The French data protection authority (CNIL) has imposed an administrative fine of €150 million on SHEIN for violations of the GDPR and the ePrivacy Directive related to the use of cookies. The decision concerned, in particular, the placement of cookies without valid user consent and the implementation of consent mechanisms that made it significantly more difficult to refuse cookies than to accept them.
CNIL found that users of the SHEIN website were able to easily consent to cookies, while the option to refuse them required additional steps and was not equally accessible. As a result, consent could not be considered freely given, as required under GDPR principles. Moreover, certain cookies were placed before any choice had been made by the user, which constitutes a direct infringement of applicable data protection rules.
In its decision, CNIL reiterated that:
-
the options to “accept” and “reject” cookies must be presented in an equivalent and symmetrical manner,
-
refusing cookies must be as simple as giving consent,
-
analytics and marketing cookies cannot be placed by default without prior user consent.
This case forms part of a consistent enforcement trend across the European Union, where data protection authorities increasingly focus on cookie compliance and online tracking practices. Regulators continue to treat unlawful cookie deployment as a serious infringement, even when no other personal data breach occurs.
For website operators and online service providers, the decision serves as a clear reminder that cookie compliance remains one of the most frequently audited areas under the GDPR, and that shortcomings in consent mechanisms may result in substantial financial penalties.