France’s data watchdog fined Google $379M (€325 million) and Shein $175M (€150 million) for breaching cookie rules.
The French data watchdog, the National Commission on Informatics and Liberty (CNIL), fined Google $379 million (€325 million) and Shein $175 million (€150 million) for violating cookie rules.
“The two fines imposed on GOOGLE and SHEIN by the restricted committee – the CNIL body responsible for imposing penalties – are part of the overall compliance strategy initiated by the CNIL more than five years ago with regard to cookies, which has targeted in particular operators of high-traffic websites and services.” reads the press release published by the CNIL.
“While compliance with obligations regarding the use of cookies is improving, the CNIL remains vigilant, particularly with regard to non-compliant practices such as the placement of cookies without the internet user’s consent, but also with regard to growing practices such as the use of “cookie walls”, which consist of making the acceptance of the placement of cookies on the users’ device a condition to access to a service.”
Since 2020, CNIL has imposed sanctions on organizations violating cookie rules under Article 82 of the French Data Protection Act. While compliance has improved, the authority remains alert to abuses such as placing cookies without user consent and the growing use of “cookie walls,” which force users to accept cookies to access online services.
The CNIL reminded Google that user consent for cookies must be clear, informed, and offered in a fair way, without tricks that push people toward one choice. Users need to understand the consequences of their decision fully. The authority also ruled that Google violated Article L.34-5 CPCE by showing ads in Gmail’s “Promotions” and “Social” tabs without asking for prior consent, an issue it had already flagged in a recent case against Orange.
“The investigations revealed that GOOGLE IRELAND LIMITED and GOOGLE LLC displayed advertisements in the form of emails among the emails in the “Promotions” and “Social” tabs of the Gmail messaging service. The restricted committee – the CNIL body responsible for imposing sanctions – considered that the display of such advertisements required the consent of Gmail users, in accordance with Article L. 34-5 of the French Postal and Electronic Communications Code (CPCE).” reads the CNIL’s announcement.
“Furthermore, the restricted committee considered that, when creating a Google account, users were encouraged to choose cookies linked to the display of personalised advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google’s services. Their consent obtained in this context was therefore not valid, which constituted a breach of the French Data Protection Act (Article 82).”
Google must stop showing ads in Gmail without consent and ensure valid cookie consent within six months, or face €100,000 daily fines for delays.
The CNIL sanctioned Shein for multiple cookie violations: placing ads cookies without consent, incomplete banners lacking purpose details, no info on third-party trackers, and ineffective refusal/withdrawal options as cookies kept being set or read. Though Shein later updated its site, the violations still led to penalties.
Shein will appeal the CNIL fine, calling it disproportionate and politically driven. The retailer claims full compliance, cooperation since 2023, and improved data protection, but faces growing criticism in France, where a draft law could ban its advertising.
“We consider the fine to be wholly disproportionate, given the nature of the alleged issues, our current full compliance, and the proactive corrective actions we have taken,” the fast fashion retailer told Reuters.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Google)