CNIL Imposes Record Fines on Google and Shein for Cookie Consent Violation


Bottom Line Up Front: France's data protection authority delivered a powerful message on September 3, 2025, with record-breaking fines of €325 million against Google and €150 million against Shein for systematic cookie consent violations. These penalties mark the largest cookie-related sanctions in CNIL history and signal an escalation in European privacy enforcement targeting manipulative design practices and inadequate user consent mechanisms.

On September 3, 2025, France's Commission Nationale de l'Informatique et des Libertés (CNIL) announced unprecedented fines that sent shockwaves through the digital advertising industry. Google faces a €325 million penalty, while Shein has been hit with €150 million, marking some of the largest fines ever issued by the CNIL for cookie law violations. These sanctions represent the culmination of extensive investigations into how two of the world's most-visited platforms handle user consent for tracking cookies.

The enforcement action underscores the CNIL's commitment to protecting user privacy rights in an increasingly complex digital ecosystem. It also reflects the escalating enforcement of GDPR and ePrivacy Directive rules in Europe, particularly amid growing concerns over online tracking and data privacy in an AI-driven world.

The Scale of Violations: Millions of Users Affected

The scope of these violations is staggering. Google was found to have affected 53 million French people through its practice of inserting adverts between inbox items in its popular Gmail email service, while Shein had amassed "massive" amounts of data from the cookies it placed on 12 million monthly users' computers in France.

For Google, this is the third major cookie-related fine from the CNIL in recent years, following fines of 100 million euros in 2020 and 150 million euros in 2021. The escalating penalties reflect the regulator's growing frustration with repeated violations and the tech giant's failure to fully address systemic consent issues.

Four Core Violations: A Pattern of Non-Compliance

The CNIL's investigation revealed four critical areas where both companies systematically violated French data protection law, creating a blueprint of what regulators will no longer tolerate in cookie consent practices.

The most egregious violation involved placing tracking cookies on users' devices before obtaining proper consent. Both firms failed to secure users' free and informed consent before setting advertising cookies on their browsers. This practice directly contravenes Article 82 of the French Data Protection Act, which requires explicit consent before non-essential cookies can be deployed.

For Shein, the violations were particularly blatant, with advertising cookies being placed immediately upon users landing on the site, before any interaction with cookie information banners. This "cookie first, ask later" approach fundamentally undermines the consent framework that European privacy law is designed to protect.

Both companies failed to provide clear, comprehensive information about their cookie practices. The CNIL found that cookie banners and information pop-ups lacked crucial details about advertising purposes and failed to identify third parties who would access collected data. This opacity prevents users from making informed decisions about their privacy preferences.

The transparency failures were particularly problematic for Google's Gmail service, where the company inserted advertisements between email items without clearly explaining this practice to users or obtaining specific consent for what the CNIL characterized as "direct canvassing."

3. Broken Withdrawal and Refusal Mechanisms

Perhaps most concerning was the discovery that user attempts to refuse or withdraw consent were systematically undermined. When users clicked "Refuse all" or later tried to withdraw consent, both companies continued to place new cookies and read existing ones. This practice makes a mockery of user choice and directly violates the principle that withdrawing consent must be as easy as giving it.

The Asian low-cost clothing firm failed to secure users' consent or inform them adequately, as well as offering inadequate options to withdraw consent. The technical implementation of these systems appeared designed to capture data regardless of user preferences.

4. Dark Patterns and Manipulative Interface Design

The CNIL specifically called out both companies for designing interfaces that nudged users toward accepting cookies through manipulative design practices known as "dark patterns." These included making refusal options less visible, harder to access, or requiring more steps than acceptance options.

The CNIL especially highlighted the case of a so-called "cookie wall" when creating a Google account, which requires users to accept the tracking software before proceeding. While not illegal per se, the implications were not sufficiently explained to users, who could therefore not provide informed consent.

Understanding Dark Patterns: The Manipulation Tactics Exposed

The CNIL's enforcement action sheds light on sophisticated manipulation techniques that have become endemic in cookie consent interfaces. The CNIL has received complaints about dark patterns on cookie consent banners encouraging data subjects to accept cookies, leading to systematic investigation and enforcement.

Research supports the regulator's concerns about the prevalence of these practices. A 2024 joint study from Karlsruhe Institute of Technology and IT University of Copenhagen also found that 72% of websites use at least one dark pattern. The most common manipulative techniques include:

Visual Manipulation: The reject option is presented in the form of a clickable link whose choice of color, font size, and font style disproportionately emphasizes the acceptance option over the reject option. Accept buttons are typically displayed in bright, attention-grabbing colors while reject options appear in muted gray or low-contrast text.

Spatial Manipulation: The location of the reject option is so embedded in the information that it is not readily apparent. Reject buttons are often hidden in secondary menus or placed in locations where users are unlikely to notice them.

Interaction Complexity: Rejecting cookies often requires twice as many clicks as accepting them, creating artificial friction that discourages users from protecting their privacy.

Language Manipulation: The accept option is presented multiple times in the banner, while the reject option is presented only once and in non-explicit terms ("I decline non-essential purposes"). This creates confusion about what choices users are actually making.

Broader Context: A Pattern of Escalating Enforcement

These latest fines represent the culmination of a multi-year enforcement strategy by the CNIL targeting cookie compliance. The CNIL has stepped up its scrutiny of cookie use, part of "a general strategy of bringing (market players) into line over the past five years, targeting especially sites and services that receive a lot of traffic".

The enforcement pattern shows escalating penalties for repeat offenders. Google's cookie-related fines from the CNIL have grown from €100 million in 2020, to €150 million in 2021, and now €325 million in 2025. This progression reflects both the severity of ongoing violations and the regulator's determination to drive compliance through meaningful financial consequences.

For Shein, the CNIL fine is its first major privacy penalty, but it aligns with broader EU scrutiny of the fast-fashion giant's data practices, including allegations of unauthorized tracking in a 2025 EU consumer law probe.

Technical Requirements and Compliance Deadlines

The fines come with specific technical requirements and tight compliance deadlines. On top of the fines, Google has been ordered to bring its systems into compliance within six months. Failure to comply would draw further penalties of 100,000 euros per day for both Google and its Irish subsidiary.

The CNIL has ordered the companies to implement corrective measures within six months, including ceasing the display of advertisements between emails without user consent and ensuring valid consent for the placement of advertising cookies. These technical requirements address the specific violations identified in the investigation.

Industry Response and Implications

Both companies have indicated they will challenge the decisions. Shein has updated its systems to comply with the CNIL's requirements under French and European law since the investigation. It told AFP that it would appeal the fine, which it said was "totally disproportionate given the nature of the alleged grievances" and its "current compliance" with the legislation.

Google said it would study the decision, and that it has complied with earlier CNIL demands. However, the company's history of repeated violations may limit the effectiveness of such arguments.

The industry response reflects broader concerns about the evolving regulatory landscape. As consumers increasingly demand transparency, these fines signal a broader regulatory push to hold global corporations accountable.

The Broader Impact on Digital Privacy

These enforcement actions represent more than isolated penalties - they signal a fundamental shift in how European regulators approach digital privacy enforcement. The results show that CNIL's action has reduced the intensity of tracking activity for advertising purposes on websites visited by Internet users in France. The proportion of websites depositing more than 6 third-party cookies dropped from 24% to 12% between January 2021 and August 2022.

The enforcement strategy appears to be working. At the same time, the proportion of websites that do not deposit any third-party cookie has increased from 20% to 29%. This demonstrates that regulatory pressure can drive meaningful changes in industry practices.

User awareness and behavior are also evolving. In June 2022, 95% of respondents say they know what cookies are and 52% of them know exactly what recent regulatory changes on the subject are (compared to only 44% in November 2020). This increased awareness puts additional pressure on companies to implement genuinely compliant consent mechanisms.

The CNIL's actions provide clear guidance for the future of cookie consent in Europe. While compliance with obligations regarding the use of cookies is improving, the CNIL remains vigilant, particularly with regard to non-compliant practices such as the placement of cookies without the internet user's consent, but also with regard to growing practices such as the use of "cookie walls".

The regulator has made clear that genuine user choice must be at the center of any compliant consent mechanism. As a reminder, with certain exceptions, cookies can only be used with the consent of data subjects. Moreover, rejecting cookies should be just as easy as accepting them.

Key Takeaways for Digital Businesses

The Google and Shein fines provide several critical lessons for businesses operating in the European digital market:

Prior Consent is Non-Negotiable: Setting any non-essential cookies before obtaining clear user consent is a direct violation that will result in significant penalties.

Transparency Must Be Comprehensive: Cookie information must clearly explain purposes, identify third parties with access to data, and provide specific details about how data will be used.

User Choice Must Be Genuine: Withdrawal and refusal mechanisms must function properly, and interfaces cannot manipulate users toward acceptance through dark patterns.

Compliance is Ongoing: Regular auditing and monitoring of consent mechanisms is essential, as regulators continue to identify new forms of non-compliant practices.
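The auditing point above can be made concrete for two of the violations the CNIL describes: advertising cookies set before any consent choice, and cookies set or read after "Refuse all" or a withdrawal. The following is an added example, not code from the CNIL or either company; the event format, the cookie names and the essential-cookie allowlist are assumptions made for illustration.

```python
# Added example: audit one recorded browser session for consent violations.
# Event format, cookie names and the ESSENTIAL allowlist are assumptions.
from dataclasses import dataclass

# Hypothetical allowlist of strictly necessary cookies (exempt from consent).
ESSENTIAL = {"session_id", "csrf_token", "consent_choice"}

@dataclass(frozen=True)
class Event:
    t: float          # seconds since navigation start
    kind: str         # "set", "read", "accept", "refuse" or "withdraw"
    cookie: str = ""  # cookie name, for "set" and "read" events

def audit(events):
    """Return (time, cookie, finding) tuples for non-compliant cookie use."""
    state = "no_choice"  # becomes "accepted" or "refused" on user action
    findings = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "accept":
            state = "accepted"
        elif ev.kind in ("refuse", "withdraw"):
            state = "refused"
        elif ev.cookie not in ESSENTIAL:
            # Reads before any choice are not flagged: the cookie may date
            # from an earlier session in which consent was given.
            if state == "no_choice" and ev.kind == "set":
                findings.append((ev.t, ev.cookie, "set before consent"))
            elif state == "refused":
                findings.append((ev.t, ev.cookie, f"{ev.kind} after refusal"))
    return findings

# Constructed session timeline (not real capture data).
SESSION = [
    Event(0.1, "set", "session_id"),    # essential: allowed
    Event(0.2, "set", "ad_tracker"),    # placed before banner interaction
    Event(3.0, "refuse"),               # user clicks "Refuse all"
    Event(3.5, "read", "ad_tracker"),   # existing cookie still read
    Event(4.0, "set", "ad_retarget"),   # new cookie placed after refusal
    Event(9.0, "accept"),
    Event(9.5, "set", "ad_tracker"),    # compliant: consent is in place
    Event(20.0, "withdraw"),
    Event(21.0, "set", "ad_tracker"),   # placed after withdrawal
]

if __name__ == "__main__":
    for t, cookie, finding in audit(SESSION):
        print(f"{t:6.1f}s  {cookie:12}  {finding}")
```

In practice the event list would be exported from an instrumented browser run against the site's consent banner, with one run per choice path (no interaction, accept, refuse, withdraw).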

Conclusion: A New Era of Privacy Enforcement

The record fines against Google and Shein mark a watershed moment in European privacy enforcement. These fines signal a broader regulatory push to hold global corporations accountable and demonstrate that even the largest technology companies are not immune from meaningful penalties when they systematically violate user privacy rights.

For the digital advertising industry, these enforcement actions represent both a warning and an opportunity. Companies that proactively implement genuinely user-centric consent mechanisms will be better positioned to build trust with privacy-conscious consumers. Those that continue to rely on manipulative design practices and technical workarounds face escalating regulatory scrutiny and potentially business-threatening penalties.

The CNIL's message is clear: the era of "consent theater" is over. Genuine user choice, transparency, and respect for privacy preferences are no longer optional considerations in digital business models - they are legal requirements that will be rigorously enforced. As the digital economy continues to evolve, companies that embrace these principles will be better positioned for sustainable success in an increasingly privacy-conscious marketplace.
