The French data protection authority (CNIL) has made an example of the online fashion giant SHEIN, imposing a staggering €150 million fine. The reason: a systematic and severe violation of the cookie rules under the ePrivacy Directive. The ruling, dated September 1, 2025 (Case No. SAN-2025-005), is one of the highest fines ever issued for cookie violations and serves as an unmistakable warning signal to the entire e-commerce industry.
The Case: A Cookie Banner That Failed on Every Level
The CNIL conducted an investigation into the website shein.com and uncovered a whole series of violations. SHEIN argued that the Irish data protection authority was the competent body, as the case involved cross-border data processing under the GDPR. The CNIL rejected this, emphasizing that cookie regulations fall under the ePrivacy Directive, for which there is no “one-stop-shop” mechanism. The existence of a French establishment was sufficient to establish the CNIL’s jurisdiction.
The Authority’s Decision: A Textbook Example of Non-Compliance
The CNIL found that SHEIN’s handling of cookies was unlawful in almost every respect. The key violations serve as a blueprint for the most common mistakes made when implementing consent management platforms:
- Cookies Were Set BEFORE Consent Was Given: Upon visiting the homepage, several cookies, including advertising cookies, were placed on the user’s device before they could even interact with the banner. This is a fundamental breach of the principle of prior consent.
- Consent Was NOT Informed: The cookie banner was vague and incomplete. Users were not clearly informed about the purposes of the cookies or the identity of the third-party providers. Furthermore, the simultaneous display of a banner and a pop-up window created confusion and prevented an informed decision.
- Refusal Was NOT Effective: Even if a user clicked “Reject All” or later withdrew their consent, the website continued to set cookies. The user’s choice was simply ignored on a technical level, which rendered the entire consent process absurd.
The size of the fine was justified by the severity and number of violations, as well as SHEIN’s prominent market position (averaging 12 million monthly visitors in France).
What Does This Ruling Mean for Your Company?
- ePrivacy Violations Are Costly and Can Be Prosecuted Nationally: This ruling makes it clear that national data protection authorities can act independently and with full force in cases of cookie violations. The GDPR’s “one-stop-shop” mechanism offers no protection here.
- “Reject” Must Actually Mean “Reject”: The technical implementation is crucial. A “Reject” button that has no function is not just user-unfriendly; it is a serious legal violation. Regular technical audits of your consent solution are essential.
- Transparency Is Non-Negotiable: A vague description like “to improve your experience” is not sufficient. You must clearly state the purposes and list the third-party providers that set cookies.
- Fines Are Based on the Entire Corporate Group’s Revenue: To determine the scope of the fine, the CNIL used the concept of an “undertaking” as defined in competition law. This means the global revenue of the parent company is used for the calculation, not just that of the local subsidiary.
FAQ: Cookies & ePrivacy – What You Need to Know Now
What is the difference between the ePrivacy Directive and the GDPR?
The ePrivacy Directive (often called the “cookie law”) specifically regulates the protection of privacy in electronic communications, including the use of cookies. The GDPR governs the general processing of personal data. Both apply in parallel.
What are the core requirements for a compliant cookie banner?
1. No non-essential cookies before active consent.
2. Clear and understandable information about purposes and providers.
3. An option to reject that is as easy as the option to accept.
4. The technical implementation must respect the user's choice.
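As an added example (not part of the original post and not CNIL or SHEIN material), the following JavaScript check turns requirements 1 and 4 above, and the "regular technical audits" advice earlier, into a repeatable test: it takes cookie snapshots in document.cookie format captured before the user interacts, after "Reject All" and after withdrawal, and lists every non-essential cookie present where none should be. The snapshot strings and the essential-cookie allowlist are constructed assumptions.

```javascript
// Added example (not CNIL's or SHEIN's code): audit cookie snapshots captured
// at the three moments the ruling turns on. Snapshot strings are in
// document.cookie format ("name=value; name2=value2") and are constructed here.
const ESSENTIAL_COOKIES = new Set(["session_id", "cart", "csrf_token"]); // assumed allowlist

// Which rule each phase tests, in the order the decision lists them.
const PHASES = [
  ["beforeInteraction", "prior consent: no non-essential cookie before the user acts"],
  ["afterReject", "effective refusal: 'Reject All' must leave no non-essential cookie"],
  ["afterWithdrawal", "effective withdrawal: revoking consent must remove them too"],
];

// Parse a document.cookie-style string into a Map of cookie names to values.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");
    jar.set(eq === -1 ? pair : pair.slice(0, eq), eq === -1 ? "" : pair.slice(eq + 1));
  }
  return jar;
}

// Return one finding per non-essential cookie present in a phase where none is allowed.
function auditConsentSnapshots(snapshots, essential = ESSENTIAL_COOKIES) {
  const findings = [];
  for (const [phase, rule] of PHASES) {
    if (!(phase in snapshots)) continue; // phase not captured: nothing to judge
    for (const name of parseCookieString(snapshots[phase]).keys()) {
      if (!essential.has(name)) findings.push({ phase, cookie: name, rule });
    }
  }
  return findings;
}

// Constructed snapshots mirroring the pattern described in the decision:
// an advertising cookie is set on first load and survives "Reject All".
const SAMPLE_SNAPSHOTS = {
  beforeInteraction: "session_id=s1; _ads_tracker=t9; cart=3",
  afterReject: "session_id=s1; _ads_tracker=t9; _analytics=a1; cart=3",
  afterWithdrawal: "session_id=s1; cart=3",
};

const sampleFindings = auditConsentSnapshots(SAMPLE_SNAPSHOTS);
console.log(sampleFindings.length === 0 ? "compliant" : sampleFindings);
```

Because document.cookie does not expose HttpOnly cookies, take the snapshots from the browser's developer tools or a HAR export rather than from page script so server-set cookies are audited as well.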
Is it enough if my consent tool provider claims to be compliant?
No. As the website operator, you are the primary party responsible. You must ensure the correct configuration and technical functionality of the tool and review it regularly.
Which cookies do not require consent?
Only those that are technically essential for the basic functioning of the website or for a service explicitly requested by the user (e.g., the shopping cart cookie).
Where can I get support for reviewing my cookie banner?
You can request support for reviewing your cookie banner through our contact form.
Conclusion: A Wake-Up Call for Technical and Legal Diligence
The SHEIN case is more than just another large fine. It is a detailed analysis of everything that can go wrong when obtaining user consent. The CNIL’s decision shows that the era of superficial “cookie banner cosmetics” is over. Authorities are looking deep into the technical implementation and penalizing shortcomings with a severity that can be existentially threatening to businesses. Every company is now called upon to review its own practices for not only legal but also technical compliance.