French regulator fines SHEIN's subsidiary €150 million for cookie violations

The Commission nationale de l'informatique et des libertés (CNIL) imposed a €150 million fine on INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary of the SHEIN group, on September 1, 2025. The penalty targets violations of Article 82 of the French Data Protection Act, which governs cookie consent requirements.

CNIL's restricted committee concluded that Shein's French website deployed advertising and analytics cookies before users could express consent. According to the decision document, during an online monitoring mission conducted on August 10, 2023, CNIL delegation identified multiple cookie violations on the shein.com domain.

The fine represents CNIL's third-highest penalty to date, following record-breaking enforcement actions against technology companies in 2025. French data protection authorities have increasingly targeted deceptive cookie practices, demonstrating intensified scrutiny of digital advertising technologies across European markets.

Technical violations identified during inspection

CNIL's investigation revealed ten cookies placed on user terminals without prior consent collection. The violations included three advertising cookies (_pinterest_ct_ua, _pin_unauth, and muc_ads), six advertising capping cookies (no_pop_up_fr, hideCoupon, hideCouponId_time, hideCouponWithRequest, revisit_canshow, and have_show), and one audience measurement cookie (cookieId) with a 10-year lifespan.

According to CNIL documentation, the company's French subdomain employed "two ways of collecting consent to the deposit and reading of cookies on their terminals." The investigation found coexisting cookie banner and pop-up advertising window interfaces that created "confusion for the user" regarding consent collection.

The enforcement action focused specifically on cookie placement during user visits to the French subdomain of shein.com from terminals located in France. The decision establishes CNIL's territorial jurisdiction based on the existence of INFINITE STYLES ECOMMERCE FRANCE, a wholly-owned subsidiary promoting the SHEIN brand through offline marketing activities including fashion shows and pop-up shops.

CNIL's technical assessment identified multiple compliance failures in consent collection mechanisms. The cookie banner provided incomplete information about tracking purposes, stating only that cookies were deployed to "offer content tailored to your interests" without specifying advertising tracking across multiple websites. The pop-up window offered unconditional cookie acceptance as the only navigation option while failing to mention refusal mechanisms.

Ineffective consent withdrawal and refusal mechanisms

The investigation documented continued cookie operations despite user rejection. According to CNIL findings, after users clicked the "Refuse All" button and closed promotional pop-ups, advertising capping cookies were nevertheless deposited on their terminals. The authority noted that 32 cookies remained active following expressed refusal, with additional cookies placed after pop-up window interactions.

CNIL testing revealed that consent withdrawal mechanisms failed to prevent ongoing cookie operations. The authority found that 75 cookies were initially placed after consent acceptance, but 85 cookies remained active after withdrawal attempts through the consent management platform. The investigation documented continued reading of advertising, advertising capping, and non-exempt audience measurement cookies despite withdrawal requests.

The decision highlighted particularly serious violations regarding third-party cookie management. According to CNIL analysis, "10 additional cookies were also deposited on the user's terminal after that withdrawal, including cookies for advertising purposes deposited by '.shein.com' and third parties." The authority determined that new third-party advertising cookies from domains including bing.com were placed after consent withdrawal, demonstrating systematic disregard for user choices.

French enforcement precedent established that website publishers authorizing third-party cookie deployment must ensure partner compliance with withdrawal requests. CNIL referenced Conseil d'État jurisprudence requiring publishers to "implement the measures necessary to ensure that new requests to third-party domains were stopped from being made" following consent withdrawal.

Information disclosure and controller identification failures

CNIL determined that consent collection mechanisms failed to meet informed consent standards under GDPR Article 4(11). The investigation found that the consent management platform's second-level information did not identify third-party controllers placing advertising cookies on user terminals. According to the decision, "no information is provided as to the identity of those third parties, which does not sufficiently clarify the scope of the consent given."

The authority noted that valid consent requires data subjects to know "at least the identity of the controller and the purposes of the processing for which the personal data are intended," referencing GDPR Recital 42. CNIL's analysis concluded that users could not provide informed consent without understanding which companies would access their data through cookie deployment.

During hearings conducted on October 5, 2023, INFINITE STYLES ECOMMERCE FRANCE confirmed its promotional activities targeting French consumers. The subsidiary reported local events to other SHEIN entities, enabling targeted online advertising campaigns directing recipients to shein.com for purchases. CNIL determined this promotional relationship established sufficient connection between French operations and cookie processing to support territorial jurisdiction.

Financial penalty calculation methodology

CNIL applied GDPR Article 83 criteria to determine the €150 million penalty amount. The authority considered the processing's massive scale, noting that shein.com received "more than 20 million visits from French territory between January and July 2023" with approximately 12 million unique monthly visitors. The decision characterized this volume as reflecting "the central place occupied by the company in the online ready-to-wear sales sector in France."

The penalty calculation incorporated the concept of "undertaking" under competition law, as established by Court of Justice of the European Union jurisprudence in December 2023. CNIL determined that INFINITE STYLES SERVICES CO. LIMITED and parent company ROADGET BUSINESS PTE LTD constitute a single economic entity, justifying consideration of the Singapore-based parent's turnover for proportionality assessment.

According to the decision, ROADGET BUSINESS PTE LTD recorded 2023 turnover of US dollars "[...]" (approximately EUR "[...]") with profits of USD "[...]" (approximately EUR "[...]"). The authority noted the €150 million penalty appears "appropriate" given the company's financial capacity and the violations' proven seriousness.

