By Gloria Nosa
France’s data protection authority, CNIL, has handed down two of the heaviest penalties in its history against global tech and retail giants Google and Shein for violating cookie consent laws.
In its decision announced Wednesday, CNIL fined Google 325 million euros—one of the largest fines ever imposed by the regulator—while fast-fashion retailer Shein was ordered to pay 150 million euros. Both companies stand accused of failing to obtain users’ free and informed consent before placing advertising cookies on their devices.
Cookies, the small files stored on web browsers, are a cornerstone of online advertising, enabling platforms to track browsing behavior and deliver targeted ads. But under French and European law, companies must ensure users are fully informed and given clear options to accept or decline them.
According to CNIL, Shein collected “massive” amounts of user data from 12 million monthly visitors in France without proper disclosure or consent, and also offered inadequate means for withdrawing permission. Although Shein has since updated its systems, the company has vowed to appeal the fine, calling it “totally disproportionate” to the alleged violations.
Google, meanwhile, has a longer history of disputes with the French watchdog. This latest penalty marks the third fine over its cookie practices, following 100 million euros in 2020 and 150 million in 2021. Prosecutors had even recommended a steeper penalty of 520 million euros this time, citing the company’s vast French user base and repeated “negligence.”
CNIL criticized Google for practices such as its so-called “cookie wall”—a system requiring users to accept tracking before opening a Google account—without sufficiently explaining the implications. The regulator also flagged Google’s placement of advertisements within Gmail inboxes, which it deemed unlawful “direct canvassing” since no explicit consent was obtained from the 53 million French users affected.
In addition to paying the fines, Google has been given six months to fully comply with French and EU rules. Failure to meet this deadline will trigger further penalties of 100,000 euros per day, applicable to both Google and its Irish subsidiary.
These record-breaking fines underscore CNIL’s ongoing crackdown on major digital platforms, as part of its five-year strategy to enforce stricter data privacy compliance across Europe’s largest online markets.
