France’s CNIL Fines Google $379M and Shein $175M for Breaching Cookie Rules
The French data watchdog, the National Commission on Informatics and Liberty (CNIL), has imposed significant fines on two of the world's largest tech companies, Google and Shein, for violating cookie rules. The CNIL fined Google €325 million ($379 million) and Shein €150 million ($175 million) for breaching European Union regulations regarding online cookies.
The fines are part of a comprehensive compliance strategy initiated by the CNIL over five years ago to ensure that operators of high-traffic websites and services adhere to cookie rules. Despite improvements in compliance, the CNIL remains vigilant, particularly with regard to non-compliant practices such as placing cookies without user consent and the use of "cookie walls," which force users to accept cookies to access online services.
"The two fines imposed on GOOGLE and SHEIN by the restricted committee – the CNIL body responsible for imposing penalties – are part of the overall compliance strategy initiated by the CNIL more than five years ago with regard to cookies, which has targeted in particular operators of high-traffic websites and services," reads the press release published by the CNIL.
Google's Cookie Fine
The CNIL fined Google €325 million ($379 million) for violating cookie rules. The authority reminded Google that user consent for cookies must be clear, informed, and offered in a fair way, without tricks that push people toward one choice. Users need to understand the consequences of their decision fully.
Specifically, the CNIL ruled that Google violated Article L. 34-5 of the French Postal and Electronic Communications Code (CPCE) by showing ads in Gmail's "Promotions" and "Social" tabs without asking for prior consent. The authority considered that displaying such ads required the consent of Gmail users.
"Furthermore, the restricted committee considered that, when creating a Google account, users were encouraged to choose cookies linked to the display of personalised ads, to the detriment of those linked to the display of generic ads and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google's services. Their consent obtained in this context was therefore not valid, which constituted a breach of the French Data Protection Act (Article 82)," reads the CNIL's announcement.
Google must stop showing ads in Gmail without consent and ensure valid cookie consent within six months, or face fines of €100,000 per day of delay.
Shein's Cookie Fine
The CNIL also fined Shein €150 million ($175 million) for multiple cookie violations: placing advertising cookies without consent, showing incomplete banners that lacked purpose details, providing no information on third-party trackers, and offering ineffective refusal and withdrawal options, since cookies kept being set or read.
Although Shein updated its site, the violations still led to penalties. Shein will appeal the CNIL fine, calling it disproportionate and politically driven. The retailer claims full compliance, cooperation since 2023, and improved data protection, but faces growing criticism in France, where a draft law could ban its advertising.
"We consider the fine to be wholly disproportionate, given the nature of the alleged issues, our current full compliance, and the proactive corrective actions we have taken," the fast fashion retailer told Reuters. The CNIL's decision is a significant reminder to companies operating in France to prioritize data protection and transparency when it comes to online cookies.
Conclusion
The CNIL's fines on Google and Shein are a wake-up call for tech companies operating in Europe to ensure compliance with cookie rules. The French data watchdog is committed to protecting user rights and ensuring that companies adhere to regulations designed to promote transparency and fairness online.