (EEA) and Switzerland. The CNIL considers the two companies, along with the parent company, Alphabet Inc., to constitute a single economic unit (the ‘GOOGLE Group’). In 2024, Alphabet Inc. reported a revenue of over $350 billion and a profit exceeding $100 billion. GIL alone generated a revenue of over €72.6 billion in 2022. See CNIL, ‘Délibération de la formation restreinte no SAN-2025-004 du 1 er septembre 2025 concernant les sociétés GOOGLE LLC et GOOGLE IRELAND LIMITED’ (2025) SAN-2025-004 accessed 23 October 2025, paras 2 – 4.
Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, consolidated version available at .
Code des postes et des communications électroniques, consolidated version available at .
CNIL, ‘Délibération de la formation restreinte no SAN-2025-004 du 1 er septembre 2025 concernant les sociétés GOOGLE LLC et GOOGLE IRELAND LIMITED’ (2025) SAN-2025-004 accessed 23 October 2025.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Gen-eral Data Protection Regulation) [2016] OJ L 119/1.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201/37 as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 [2009] OJ L 337.
Google had already been sanctioned by the CNIL in December 2021 for a related breach of art 82 of the LIL, concerning non-compliant cookie deposit practices. See CNIL, ‘Délibération de la formation restreinte n°SAN-2021-023 du 31 décembre 2021 concernant les sociétés X et Y’ (2021) SAN-2021-023 le 31 décembre 2021 < https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840062> accessed 23 October 2025 as mentioned in CNIL (n 5) para 224.
This is a literal translation.
See also: CNIL, ‘Délibération n° 2020-092 du 17 septembre 2020 portant adoption d’une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux « cookies et autres traceurs’ (2020) accessed 23 October 2025, para 17.
GDPR, art 5.1(a).
CNIL, ‘Délibération de La Formation Restreinte n°SAN-2024-019 du 14 Novembre 2024 Concernant La Société ORANGE SA’ (2024) SAN-2024-019 accessed 2 December 2025, and in that regard, Lisa Haro, 'Consent and Cookies: Has Orange Crossed the Line? An Analysis of CNIL Decision SAN-2024-019' (2025) 11(1) EDPL 93-96. The CNIL has intervened in similar scenarios repeatedly; see also CNIL, ‘Délibération de la formation restreinte n° SAN-2025-001 du 15 mai 2025 concernant la société SOLOCAL MARKETING SERVICES’ (2025) SAN-2025-001 accessed 23 October 2025.
Case C-102/20 StWL Städtische Werke Lauf ad Pegnitz GmbH v eprimo GmbH [2021] ECLI:EU:C:2021:954.
See also: EDPB, ‘Guidelines 04/2022 on the calculation of administrative fines under the GDPR‘ (2023) ch 7.
Treaty on the Functioning of the European Union (consolidated version) [2016] OJ C 202/1.
C-102/20 StWL Städtische Werke Lauf ad Pegnitz GmbH v eprimo GmbH (n 14).
