France Slaps Google, Shein With Huge Fines for Cookie Breaches
Google and Shein breached EU cookie rules, French data protection authority CNIL announced Wednesday, issuing fines of 325 million euros ($379 million) and 150 million euros ($175 million), respectively.
Shein blasted the decision and said it will appeal. Google said it's reviewing the order.
The Google fine arose from a complaint that privacy organization None of Your Business (noyb) filed in 2022 relating to the Gmail messaging service and the process of creating Google accounts, CNIL said.
CNIL's investigations showed that Google Ireland and Google displayed ads in the form of emails in the "Promotions" and "Social" tabs of the Gmail messaging service. Such ads need the consent of Gmail users under France's Postal and Electronic Communications Code, the regulator said.
CNIL also found that when users created Google accounts, they were encouraged to choose cookies linked to the display of personalized ads, to the detriment of those linked to the display of generic ads, and that users weren't clearly told that placement of cookies for advertising purposes was a condition of being able to access Google's services. As such, the consent wasn't valid under the French Data Protection Act.
In addition to the fine, Google and Google Ireland were ordered to correct their cookie violations within six months or face penalties of 100,000 euros per day.
The Google fines were high because the cookie breaches affected more than 74 million accounts and because Gmail, the second-most widely used email account service in the world, generates most of its profits from contextual and targeted advertising, CNIL said.
It also found that the two Google companies were negligent, given that they had been sanctioned by CNIL in 2021 and 2022 for cookie-related violations.
"We're reviewing the decision," a Google spokesperson emailed us Thursday.
"People have always been able to control the ads they see in our products," the spokesperson said. As CNIL acknowledged, Google said, it has "made additional updates to address their concerns, including an easy way to decline personalized ads in one click when creating a Google account, and changes to the way ads are presented in Gmail."
Noyb Chairman Max Schrems cheered the decision. "Google tried to sneak commercial emails into the inboxes of Google users," he posted Thursday. "This is only allowed if you obtain consent -- a fact the CNIL has now confirmed."
Shein's fine was based on the company's failure to comply with rules applicable to cookies placed on devices of users visiting the shein.com website, the watchdog said.
The website, which sells clothing, shoes and accessories, is managed in Europe by Infinite Styles, based in Ireland.
CNIL inspected the website in August 2023, finding that Shein failed to obtain users' consent before placing cookies and displayed two incomplete information banners.
In addition, the site contained no information on the identity of third parties likely to place cookies when users clicked the cookie-settings button. Mechanisms for refusing and withdrawing consent were also inadequate, CNIL said.
The amount of the fine recognized the "massive scale" of Shein's data processing, given the company's central position in the online ready-to-wear clothing sector and the fact that about 12 million people in France visit shein.com every month, CNIL said.
Shein "firmly contests the CNIL's decision and will file an appeal," a spokesperson emailed us Thursday. The company considers the fine "wholly disproportionate, given the nature of the alleged actions, our current full compliance, and proactive corrective actions we have taken."
Shein accused the procedure of being "marked by clear bias," saying it acknowledged many substantial errors in its own analysis that didn't alter the final outcome, confirming the decision was predetermined.