Shein, Google hit with fines from French data protection regulator over cookie practices
France’s data protection regulator has levied significant fines against Google and clothing retailer Shein for violating laws that cover internet cookies.
Google was fined €325 million ($379 million) and Shein €150 million ($175 million) — two of the largest penalties ever issued by the agency, the Commission Nationale de l'informatique et des Libertés (CNIL).
The CNIL alleges that the companies failed to obtain user consent prior to tracking them online with advertising cookies, the small text files that follow web users across sites and allow advertisers to target their marketing with greater precision.
The regulator has increasingly zeroed-in on cookie use over the past five years. It is particularly scrutinizing the use of so-called cookie walls, which force users to accept cookies if they want to use a service, according to a CNIL press release issued on Wednesday.
Twelve million people in France visit Shein’s website a month, CNIL said, pointing to the scale of the problem as a driving factor in its decision to levy what it called a “massive” fine.
Shein, which makes most of its fast-fashion products in China, did not adequately inform users of the tracking in addition to failing to obtain their consent, CNIL said in a press release. The company also gave web users few options to withhold consent, the regulator said.
As a result of the probe, Shein has changed its policies to comply with French and European data protection laws, according to CNIL.
A Shein spokesperson issued a statement saying that it will appeal a fine it called "totally disproportionate given the nature of the alleged grievances." The company noted that it has fixed the problem flagged by French regulators.
“The procedure itself was marked by clear bias,” the statement said. “The CNIL acknowledged multiple substantial errors in its own analysis, yet none of these admissions altered the final outcome — confirming that the decision was pre-determined.”
Google showed ads “in the form of emails” and stored them between the "Promotions" and "Social" tabs of the Gmail platform and did so without user consent, CNIL said.
It also pushed anyone setting up a Google account to choose cookies tied to targeted advertising displays without clear notice, CNIL said.
“Users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google's services,” CNIL said, noting that the practice violated French law.
A Google spokesperson did not immediately respond to a request for comment.
Editor's Note: Story updated 11:45 a.m. Eastern U.S. time with statement from Shein.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.