CNIL Fines Google €325M and SHEIN €150M for Breaking Cookie Rules
France’s data protection authority, the CNIL, has fined the fast-fashion giant SHEIN’s Irish subsidiary €150 million for breaching cookie consent rules. The decision, announced in September 2025, highlights that cookie compliance remains one of the biggest risks for global digital businesses operating in Europe.
Following an investigation into shein.com, the CNIL found that advertising cookies were automatically placed on users’ devices as soon as they visited the website, before any action was taken to accept or reject them. The website’s cookie banner also failed to provide meaningful information about the purposes of the cookies or the third parties involved.
Even more strikingly, when users clicked “Reject all,” tracking cookies continued to be installed and read, effectively nullifying their choice. CNIL described these as serious breaches of Article 82 of the French Data Protection Act, which implements the EU ePrivacy Directive a framework that governs cookies and online trackers separately from the GDPR.
The regulator took into account the scale of SHEIN’s operations, with around 12 million visitors from France each month, and its failure to correct the issues quickly. The result was a fine of €150 million, placing SHEIN among the most heavily sanctioned companies in Europe for cookie violations, alongside Google and Meta.
The CNIL’s Message: Cookie Rules Are Not Optional
While many companies assume cookie compliance falls under the GDPR’s “one-stop shop” mechanism (allowing a single EU data authority to take the lead), the CNIL’s decision highlights that ePrivacy operates outside that framework. This means the French regulator can directly investigate and penalise businesses if their cookie practices affect users in France even if the company is headquartered elsewhere in the EU.
The CNIL has made cookie enforcement a strategic priority since 2020, imposing record fines against Google, Amazon, and TikTok. This latest case confirms that vague banners, default tracking, and incomplete consent mechanisms are no longer acceptable.
Key Takeaways for Businesses
For any company using cookies or similar tracking technologies, this ruling offers several crucial lessons, including the following:
Consent must be active and explicit: No cookies should be placed until a user clicks “Accept.” Implied consent or pre-ticked options are non-compliant.
Information must be complete and accessible: Users should know who’s collecting their data, for what purpose, and how they can change their choices.
Respect refusals and withdrawals: Systems must be designed so that “Reject all” means no tracking, and any previously set cookies must stop operating immediately.
Check local enforcement risk: Even if your headquarters are outside France, targeting French users brings you under the CNIL’s jurisdiction for cookie matters.
Make compliance a business advantage: Transparent consent practices not only reduce risk but can also strengthen brand trust and demonstrate ethical data stewardship.
The CNIL’s action against SHEIN shows that regulators are no longer tolerating “cosmetic compliance.” Cookie pop-ups that mislead, nudge, or ignore user choices will draw enforcement, and for large platforms, the financial and reputational costs can be enormous. For digital businesses, this is an opportunity to rethink how they handle user consent.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you, get in contact with us today for more information.