
Cookie compliance crackdown: SHEIN fined €150 million by CNIL

30 September 2025
Conor Moran and Francis Katamba

A significant warning shot to retailers echoed across Europe this month, with CNIL fining SHEIN €150 million for failing to comply with French law in relation to cookies compliance.

The French Data Protection Authority imposed this significant fine on INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary of the SHEIN group. 

Background 

CNIL investigated "shein.com" in August 2023 to chart a user’s journey on the website. This investigation identified potential non-compliance with the French Data Protection Act in relation to cookies. Following the inspection of the website and engagement with SHEIN, CNIL issued a report notifying SHEIN of infringements of Article 82 of the French Data Protection Act.

CNIL noted that the fine against SHEIN is part of its overall compliance strategy initiated more than five years ago regarding cookies. CNIL has targeted particular operators of high-traffic websites and services. 

This mirrors the approach of the Information Commissioner’s Office (ICO) in the UK issuing warning letters to non-compliant websites in late 2023 and in 2024. These letters were sent to the most visited websites in the UK regarding breaches of UK data protection laws in relation to cookies.

The companies were provided 30 days to bring their cookie framework into compliance.

French Data Protection Act and Equivalent UK Law Provision

The EU ePrivacy Directive was transposed into French Law through the French Data Protection Act. Article 82 of the French Data Protection Act states that a user of electronic communications services must be informed in a clear and comprehensive manner by the controller or representative regarding: 

  • The purpose of any cookie; and
  • The means of refusing cookies.

It also provides that cookies can only be placed where the user has expressly provided their consent after receiving this information.

In the UK, the EU ePrivacy Directive was implemented through the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR). PECR similarly requires users to give their informed and specific consent before cookies are stored on their devices.

Breaches of cookies laws by SHEIN

CNIL held that SHEIN’s cookie framework was non-compliant on the following grounds:

  • Failure to obtain users’ consent before placing cookies: Several cookies placed by SHEIN, particularly advertising cookies, were placed on user devices visiting the website immediately on arrival. These cookies were placed before the user was provided with the cookie banner.
  • Incomplete cookie banners: Both cookie banners displayed on the website were non-compliant. The first banner had three separate options labelled "Cookie settings", "Reject all" and "Accept". However, it did not contain any detail in relation to advertising cookies. A second cookie banner only displayed a button to accept cookies, and did not provide any information about the purposes of the cookies.
  • Insufficient information on third parties: After clicking “Cookie settings”, no information was provided on the identity of third parties likely to place cookies.
  • Failure to allow refusal and withdrawal of consent: If a user clicked "Reject all", or withdrew their consent, new cookies were still placed and other cookies already placed were not removed.

Calculation of fine

CNIL stated that the fine reflected the following key considerations:

1. The company's failure to meet multiple regulatory requirements, including deploying cookies without user consent, disregarding user preferences, and providing inadequate information to users. 

2. CNIL’s regulatory committee emphasised that since 2020, it has consistently penalised organisations for similar non-compliance in relation to cookies and has publicised these decisions. 

3. The substantial scale of the data processing activities by SHEIN given the company's dominant position in the online fast-fashion market. CNIL specifically highlighted the approximately 12 million French residents accessing the "shein.com" website monthly.

UK Data (Use and Access) Act 2025

A key consideration for retailers in the UK is the set of changes to PECR regarding cookie consent requirements under the UK Data (Use and Access) Act 2025 (DUAA). These changes (once in effect) will allow organisations to set some types of cookies without having to get consent, provided specific conditions are met.

The DUAA will significantly increase the maximum fines for breaches of PECR. The maximum fine for a breach of PECR is to increase from £500,000 to £17,500,000, or 4% of the organisation's total annual worldwide turnover from the preceding financial year. This will bring the level of potential fines for PECR breaches in line with GDPR.

Once this comes into effect, the potential consequences for retailers for non-compliance in relation to cookies will be far more severe.

Key takeaways for retailers

On the back of this CNIL fine imposed on SHEIN for a non-compliant cookie framework, all retailers must implement the following key measures:

1. Conduct an immediate cookie audit

This should include:

  • Mapping all cookies currently deployed on your website;
  • Identifying which cookies are placed before consent is obtained;
  • Reviewing third-party cookie providers and their compliance status; and
  • Assessing whether current cookie categories align with legal requirements.

2. Review and update cookie banners

Retailers need to ensure cookie banners:

  • Provide clear information about advertising cookies and their purposes;
  • Offer genuine choice with equally prominent "Accept" and "Reject" options; and
  • Include comprehensive details about cookie purposes before consent is requested.

3. Implement robust consent mechanisms 

Retailers must:

  • Ensure no cookies are placed before user consent is obtained;
  • Implement technical controls to prevent automatic cookie deployment; and
  • Ensure user preferences are respected, including having technical measures in place to allow a user to reject cookies or withdraw their consent.

4. Ensure third-party transparency 

Retailers must provide:

  • Clear identification of all third-party cookie providers;
  • Detailed information about what data these third parties collect; and
  • Easy-to-understand explanations of how third-party cookies are used.

5. Ensure awareness of increased PECR penalties within the business

Given the upcoming legislative changes in the UK, retailers should:

  • Treat cookie compliance as a genuine high-priority business risk, and raise this change in the risk profile with key internal stakeholders;
  • Allocate appropriate resources to ensure ongoing compliance; and
  • Establish regular monitoring and review processes in relation to their cookie compliance framework.

6. Monitor regulatory developments 

Retailers should watch out for the commencement date for the upcoming DUAA provisions in relation to cookies, and any regulatory guidance from the ICO.

Conclusion

Cookie compliance is often viewed by organisations as an afterthought and a low-risk area with minimal enforcement. The €150 million fine imposed on SHEIN by CNIL should set alarm bells ringing for all DPOs and compliance teams of retailers. This reflects a clear regulatory focus on websites with heavy traffic, which will encompass many retailers.

In assessing the level of fine, CNIL also took into account the fact that companies are now expected to have a strong understanding of cookie compliance. All retailers are now on notice that a robust cookie compliance framework is expected and should implement the measures noted above to ensure compliance.

Further steps

Finally, it is also worth highlighting the potential impact on digital marketing campaigns and other important interactions which rely upon website functionality. As well as imposing a heavy fine, regulatory intervention is likely to severely disrupt these key business operations. 

Given the incoming increase in the level of fines the ICO can impose for breaches of PECR, all UK retailers need to undertake a detailed cookie audit to ensure the business’s approach to cookies is compliant with PECR.

Looking at the broader picture, businesses should already be preparing to address changes to the UK’s data protection regime introduced by the DUAA. These important changes mean that businesses need to review their data flows and update processes dealing with data sharing arrangements, complaints handling and transparency requirements such as privacy notices. We would recommend that reviewing cookie compliance also forms part of this data audit.

Contact

Conor Moran

Associate

conor.moran@brownejacobson.com

+44 (0)330 045 2926


Francis Katamba

Partner

francis.katamba@brownejacobson.com

+44 (0)330 045 2725
