Paris, September 3, 2025 — France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has levied record-breaking fines totalling €475 million against tech giants Google and Shein for violating cookie consent rules under the EU’s General Data Protection Regulation (GDPR).
Google received a €325 million penalty—one of the highest ever issued for privacy violations—after investigators found it displayed ads to Gmail users and placed cookies during the account setup process without obtaining proper consent. The CNIL has also ordered Google to halt these practices, with a potential daily fine of €100,000 if it fails to comply within six months. Google stated that users can already control ad settings and that recent updates have addressed the authority’s concerns.
Meanwhile, online fast-fashion retailer Shein was fined €150 million for placing tracking cookies even after users opted out. CNIL emphasised that users were neither properly informed nor given valid consent options. With 12 million monthly users in France, Shein’s violations were seen as particularly egregious. In its defence, Shein called the fine “wholly disproportionate,” claimed full cooperation since August 2023, and labelled the penalty as politically motivated. The company plans to appeal the decision.
These penalties mark the CNIL’s most stringent measures yet and underscore France’s intensifying crackdown on privacy infringements by global platforms. The fines hit at the core of digital business practices, where user tracking is foundational to advertising models.





