News
👉 Non-compliant practices
🛡️ CNIL: €325M for Google & €150M for SHEIN — Enforcement on cookies & consent
Regulator: CNIL
Decision, Google: SAN 2025-004
Decision, SHEIN: SAN 2025-005
⚠️ The CNIL has just severely sanctioned two giants for non-compliant practices on cookies and marketing communications.
🔍 Clear message: no trackers and no “disguised” ads without prior consent (freely given, informed, specific, unambiguous).
🧾 What the CNIL found
• ✉️ Google (€325M): insertion of ads between Gmail emails (Promotions/Social tabs) without prior consent, plus 🍪 cookies set without valid consent during account creation.
⚖️ Injunction: ⏳ 6 months to comply, then 💸 €100,000/day penalty payment (astreinte). (Source: CNIL)
• 🛍️ SHEIN (€150M): 🍪 cookies placed without the user’s consent, 🧩 incomplete banner, ❌ ineffective refusal (“Reject all” did not prevent some trackers), insufficient information about third parties. (Source: CNIL)
📚 Key takeaways (GDPR / ePrivacy)
• 🧭 Legal framework applied: ePrivacy (Article 82 of the French Data Protection Act) and French Electronic Communications Code L.34-5, complementing the GDPR.
✅ Consent must be clear, and refusal as easy as acceptance.
Consent was not informed in the account-creation journey, because nothing indicated that access to Google group services was conditioned on placing advertising-related trackers. (Source: CNIL)
🛠️ To do now
🧪 Test your CMP: 🙅‍♂️ one-click refusal; 🚫🍪 no cookies before consent, except strictly necessary ones.
🔎 Verify choices are respected: 🚫 no setting/reading after “Reject all.”
🧾 Document evidence: 🗂️ consent logs.
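
One way to automate the first two checks, as an added example (not taken from the CNIL decisions or from any CMP vendor): it audits a cookie timeline recorded during a test session and flags trackers seen before any choice or after "Reject all". The event shape, cookie names, domains and the strictly-necessary allowlist are all constructed assumptions.

```javascript
// Added example. Event shape, cookie names and allowlist are constructed assumptions.
// Cookies treated as strictly necessary (exempt from consent) in this hypothetical site.
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "cmp_choice"]);

// Constructed sample: cookie operations observed in a test session on shop.example.
// phase: "before_choice" (banner shown, nothing clicked), "after_reject", "after_accept".
const SAMPLE_EVENTS = [
  { phase: "before_choice", op: "set",  name: "session_id", domain: "shop.example" },
  { phase: "before_choice", op: "set",  name: "_ad_uid",    domain: "ads.example" },
  { phase: "after_reject",  op: "set",  name: "cmp_choice", domain: "shop.example" },
  { phase: "after_reject",  op: "read", name: "_ad_uid",    domain: "ads.example" },
  { phase: "after_reject",  op: "set",  name: "_analytics", domain: "www.shop.example" },
  { phase: "after_accept",  op: "set",  name: "_ad_uid",    domain: "ads.example" },
];

function isFirstParty(domain, site) {
  return domain === site || domain.endsWith("." + site);
}

// Returns one finding per non-exempt cookie operation that happened without consent.
function auditCookieEvents(events, site, allowlist = STRICTLY_NECESSARY) {
  const findings = [];
  for (const e of events) {
    // The exemption only applies to allowlisted names on the site's own domain, so a
    // third party cannot slip through by reusing an allowlisted cookie name.
    if (allowlist.has(e.name) && isFirstParty(e.domain, site)) continue;
    if (e.phase === "before_choice") {
      findings.push({ rule: "TRACKER_BEFORE_CONSENT", ...e });
    } else if (e.phase === "after_reject") {
      findings.push({ rule: "REJECT_NOT_HONOURED", ...e });
    }
    // after_accept: consent was given, nothing to flag.
  }
  return findings;
}

// Counts findings per rule, e.g. for a test report kept alongside the consent logs.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

console.log(summarize(auditCookieEvents(SAMPLE_EVENTS, "shop.example")));
```

In practice the events would come from an instrumented browser run (cookie jar snapshots and request headers per phase) rather than a hand-written array.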