France’s data protection authority has imposed a €150 million fine on fast-fashion retailer Shein for failing to comply with cookie consent regulations, marking one of the largest penalties ever issued by the regulator.
The Commission Nationale de l’Informatique et des Libertés (CNIL) announced on 1st September that it had sanctioned Infinite Styles Services Co. Limited, Shein’s Irish subsidiary that operates the shein.com website across Europe, following an investigation launched in August 2023.
The regulator found multiple violations of French data protection law, including placing advertising cookies on users’ devices before obtaining consent, providing incomplete information about cookie purposes, and continuing to place cookies even when users clicked “refuse all” or withdrew their consent.
“The size of this fine takes into account the fact the company has ignored several obligations, by depositing cookies without users’ consent, not respecting their choices and not correctly informing them,” the CNIL said in a statement.
The authority said Shein’s massive scale influenced the penalty decision, noting that approximately 12 million French residents visit the website each month. The fine represents around two per cent of the €7.684 billion in revenue that Shein’s Ireland-registered entity reported for Europe in 2023.
During its investigation, the CNIL discovered that Shein displayed two incomplete cookie information banners. The first banner offered options to accept, reject or manage cookie settings but failed to explain the advertising purposes of the tracking files. A second pop-up window only provided an accept button without any information about cookie purposes.
The regulator also found that no information about third-party cookie providers was available in the website’s second-level settings, and that the mechanisms for refusing or withdrawing consent were inadequate.
Shein has strongly contested the decision and announced plans to appeal. “We consider the fine to be wholly disproportionate, given the nature of the alleged issues, our current full compliance, and the proactive corrective actions we have taken,” the company said in a statement.
The Singapore-headquartered retailer, which was founded in China, described the penalty as “politically motivated rather than the result of fair and balanced enforcement”. The company said it had fully cooperated with the CNIL since August 2023 and strengthened all aspects of its data protection practices.
The CNIL noted that Shein had made changes to its website during the proceedings, meaning no compliance orders were necessary. The case falls under French data protection law rather than the European Union’s General Data Protection Regulation, as it relates to the ePrivacy Directive governing electronic communications.
This fine represents the latest action by European regulators against major technology and retail companies over data protection violations, as authorities increasingly scrutinise how businesses collect and use consumer information online.
