France's CNIL Google decision clarifies joint controllership and cookie consent

The question

When can affiliated entities be deemed joint controllers under the GDPR in cookie and advertising contexts?

The key takeaway

The CNIL prioritises real‑world control over contractual labels, staying consistent with prior decisions and EU case law. For cross‑border groups, the priority should be to design governance structures, responsibilities and technical ownership with clearly stated roles or risk a finding of joint‑controllership which brings with it increased complexity.

The background

As part of its ongoing cookies enforcement programme, CNIL has recently imposed fines on both Google and Shein for breaches relating to cookies and consent. The investigations form part of the CNIL’s cookies compliance strategy launched over five years ago, which has focused especially on operators of high‑traffic websites and services. In its decisions, the CNIL stressed that cookies consent must be genuinely informed, meaning users receive clear, complete information about what accepting or refusing entails, including the downstream consequences for data use and advertising.

Against this backdrop, CNIL’s decision against Google provides particularly notable guidance on controllership. CNIL fined Google LLC €200 million and Google Ireland Limited €125 million for unsolicited Gmail ads and cookies set without valid consent, affecting over 74 million users in France. It ordered Google to stop these practices and obtain informed consent within six months or face further penalties.

The separate fine against Shein for cookie infringements underscores CNIL’s broader, continuing focus on compliant cookie practices and manipulation‑free consent mechanisms.

The development

Importantly, in Deliberation SAN‑2025‑004, CNIL also found Google Ireland Limited (GIL) and Google LLC (GL) to be joint controllers for Gmail ad processing under Articles 4(7) and 26(1) GDPR, based on factual control over the purposes and means: GL designs, manages and owns core systems and policies, while GIL co‑designs and implements EEA features. Google argued that only GIL was responsible and that GL was merely a third‑party developer under data processing agreements, but the CNIL rejected this, emphasising that contractual labels cannot override the reality of joint decision‑making.

The CNIL’s key considerations in finding GIL and GL to be joint controllers were as follows:

• entities are joint controllers when they jointly determine purposes and essential means of processing;
• contractual labels (e.g. “processor”) are not determinative - actual control and influence prevail;
• joint controllership does not require identical roles. In line with previous CJEU’s rulings, control may be uneven and is assessed on concrete facts;
• internal governance structures revealed a shared influence over data processing activities and approvals of both entities on new product rollout;
• when one entity is the architect and technical owner of the core systems (including cookies and related infrastructure) which the other entity could not unilaterally modify, they are likely to be joint controllers.

CNIL also considered that it had found GL to be a joint controller in respect of Google services in previous decisions, due to the role it played in designing and building Google product technology, and this analysis had not been challenged previously. The subcontract between the parties had not changed since the previous decision and therefore CNIL considered that that analysis still stands.

Why is this important?

CNIL’s restricted committee decisions are legally binding in France and, in cookie/ePrivacy matters, apply directly to processing affecting users in France, even for companies headquartered elsewhere in the EU. They therefore set concrete, enforceable expectations for design, consent, and controllership, with immediate compliance implications and the risk of significant fines and periodic penalty payments.

More broadly, CNIL is an influential regulator and, as a result, these decisions provide practical guidance that complements CJEU case law and clarify how to assess joint controllership based on factual influence rather than contractual labels. As many multinational providers align implementations EU‑wide, CNIL decisions often have persuasive effect beyond France and signal enforcement approaches across the Union.

Any practical tips?

For cross‑border groups, it is important to map who actually decides on purposes and essential means, align contracts and privacy notices and, where control is shared, put in place an Article 26 joint‑controller arrangement with clear allocation and external transparency.

Organisations should consider:

• keeping auditable records of governance (e.g. design reviews and privacy approvals);
• ensuring consent flows and cookie/ad configurations are owned by the entity or entities exercising real control with EEA‑specific defaults; and
• refreshing DPIAs and accountability documentation as roles and systems evolve.

Winter 2025