26 September 2025

When The Cookie Crumbles: Lessons From The CNIL

Lewis Silkin


In September 2025, France's data protection authority (the CNIL) raided the digital cookie jar, handing down hefty financial penalties to tech giant Google and fast-fashion powerhouse Shein. According to the CNIL, both companies failed to comply with regulations on the use of cookies – those tiny bits of data that file and track users online.

Background

In 2019, the CNIL "initiated an action plan by publishing guidelines and a recommendation on the use of cookies" to clarify how organisations must deploy cookies and similar tracking technologies placed on user devices. The objective was two-fold: to ensure compliance with the applicable legal framework and to guarantee that internet users receive transparent and clear information about the trackers deposited on their devices, in keeping with Article 82 of the French Data Protection Act (French DPA).

Throughout 2020, the CNIL's restricted committee (the body entrusted with the authority's sanctioning power) handed down a series of headline-grabbing fines against operators of high-traffic websites and online services that were found to have breached their cookie and advertising obligations. (For more information see our articles on dark patterns in cookie banners, lack of a reject all button and as easy to reject as accept cookies.) Most recently, Google and Shein have received financial penalties because, in the view of the CNIL, they failed to provide users with clear, comprehensive information on the use of cookies and targeted advertising on their platforms.

From inbox to ad-box

Gmail, Google's widely used web-based email service, became the focus of the investigation following a complaint filed by privacy advocacy group noyb in August 2022. This complaint triggered an inquiry into Google's approach to email-based advertising. At the heart of the investigation was a subtle yet significant issue: the apparent integration of advertising messages directly into user inboxes without obtaining their consent.

The CNIL found that Google Ireland Limited and Google LLC had embedded ads "in the form of emails among the emails in the 'Promotions' and 'Social' tabs of the Gmail messaging service". These ads were displayed "in a space normally reserved for private emails" and appeared to be styled as "genuine emails", blurring the line between marketing and private correspondence. This practice constituted direct email marketing, triggering the consent requirements set out in Article L.34-5 of the French Postal and Electronic Communications Code (CPCE). The CNIL found that Google did not obtain this consent and so its advertising practices were in violation of the CPCE.

The CNIL identified a further infringement in relation to Article 82 of the French DPA. Users were unable to provide consent freely as "it was more difficult to refuse cookies linked to personalised advertising than to accept them". Beyond this, the CNIL also found that users were not "clearly informed" about the use of cookies for displaying ads "during the account creation process". On this basis, the CNIL considered that access to Google's services was conditional on the acceptance of these cookies, rendering any consent invalid under Article 82 of the French DPA.

Interestingly, in its decision the CNIL made clear that such practices would not be "illegal provided consent is freely given. The various alternatives offered to the user must therefore be presented in a balanced manner, without encouraging them to choose one option over another (for example, by making one choice more complex than the other). Consent must also be informed, i.e. individuals must have a complete and clear understanding of the consequences of their choices."

In response to the CNIL's investigation, and to address the concerns raised, Google implemented two changes: visual changes aimed at reducing the risk of confusion between genuine emails and advertising content, and the addition of a button designed to make it easier to refuse consent to personalised ads. However, the CNIL found these adjustments insufficient, as users were still unable to clearly distinguish between personal and advertising emails, leaving the core issue of obtaining "informed consent" unresolved.

In determining the penalty, the CNIL noted the number of individuals affected by the breach, i.e. 74 million Gmail accounts, of which 53 million users had ad emails displayed in the "Promotions" or "Social" tabs of their accounts. The CNIL also highlighted Google's position as a central player within the online advertising market, particularly given that a large proportion of the company's revenue is derived from contextual and targeted ads. Given this, on 1 September 2025 two fines totalling €325 million were imposed, together with an order "requiring the companies to implement, within six months, measures to cease displaying advertisements between emails in the Gmail service users' mailboxes without prior consent and to ensure valid consent from users for the placement of advertising cookies when creating a Google account. Failing this, the companies will each have to pay a penalty of €100,000 per day of delay".

A fashion faux pas

On 1 September 2025, the CNIL imposed a €150 million fine on INFINITE STYLES CO. LIMITED, the Irish subsidiary of the SHEIN group, following an investigation launched in August 2023 into the Shein group's primary website, shein.com. The investigation uncovered several infringements of Article 82 of the French DPA, with four primary areas of non-compliance cited:

  1. Failure to obtain user consent before placing cookies: The CNIL found that as soon as a user landed on the website, a constellation of cookies, including advertising cookies, was automatically deposited on their device. Crucially, this occurred before the user had any meaningful opportunity to interact with the site or even read the cookie banner.
  2. Incomplete information banners: The investigation revealed the presence of two "interfaces related to the management of cookies" which fell short of the legal requirements. The first banner failed to contain any information about the "advertising purpose of cookies", while the second, a "pop-up window" offered only a prompt to accept cookies without clearly explaining their purpose in plain language.
  3. Insufficient second layer information: The CNIL found a lack of second-level information regarding the identity of third parties "likely to place cookies" on user devices. This omission left users uninformed about who was collecting their data and for what purpose.
  4. Inadequate mechanisms for refusing and withdrawing consent: Even when a user selected an option to refuse all cookies or later attempted to withdraw consent, new cookies continued to be set, and those already stored on the device remained active, continuing to collect data. The CNIL categorised this practice as a failure to provide a mechanism for refusing and withdrawing consent, reiterating that valid consent must be as easy to retract as it is to give.

The CNIL cited several reasons for issuing the fine. These included the number and nature of the breaches, the mass scale of the processing involved on shein.com, which has an average of 12 million monthly visitors from France, and the company's significant market share. The penalty was designed to reflect both the seriousness of the violations and the importance of upholding user rights in the digital marketplace. The case demonstrates that regulators are prepared to act when digital rights are undermined.

Key takeaways

The CNIL's spotlight on cookies is not dimming any time soon, and proactive, demonstrable compliance is the price of admission to the French digital market. The CNIL has imposed large fines for non-compliance over a number of years, so it is essential for any business operating in France to ensure compliance by conducting regular cookie audits, improving cookie banners, documenting processing activities, and validating consent management platforms against the CNIL's guidance and decisions. By doing so, businesses can substantially mitigate enforcement risk and preserve user trust.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
