France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has issued record fines against Google and Shein for failing to respect the law on internet cookies. Google has been fined a staggering €325 million, while Shein has been hit with a €150 million penalty. These fines mark the largest cookie-related sanctions in CNIL history and signal an escalation in European privacy enforcement targeting manipulative design practices and inadequate user consent mechanisms.
The CNIL’s investigation revealed that both companies systematically violated French data protection law by deploying cookies before obtaining proper consent, providing inadequate cookie information and transparency, and using dark patterns and manipulative interface design to nudge users toward accepting cookies. Google’s cookie-related fines from the CNIL have grown from €100 million in 2020 to €150 million in 2021 and now €325 million in 2025, reflecting the regulator’s growing frustration with repeated violations and the tech giant’s failure to fully address systemic consent issues.
The fines come with specific technical requirements and tight compliance deadlines. Google has been ordered to bring its systems into compliance within six months, with potential further penalties of €100,000 per day for non-compliance. Shein has updated its systems to comply with the CNIL’s requirements since the investigation but plans to appeal the fine, which it considers “totally disproportionate”.
The CNIL’s enforcement action underscores its commitment to protecting user privacy rights in an increasingly complex digital ecosystem. The record fines against Google and Shein mark a watershed moment in European privacy enforcement, signaling a broader regulatory push to hold global corporations accountable. Companies that proactively implement genuinely user-centric consent mechanisms will be better positioned to build trust with privacy-conscious consumers, while those relying on manipulative design practices face escalating regulatory scrutiny and potentially business-threatening penalties.
