French Regulator Slaps SHEIN with €150 Million Cookie Fine — What It Means for Every Website Operator


France’s data protection authority, the CNIL, fined INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary associated with fast-fashion giant SHEIN, €150 million for serious cookie consent violations. This sanction ranks among CNIL’s largest to date and demonstrates the regulator’s intensifying scrutiny of online tracking practices.

What Did SHEIN Do (or Fail to Do)?

  • Pre-consent cookie deployment: advertising and analytics cookies were placed before users could accept or deny.
  • Refusal didn’t stop tracking: cookies continued to operate even after users opted out.
  • Transparency gaps: insufficient information was provided about third-party trackers and their purposes.
  • Territorial reach: CNIL asserted jurisdiction because the company targeted French users, even though its entity was based in Ireland.

There is a list of GDPR and CNIL best practices for meeting these privacy requirements, and we can help you implement them to avoid these very expensive fines and litigation. The SHEIN fine is just another example, and the trend will only continue to increase, as we’ve showcased with the billions in fines each year for GDPR violations.

Broader Implications for Data Privacy in France — Why This Case Matters

  1. Cookie compliance has become high-stakes: multimillion-euro fines are no longer limited to large tech firms.
  2. Design equals liability: confusing banners, hard-to-find reject buttons, and overlapping dialogs are now treated as dark patterns.
  3. Vendor responsibility: companies are accountable for ensuring third-party tags respect user consent.
  4. Withdrawal must work: once consent is withdrawn, all tracking must immediately stop.
  5. Jurisdiction follows the user: targeting EU residents triggers EU privacy laws, regardless of corporate headquarters.

Quick Compliance Checklist for CNIL Compliance

Task | Why It Matters
Audit consent and tags | Identify any cookies firing before consent is given.
Fix consent UX | Reject should be as simple and prominent as Accept.
Enforce withdrawal | Ensure cookies stop being set or read after refusal.
Govern third-party tags | Block or allow scripts by purpose and vendor.
Map jurisdictional exposure | Confirm which local regulators may assert authority.
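
The audit, withdrawal and tag-governance items above can be checked mechanically by replaying a recorded browsing session against a registry of declared cookies. The sketch below is an added example, not code from this article or from any vendor it mentions; the cookie names, vendors, registry and session capture are all constructed for illustration.

```javascript
// Constructed registry of declared cookies: name -> purpose and vendor (hypothetical).
const REGISTRY = new Map([
  ["session_id",   { purpose: "essential",   vendor: "first-party" }],
  ["ex_analytics", { purpose: "analytics",   vendor: "analytics.example" }],
  ["ex_ads",       { purpose: "advertising", vendor: "ads.example" }],
]);

// Constructed capture of one session, in time order (t in milliseconds).
const SESSION = [
  { t: 0,    type: "cookie",  op: "set",  name: "session_id" },
  { t: 120,  type: "cookie",  op: "set",  name: "ex_ads" },       // no choice made yet
  { t: 900,  type: "consent", granted: ["analytics"] },           // advertising refused
  { t: 950,  type: "cookie",  op: "set",  name: "ex_analytics" },
  { t: 980,  type: "cookie",  op: "read", name: "ex_ads" },       // read after refusal
  { t: 990,  type: "cookie",  op: "set",  name: "ex_pixel" },     // not in the registry
  { t: 2000, type: "consent", granted: [] },                      // consent withdrawn
  { t: 2100, type: "cookie",  op: "set",  name: "ex_analytics" }, // set after withdrawal
];

// Replay the session and flag every cookie operation the current consent state does not cover.
function auditSession(events, registry) {
  let granted = null; // null until the user makes a first choice
  const findings = [];
  for (const ev of events) {
    if (ev.type === "consent") {
      granted = new Set(ev.granted); // latest choice replaces the previous one
      continue;
    }
    const entry = registry.get(ev.name);
    let issue = null;
    if (!entry) issue = "undeclared";
    else if (entry.purpose === "essential") issue = null;
    else if (granted === null) issue = "pre-consent";
    else if (!granted.has(entry.purpose)) issue = "after-refusal";
    if (issue) {
      findings.push({ t: ev.t, op: ev.op, name: ev.name, vendor: entry ? entry.vendor : "unknown", issue });
    }
  }
  return findings;
}

for (const f of auditSession(SESSION, REGISTRY)) {
  console.log(`${f.t}ms ${f.op} ${f.name} (${f.vendor}): ${f.issue}`);
}
```

Reads are flagged as well as writes because the checklist asks that cookies stop being set or read after refusal; the "undeclared" finding corresponds to the transparency gap around third-party trackers.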

Other CNIL Fines You Should Know

Google — €325 million (2025): CNIL fined Google for inserting ads between Gmail messages without valid consent and for setting cookies during account creation without explicit opt-in.

Google — €150 million and Meta (Facebook) — €60 million (2022): Both companies were penalized for cookie banners that made rejection harder than acceptance. The ruling established that refusal options must be equal and immediate.

Amazon — €35 million (2020): CNIL confirmed the fine for placing cookies on Amazon.fr without user consent or clear disclosure of their purpose.

Amazon France Logistique — €32 million (2023–2024): CNIL fined the company for excessive workplace monitoring and retention of employee scanner data beyond legal limits.

Apple — €8 million (2022): The regulator found that personalized ads on the App Store used identifiers without prior user consent, highlighting the importance of opt-in defaults.

Criteo — €40 million (2023): The adtech firm was fined for failing to prove consent across its retargeting ecosystem, emphasizing the need for traceable consent records.

Clearview AI — €20 million plus additional penalties (2022–2023): CNIL sanctioned the company for scraping biometric data without a lawful basis and for ignoring orders to delete that data.

Across these decisions, CNIL has made one thing clear: practical outcomes matter more than policies. Regulators examine whether cookies are genuinely blocked, consent is freely given, and personal data is handled proportionately. Poor UX, weak technical enforcement, and noncompliant partners are no longer defensible.

Why French, UK, EU, and U.S. Companies Need CaptainCompliance.com

1. One Platform, Global Coverage: Captain Compliance dynamically applies the correct consent and privacy standards for each visitor—whether under France’s ePrivacy rules, the UK GDPR, or U.S. state privacy laws.

2. Real Tag Governance: Unlike basic cookie banners, Captain Compliance blocks and unblocks scripts in real time until valid consent is captured and withdrawal is enforced.

3. Dark Pattern Defense: Our design templates ensure equal visibility and usability for both acceptance and refusal options, preventing interface-related violations.

4. Audit-Proof Evidence: Every consent, withdrawal, and tag action is time-stamped and stored in an immutable compliance log, ready for regulator review.

5. Vendor Control: Maintain a registry of all third-party tags and enforce consent propagation across partners—critical for advertising, analytics, and affiliate tracking.

6. Extended Compliance Scope: Our platform helps organizations manage not just cookies, but also DSAR workflows, internal data retention, and cross-border transfer policies.

7. Always Updated: As privacy laws evolve and enforcement expands, Captain Compliance automatically updates jurisdictional rules and consent templates to stay compliant without developer intervention.

Bottom Line

The CNIL’s enforcement trajectory—from Amazon’s early cookie case to Google’s account-level defaults and SHEIN’s €150 million penalty—shows that regulators are raising the bar for both design and enforcement. Whether your company operates in Europe or serves international users from the United States, the compliance expectations are now uniform: explicit, informed, and technically enforced consent.

CaptainCompliance.com empowers businesses to meet these obligations proactively, preventing fines before they arise. It’s not just about cookie banners—it’s about building defensible privacy architecture across your entire digital ecosystem.
