Full Report
Google has been penalized €325 million ($379 million) and clothing retailer Shein has been ordered to pay €150 million ($175 million) for not getting proper consent from users for advertising cookies, France's CNIL said.
Analysis Summary
# Regulation/Compliance: French Cookie Usage & Consent Rules (CNIL Enforcement)
## Overview
This summary pertains to recent enforcement actions taken by the French data protection authority (CNIL) against Google and Shein for violations related to the use and management of internet tracking cookies, specifically focusing on the failure to obtain explicit user consent prior to tracking activities.
## Key Details
- Issuing Authority: Commission Nationale de l'informatique et des Libertés (CNIL) (France's data protection regulator)
- Effective Date: The underlying laws regarding cookie consent have been in effect (derived from ePrivacy Directive/GDPR context), but the enforcement actions referenced took place around September 2025.
- Jurisdiction: France (and by extension, the European Union's data protection framework).
- Status: In Effect (Enforcement Action)
## Requirements
### Mandatory Requirements
1. **Obtain Prior User Consent:** Organizations must obtain explicit user consent *before* placing or reading any non-essential internet cookies (especially advertising cookies) on a user's device.
2. **Provide Clear Information:** Users must be adequately informed about the tracking occurring via cookies.
3. **Offer Means to Withhold Consent:** Organizations must provide users with easy and clear options to refuse or withhold consent for tracking cookies (i.e., consent cannot be the sole condition for access).
4. **Avoid Cookie Walls:** Practices that force users to accept cookies as a condition of using a service ("cookie walls") are highly scrutinized and likely prohibited under current CNIL interpretations.
5. **Specific Compliance for Email Services:** If using data within services (like Google inserting ads "in the form of emails" between Gmail tabs), consent must be obtained for those advertising purposes.
### Recommended Practices
1. **Review Account Setup Flows:** Ensure that the process for setting up new accounts does not implicitly push users toward accepting targeted advertising cookies without clear notice and affirmative consent.
2. **Proactive Policy Updates:** Immediately update cookie policies and consent banners when CNIL guidance or new enforcement trends emerge.
## Affected Organizations
- Industries: Any entity operating a website or service that tracks users in France via cookies, including E-commerce (Shein) and Online Services/Advertisers (Google).
- Organization Size: Enforcement targets were large global entities, indicating high penalties can apply regardless of local establishment size if serving the French public.
- Geographic Scope: Entities targeting or serving users within France.
## Compliance Timeline
- **Prior to Finalization of Previous Probes:** The CNIL had been scrutinizing cookie use across the industry for at least five years (since 2019, according to one referenced press release).
- **As of September 2025:** Fines were levied against Google and Shein.
- **Immediate Change (Shein):** Shein reportedly changed its policies to comply with French and European data protection laws *as a result* of the probe.
## Implementation Guidance
### Assessment Phase
- **Audit Data Collection:** Conduct a comprehensive audit of all third-party trackers and cookies deployed on French-facing websites and applications.
- **Consent Mechanism Review:** Evaluate existing cookie banners and consent interfaces to ensure they meet the standards for affirmative, informed, and freely given consent (no cookie walls).
### Implementation Phase
- **Remediate Non-Consensual Tracking:** Immediately halt the use of advertising cookies for users in France until valid consent is obtained.
- **Refine Disclosure:** Rewrite consent notices to clearly explain *what* data is collected, *why* (purposes), and *by whom*.
- **Implement Granular Controls:** Ensure users can easily accept some cookies while rejecting others, especially advertising cookies.
### Validation Phase
- **Internal Audits:** Periodically re-run technical scans to confirm no non-consented scripts are firing.
- **Legal Review:** Have the updated consent flow reviewed by legal counsel specializing in GDPR/ePrivacy to ensure alignment with CNIL's current strict interpretations.
## Technical Requirements
- **Pre-Consent Script Loading:** Scripts for non-essential cookies (especially advertising/tracking) must be blocked from loading until the user affirmatively consents.
- **Default Privacy Settings:** Default settings must be privacy-protective; tracking must be off by default.
## Penalties & Enforcement
- **Fines (Google):** €325 million ($379 million).
- **Fines (Shein):** €150 million ($175 million). These were noted as two of the largest penalties ever issued by CNIL.
- **Other Consequences:** Public naming and shaming via official press releases, reputational damage, and the requirement to immediately cease non-compliant practices.
- **Enforcement:** Direct investigation and penalty imposition by the national Data Protection Authority (CNIL).
- **Legal Challenge:** Fined entities (Shein) may challenge the fines in court, citing issues like alleged disproportionality.
## Related Standards
- **GDPR (General Data Protection Regulation):** Underlying framework requiring lawful basis for processing personal data, particularly concerning consent.
- **ePrivacy Directive (Cookie Law):** Specifically governs the use of electronic communications data, including tracking technologies like cookies.
## Resources
- Official Documentation: CNIL Press Release regarding Shein Fines (search CNIL website for "Shein 150 million euros").
- Guidance Documents: CNIL's official guidance on cookies and other trackers (available on the CNIL website).
- Tools: Digital consent management platforms (CMPs) integrated correctly to manage user preferences.
## Practical Recommendations
1. **Audit Cookie Walls Immediately:** If you use any mechanism forcing consent for service access, redesign it immediately to offer a clear "Reject All" path equivalent to the "Accept All" path.
2. **Isolate Advertising Consent:** Ensure advertising cookie consent is separate from the consent required for basic site functionality.
3. **Prepare for Appeals:** If targeting large volumes of users in France (like Shein/Google), anticipate high financial penalties if audits reveal systemic failures in obtaining consent.