French online privacy watchdogs fined Google and Shein nearly €500 million on Thursday for failing to properly inform internet users about advertising cookies – the tools that track online activity for targeted advertising.
The American company Google and its Irish subsiduary were fined €325 million. Shein, through its Irish arm Infinite Styles Services Co Limited, was fined €150 million.
The National Commission for Information Technology and Civil Liberties (CNIL) said both companies flouted their duty to get the free and informed consent of internet users before placing advertising cookies.
Google was fined for the third time in five years. CNIL inspectors criticised the company and its Irish unit for what they described as repeated negligence.
"The panel finally considered that the companies had been negligent, given that they had previously been sanctioned by the CNIL on two occasions, in 2020 and 2021, for breaches relating to trackers," said CNIL.
Those earlier fines totalled €250 million. CNIL had initially sought a €525 million penalty for the latest violations.
'Cookie wall'
Investigators examined Google’s use of a so-called cookie wall when creating a Google account. This practice makes access conditional on accepting cookies. CNIL said it is not illegal in Google’s case but requires informed user consent, which was not provided.
Google was also accused of inserting advertising banners between emails in its Gmail service for users who enabled "smart features".
CNIL said this affected 53 million people in France. The regulator said the ads "constitute direct marketing" under European case law and should have required prior approval.
Google and its Irish subsidiary were given six months to comply. If not, both face daily fines of €100,000.
Sanction for Shein
Shein said it would appeal to France’s Council of State and to the Court of Justice of the European Union.
The company told French news agency AFP that the penalty was "totally disproportionate given the nature of the alleged grievances". Shein also argued that it had been working to comply with the law.
CNIL said Shein placed advertising cookies on users’ devices as soon as they landed on the site shein.com, even before interacting with the cookie banner. The regulator also faulted Shein for using banners that gave incomplete information.
"The first banner had three buttons labelled 'Cookie settings', 'Reject all' and 'Accept' but did not contain any information about the advertising purpose of cookies," CNIL said.
"A second pop-up window, containing only a button to accept cookies, did not provide any information about their purpose either."
CNIL said it was also too difficult for Shein users to withdraw consent. If they tried, new cookies were still placed and existing ones continued to be read.
