A Deep Dive into Today’s Privacy Crackdown Against Shein & Google
On September 3, 2025, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced staggering fines against tech giant Google and fast-fashion retailer Shein for violations related to cookie management and user consent. Google faces a €325 million penalty, while Shein has been hit with €150 million, marking some of the largest fines ever issued by the CNIL for such infractions. This move underscores the escalating enforcement of GDPR and ePrivacy Directive rules in Europe, particularly amid growing concerns over online tracking and data privacy in an AI-driven world. As consumers increasingly demand transparency, these fines signal a broader regulatory push to hold global corporations accountable. The details of the violations are exactly what privacy professionals would expect, and we’ll compare these penalties to other CNIL actions as well as to recent privacy-related fines faced by both companies. The question remains, though: when will they ever learn?
The fines stem from CNIL’s ongoing action plan initiated in 2019 to enforce cookie regulations, which has now culminated in these high-profile sanctions. Cookies—small data files used to track user behavior for personalized ads and analytics—must comply with strict consent requirements under EU law. Failure to provide clear, easy opt-out mechanisms or placing non-essential cookies without consent constitutes a breach. With tens of millions of users in France alone, both companies’ platforms were scrutinized for practices that allegedly prioritized data collection over user rights, leading to what CNIL described as systemic non-compliance.
CNIL Privacy Violator: Shein’s €150 Million Fine – Fast Fashion Meets Privacy Pitfalls
Shein, the Chinese e-commerce powerhouse known for its ultra-affordable clothing and rapid trend cycles, was fined €150 million (approximately $176 million) by CNIL for multiple cookie-related violations. The penalty targets Infinite Styles Services Co. Limited, Shein’s Irish subsidiary responsible for its European operations. Investigations revealed that Shein placed cookies without obtaining proper user consent, used deceptive interfaces that made rejecting cookies more cumbersome than accepting them, and failed to provide transparent information about data processing.
Specifically, CNIL highlighted how Shein’s website and app employed “dark patterns”—design tricks that nudge users toward consenting to tracking. For instance, the consent banner allegedly buried the “reject all” option behind multiple clicks, while “accept all” was prominently displayed. This practice violates Article 7 of the GDPR, which requires consent to be freely given, specific, informed, and unambiguous. Additionally, Shein was accused of deploying non-essential cookies for advertising and analytics purposes before users could opt out, potentially exposing personal data like browsing habits and purchase preferences without authorization.
The fine’s magnitude reflects Shein’s massive user base in France—estimated at over 20 million monthly visitors—and the repeated nature of the violations, despite prior warnings from CNIL. Shein has responded by stating it will appeal the decision, arguing that its consent mechanisms align with industry standards and that it has invested heavily in compliance tools. However, experts note that this case could set a precedent for other fast-fashion platforms like Temu or Zalando, emphasizing the need for simplified consent processes in high-traffic e-commerce sites.
Beyond the financial hit, this fine could dent Shein’s reputation, especially as it eyes a potential IPO in London or New York. Privacy advocates praise the action, viewing it as a win for consumer rights in an industry often criticized for opaque supply chains and data practices.
Google’s €325 Million Penalty: A Recurring Theme for the Search Giant
Google, no stranger to regulatory scrutiny, received the larger fine of €325 million (about $380 million) for similar cookie infractions across its services, including Search, YouTube, and Gmail. CNIL’s probe found that Google violated French rules on managing cookies and personalized advertising, particularly by making it disproportionately difficult for users to refuse tracking. The authority pointed to Google’s consent interfaces, which required more steps to reject cookies than to accept them, echoing complaints from previous cases.
In detail, CNIL criticized Google’s use of cookies for targeted ads without explicit consent, breaching the ePrivacy Directive’s requirements for electronic communications. The investigation also uncovered issues with transparency: Google’s privacy notices were deemed overly complex, failing to clearly explain how data from cookies was used for profiling. This is particularly concerning given Google’s dominance in the French market, where it processes billions of searches daily and collects vast amounts of user data to fuel its ad ecosystem.
Google has contested the fine, claiming its cookie banners comply with EU guidelines and that it offers robust user controls. Nonetheless, this penalty adds to Google’s mounting legal woes in Europe, where regulators are intensifying efforts to curb Big Tech’s data dominance. The fine also ties into broader concerns about AI training data, as cookies often feed into machine learning models for personalization.
Dark Patterns Deployed That CNIL Caught
- Deceptive Consent Interfaces: Both companies used designs that favored acceptance over rejection, violating GDPR’s “freely given” consent principle.
- Pre-emptive Cookie Placement: Non-essential trackers were deployed before users could consent, leading to unauthorized data collection. Using a tag manager with a proper opt-in model, which we recommend, avoids these issues.
- Lack of Transparency: Privacy policies were vague on data usage, failing to inform users about sharing with third parties or ad profiling.
- Scale of Impact: Affecting millions of French users, amplifying the fines based on the breadth of non-compliance.
- Failure to Rectify: Despite prior audits, neither company fully addressed CNIL’s recommendations from earlier inspections.
These points encapsulate the core issues, providing a quick reference for understanding the regulatory rationale from the CNIL enforcement team.
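An added example (not from the article or from any vendor's product) of the opt-in model the list refers to: non-essential tags are held until the user makes a choice, and rejecting takes one call just as accepting does. The tag names, category names and the `createConsentGate` helper are constructed for illustration.

```javascript
// Added example: opt-in consent gate. All names here are hypothetical.
const NON_ESSENTIAL = new Set(['analytics', 'advertising']);

function createConsentGate() {
  const state = { decided: false, granted: new Set() };
  const pending = []; // non-essential tags waiting for the user's choice
  const fired = [];   // audit trail: names of tags that actually ran

  function run(tag) {
    fired.push(tag.name);
    tag.load();
  }
  function decide(categories) {
    state.decided = true;
    state.granted = new Set(categories.filter((c) => NON_ESSENTIAL.has(c)));
    // Run queued tags whose category was granted; drop the rest for good.
    for (const tag of pending.splice(0)) {
      if (state.granted.has(tag.category)) run(tag);
    }
  }
  return {
    // Essential tags run at once; everything else waits for an explicit choice.
    register(tag) {
      if (!NON_ESSENTIAL.has(tag.category) || state.granted.has(tag.category)) {
        run(tag);
      } else if (!state.decided) {
        pending.push(tag);
      } // decided but not granted: dropped, never loaded
    },
    // Both outcomes are one call, so a banner can bind each to a single click.
    acceptAll: () => decide([...NON_ESSENTIAL]),
    rejectAll: () => decide([]),
    choose: (categories) => decide(categories),
    firedTags: () => [...fired],
  };
}

// Constructed page load: one essential tag and two trackers.
function simulate(decision) {
  const gate = createConsentGate();
  const cookies = [];
  const tag = (name, category) => ({ name, category, load: () => cookies.push(name) });
  gate.register(tag('session', 'essential'));
  gate.register(tag('web_analytics', 'analytics'));
  gate.register(tag('ad_pixel', 'advertising'));
  const beforeConsent = [...cookies]; // what a first-load audit would observe
  decision(gate);
  gate.register(tag('late_ad_tag', 'advertising')); // arrives after the choice
  return { beforeConsent, afterConsent: [...cookies], fired: gate.firedTags() };
}
```

Comparing `beforeConsent` with a site's real first-load cookie list is the check that would surface the pre-emptive placement described in the list.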
Comparing Shein & Google’s Violations To Other CNIL Fines: A Pattern of Escalating Penalties
CNIL has been one of Europe’s most active data protection authorities since GDPR’s inception in 2018, issuing over €1 billion in fines collectively. Today’s penalties rank among the highest, surpassing previous records for cookie-specific violations. For context, in 2021, CNIL fined Google €100 million and Amazon €35 million for similar cookie issues, citing inadequate consent mechanisms. That same year, Facebook (now Meta) was hit with €60 million for cookie non-compliance.
The largest CNIL fine to date remains the €150 million levied against Google in 2022 for cookie consent failures, but today’s €325 million eclipses it, reflecting inflation in penalties as violations persist. Other notable CNIL actions include a €225 million fine against WhatsApp in 2021 for transparency violations and €35 million against H&M in 2020 for employee data misuse. In May 2025, CNIL fined data broker CALOGA €80,000 for unsolicited commercial prospecting.
What sets today’s fines apart is their combined €475 million total, highlighting CNIL’s focus on repeat offenders and high-impact sectors like e-commerce and search. Compared to broader GDPR fines across Europe, these are substantial but dwarfed by Ireland’s €1.2 billion penalty against Meta in 2023 for data transfers. Nonetheless, CNIL’s aggressive stance signals a trend toward higher fines for cookie violations, which have surged as authorities prioritize user-facing privacy issues. We’ve also put together a list of GDPR fines & violations that total billions of dollars. The trend in the USA is shaping up to head in the same direction, but in the USA you also face litigation risk from the private right of action.
CNIL Fine Trends: A Timeline of Major Penalties
- 2019: Google €50 million – First major GDPR fine for lack of transparency in ad personalization.
- 2020: H&M €35 million – For unlawful employee surveillance.
- 2021: Amazon €35 million, Google €100 million – Cookie consent failures.
- 2021: WhatsApp €225 million – Transparency violations (coordinated with Irish DPC).
- 2022: Google €150 million – Continued cookie issues.
- 2025: CALOGA €80,000 – Commercial prospecting without consent.
- 2025: Google €325 million, Shein €150 million – Latest cookie crackdown.
This timeline illustrates CNIL’s escalating enforcement, with fines growing in size and frequency for tech and retail giants.
Shein and Google’s Broader Privacy Woes: Recent Fines in Context
While today’s fines are cookie-centric, both companies have faced a barrage of privacy-related penalties recently, painting a picture of systemic challenges.
For Shein, privacy fines are relatively new, but 2024-2025 has seen a flurry of regulatory actions, albeit more focused on consumer protection than pure data privacy. In July 2025, France’s antitrust agency fined Shein €40 million for deceptive discounting practices, misleading consumers on sales. In August 2025, Italy’s watchdog imposed a €1 million fine for greenwashing—exaggerating environmental claims in marketing. Earlier in August, Shein settled a $700,000 lawsuit in California for misleading promotions, though not directly privacy-related. The CNIL fine marks Shein’s first major privacy hit, but it aligns with EU scrutiny over its data practices, including allegations of unauthorized tracking in a 2025 EU consumer law probe.
Google’s record is far more extensive. In August 2025, Google settled a $30 million lawsuit in the U.S. over YouTube’s alleged violation of children’s privacy by collecting data without parental consent. Earlier, in 2024, its parent Alphabet faced nearly $2.9 billion in global fines, including GDPR penalties. In 2021, CNIL fined Google €150 million for cookie issues, a precursor to today’s action. Other recent hits include a €91 million fine against Meta (relevant for comparison) in 2024 for password storage lapses, but Google’s own include a €50 million CNIL fine in 2019. These repeated fines highlight Google’s challenges in balancing its data-driven business model with stringent privacy laws.
Comparative Chart: Recent Fines for Shein and Google (2024-2025)
Company | Fine Amount | Issuing Authority | Violation Type | Date | Comparison to Today’s Fine |
---|---|---|---|---|---|
Shein | €40 million | French Antitrust | Deceptive Discounts | July 2025 | Consumer-focused, lower than €150m privacy fine |
Shein | €1 million | Italian Watchdog | Greenwashing | August 2025 | Environmental claims, much smaller scale |
Shein | $700,000 | California Courts | Misleading Promotions | August 2025 | U.S. settlement, non-privacy |
Google | $30 million | U.S. Settlement | Children’s Privacy (YouTube) | August 2025 | Targeted at kids’ data, lower than €325m |
Google | €150 million | CNIL | Cookie Consent | 2021 (prior) | Similar issue, half today’s amount |
Google (Alphabet) | $2.9 billion (total) | Various Global | Multiple Privacy/GDPR | 2024 | Cumulative, dwarfs individual fines |
This chart contrasts the penalties, showing the escalation in privacy enforcement and that these companies are no strangers to receiving fines. Such fines can be avoided by using our Consent Management Platform and following proper privacy suggestions.
CNIL’s fines against Google and Shein today represent a watershed moment in EU privacy regulation, emphasizing that no company is too big, or too fast, to be held accountable. As AI and data analytics intensify tracking, businesses must prioritize user-centric designs to avoid similar fates. These actions not only protect consumers but also push for a more ethical digital ecosystem.