News
Non-compliant practices
CNIL: €325M for Google & €150M for SHEIN — Enforcement on cookies & consent
Regulator: CNIL
Decision, Google: SAN 2025-004
Decision, SHEIN: SAN 2025-005
The CNIL has just severely sanctioned two giants for non-compliant practices on cookies and marketing communications.
Clear message: no trackers and no “disguised” ads without prior consent (freely given, informed, specific, unambiguous).
What the CNIL found
• Google (€325M): insertion of ads between Gmail emails (Promotions/Social tabs) without prior consent, plus cookies set without valid consent during account creation.
Injunction: 6 months to comply, then €100,000/day penalty payment (astreinte). (Source: CNIL)
• SHEIN (€150M): cookies placed without the user’s consent, incomplete banner, ineffective refusal (“Reject all” did not prevent some trackers), insufficient information about third parties. (Source: CNIL)
Key takeaways (GDPR / ePrivacy)
• Legal framework applied: ePrivacy (Article 82 of the French Data Protection Act) and French Electronic Communications Code L.34-5, complementing the GDPR.
• Consent must be clear, and refusal as easy as acceptance.
Consent was not informed in the account-creation journey, because nothing indicated that access to Google group services was conditioned on placing advertising-related trackers. (Source: CNIL)
To do now
• Test your CMP: one-click refusal; no cookies before consent, except strictly necessary ones.
• Verify choices are respected: no setting/reading after “Reject all.”
• Document evidence: consent logs.
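
One way to automate the first two checks above (no non-essential cookies before consent, nothing set or read after “Reject all”), as an added example that is not taken from the CNIL decisions or from this page's author. The capture format, cookie names, hosts and allowlist are all constructed assumptions; in practice the events would come from a browser session recorded while you exercise the banner.

```javascript
// Constructed allowlist of cookies treated as strictly necessary (assumption).
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "consent_choice"]);

// Extract cookie names from a Set-Cookie value ("name=value; attrs": one cookie)
// or from a Cookie request header ("a=1; b=2": several cookies).
function cookieNames(header, isRequest) {
  const parts = isRequest ? header.split(";") : [header.split(";")[0]];
  return parts.map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// Walk the capture in order, tracking the consent phase, and report every
// non-allowlisted cookie set or sent before consent or after "Reject all".
function auditCapture(events, allowlist = STRICTLY_NECESSARY) {
  let phase = "before-consent";
  const findings = [];
  for (const ev of events) {
    if (ev.type === "consent") {
      phase = ev.choice === "accept" ? "accepted" : "rejected";
      continue;
    }
    if (phase === "accepted") continue; // user opted in; out of scope here
    const isRequest = ev.type === "request";
    for (const name of cookieNames(ev.header, isRequest)) {
      if (!allowlist.has(name)) {
        findings.push({ phase, action: isRequest ? "read" : "set", name, host: ev.host });
      }
    }
  }
  return findings;
}

// Constructed capture: page load, then the user clicks "Reject all".
const SAMPLE_CAPTURE = [
  { type: "set-cookie", host: "shop.example", header: "session_id=abc; Path=/; HttpOnly" },
  { type: "set-cookie", host: "ads.example", header: "ad_uid=123; Max-Age=31536000" },
  { type: "consent", choice: "reject" },
  { type: "set-cookie", host: "shop.example", header: "consent_choice=reject; Path=/" },
  { type: "set-cookie", host: "tracker.example", header: "trk=xyz; SameSite=None; Secure" },
  { type: "request", host: "ads.example", header: "session_id=abc; ad_uid=123" },
];

for (const f of auditCapture(SAMPLE_CAPTURE)) {
  console.log(`${f.phase}: ${f.action} ${f.name} (${f.host})`);
}
```

Storing the findings alongside the consent logs gives a dated record of what the banner actually did on each test run.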