CNIL Fines Google €325 Million & Shein €150 Million in Ongoing Crackdown on Cookie Violations

Key Takeaways
  • Record Sanctions: The CNIL fined Google €325 million ($357 million) and Shein €150 million ($165 million) for cookie-related violations.
  • Shein’s Failures: Cookies were placed before consent, banners lacked key details, third-party information was absent, and refusal mechanisms were ineffective.
  • Google’s Breaches: Gmail displayed ads as emails without consent, and account creation processes pressured users into accepting advertising cookies.
  • Repeat Offender: Google’s sanction followed earlier CNIL fines in 2020 and 2021, with more than 74 million French accounts affected this time.
  • Ongoing Crackdown: The fines are part of CNIL’s enforcement plan, launched in 2019, targeting non-compliant practices under Article 82 of the French Data Protection Act and the ePrivacy Directive.
Deep Dive

France’s data protection watchdog has once again flexed its regulatory muscle, imposing large fines on two global giants, Google and Shein, for failing to comply with rules governing the use of cookies and online advertising practices. The Commission nationale de l'informatique et des libertés (CNIL) announced on September 1 that it had fined Google €325 million ($357 million) and Shein €150 million ($165 million), underscoring its determination to rein in non-compliant tracking practices under its long-running enforcement plan.

The sanctions are the latest in a series of measures that stem from the CNIL’s 2019 action plan on cookies. That initiative, launched with the publication of guidelines and recommendations, aimed to ensure internet users were properly informed and given meaningful choices about tracking. Since 2020, multiple organizations have been sanctioned under Article 82 of the French Data Protection Act for non-compliance, with CNIL increasingly targeting operators of high-traffic websites and services.

While compliance has improved in recent years, the regulator said vigilance remains necessary, especially against practices such as placing cookies without consent or deploying so-called “cookie walls,” which condition access to services on cookie acceptance.

Shein’s Breaches

Fast-fashion retailer Shein, through its Irish subsidiary Infinite Styles Services Co. Limited, was fined €150 million ($165 million) after an August 2023 inspection revealed widespread non-compliance on shein.com, which attracts an estimated 12 million monthly visitors in France alone.

The CNIL’s restricted committee found multiple failures, including:

  • Cookies with advertising purposes were placed on user devices before consent was given.
  • Consent banners lacked key information, including the advertising purpose of cookies.
  • No information was provided on third parties able to place cookies.
  • Mechanisms for refusing or withdrawing consent were ineffective, and cookies were still placed or read even after users rejected them.

The regulator noted that Shein has since adjusted its practices, but the scale of the violations and the company’s central position in e-commerce justified the sanction.

Google’s Breaches

Google faced even steeper penalties after investigations triggered by a 2022 complaint from advocacy group None of Your Business (NOYB). The CNIL found that the company inserted advertisements in the form of emails into Gmail’s “Promotions” and “Social” tabs without user consent, violating Article L. 34-5 of the French Postal and Electronic Communications Code.

Additionally, the regulator concluded that Google misled users during the account creation process by nudging them toward accepting personalized advertising cookies. The consent was deemed invalid because rejecting cookies was more complex, and users were not clearly informed that access to Google’s services depended on cookie placement.

In total, Google Ireland and Google were fined €325 million ($357 million), split between the two entities. They have also been ordered to stop displaying Gmail ads without consent and to ensure valid cookie consent mechanisms within six months or face additional daily penalties of €100,000.

The CNIL highlighted that more than 74 million French accounts were affected by cookie violations and that 53 million individuals saw ads displayed without proper consent. The decision also noted Google’s history of repeat infringements, having already faced CNIL sanctions in 2020 and 2021 for similar cookie-related breaches.

These decisions reaffirm the CNIL’s jurisdiction over cookie and electronic marketing practices under France’s Data Protection Act and the ePrivacy Directive, which fall outside the GDPR’s “one-stop-shop” mechanism. In both cases, the regulator pointed to the companies’ French operations as establishing territorial jurisdiction.