CNIL rejected INFINITE STYLES SERVICES' arguments that financial advantages from non-compliant cookie practices were undemonstrated. The authority determined that advertising personalization enabled by unlawful cookie deployment "makes it possible to significantly increase the visibility of these goods and increase the likelihood that they will be purchased." The decision noted that Pinterest tracking cookies enabled optimization of marketing expenditure through campaign analysis.

Procedural challenges and defense arguments

INFINITE STYLES SERVICES disputed CNIL's jurisdiction, arguing that cross-border processing fell under Irish authority oversight through GDPR's one-stop-shop mechanism. The company contended that cookies collected personal data subject to GDPR rather than ePrivacy Directive provisions transposed into French law.

CNIL rejected jurisdiction challenges, referencing Conseil d'État precedent establishing French authority competence over cookie operations targeting French users. The decision cited the January 2022 Google ruling confirming that "the one-stop-shop system provided for by the GDPR is not applicable" to ePrivacy Directive implementation measures. The authority noted that cookie deposit and reading operations fall within ePrivacy scope, while subsequent personal data processing triggers GDPR provisions.

The company challenged the restricted committee's impartiality, arguing insufficient separation between policy-setting plenary formation and sanctioning restricted formation. CNIL dismissed these procedural arguments, referencing April 2023 Conseil d'État precedent regarding independent administrative authority internal organization. The authority noted that similar organizational structures were validated for other regulatory bodies including ARCEP.

INFINITE STYLES SERVICES requested additional preparation time, English-language documentation, and earlier file access. CNIL determined that one-month response periods provided adequate defense opportunities given the case's straightforward nature and precedential sanctions for similar violations since 2020. The authority noted that most procedural documents were previously submitted by the company during inspection phases.

Compliance measures implemented during proceedings

According to CNIL findings, INFINITE STYLES SERVICES implemented corrective measures throughout the enforcement procedure. The company ceased deploying contested cookies without prior consent collection and modified its consent banner to specify tracking purposes. The pop-up window was reconfigured to eliminate cookie consent collection functionality.

The decision noted that consent management platform modifications included third-party controller identification and enhanced purpose descriptions. INFINITE STYLES SERVICES implemented mechanisms preventing cookie reading operations following consent withdrawal and established processes blocking third-party domain requests after refusal expression.

CNIL determined that these compliance measures eliminated the need for injunctive orders originally proposed by the rapporteur. The authority noted that violations were no longer ongoing at the time of deliberation, focusing penalty determination on deterrent and proportionate financial sanctions.

European enforcement context and implications

The SHEIN penalty emerges amid intensified European cookie enforcement. German courts have clarified consent requirements for tag management systems, while Dutch authorities have imposed multiple fines for similar violations throughout 2024 and 2025.

Recent GDPR enforcement statistics show authorities have imposed over 6,680 fines totaling approximately €4.2 billionsince implementation. Ireland's data protection authority has levied the highest total penalties at €2.8 billion, while Luxembourg follows at €746 million. The SHEIN fine positions France among the most active GDPR enforcement jurisdictions.

Cookie consent violations have emerged as primary enforcement targets across European markets. Recent actions include substantial penalties against major retailers for pre-ticked consent boxes and complex rejection processes. Regulatory focus on deceptive interface design has intensified throughout 2025, with multiple authorities targeting dark patterns in consent collection.

The SHEIN enforcement demonstrates regulatory coordination across European markets addressing global technology companies. French competition authorities recently imposed a €150 million fine on Apple for anticompetitive App Tracking Transparency implementation, while German courts have addressed Google Tag Manager consent requirements in parallel proceedings.

Marketing industry implications

The penalty affects programmatic advertising practices across European markets. Cookie consent enforcement has emerged as a critical compliance area for international retailers operating multi-market digital advertising campaigns. The SHEIN case establishes precedent for substantial financial exposure when consent mechanisms fail to meet technical requirements.

Marketing technology implementations face heightened scrutiny regarding pre-consent data collection. The decision clarifies that audience measurement cookies with extended lifespans require user consent, challenging industry practices around analytics deployment. Tag management systems must implement consent initialization mechanisms preventing data collection before authorization.

European privacy advocacy organizations have increased complaint filing, contributing to enforcement escalation. None of Your Business (NOYB) reported filing 210 complaints leading to over €2 billion in GDPR fines during 2023. The organization's systematic approach to identifying consent violations has driven regulatory action across multiple markets.

Third-party cookie management has become a particular enforcement focus, with authorities requiring publishers to ensure partner compliance with withdrawal requests. Consent management platforms must provide granular controller identification and purpose specification to meet informed consent standards. The SHEIN case demonstrates that global retailers cannot rely on generic privacy policies for French market operations.

Timeline

• July 31, 2023: CNIL President instructs Secretary-General to conduct verification mission targeting shein.com domain processing
• August 10, 2023: CNIL delegation conducts online monitoring mission identifying cookie violations on French subdomain
• August 29, 2023: Initial hearing with INFINITE STYLES ECOMMERCE FRANCE postponed at company request
• October 5, 2023: CNIL conducts hearing with INFINITE STYLES ECOMMERCE FRANCE regarding subsidiary operations
• October 30, 2024: CNIL President appoints rapporteur for restricted committee proceedings under Decree Article 39
• February 18, 2025: Rapporteur notifies INFINITE STYLES SERVICES of violation report proposing administrative fine and injunction
• March 18, 2025: Company submits initial written observations responding to penalty report
• April 18, 2025: Rapporteur replies to company observations with additional analysis
• May 19, 2025: INFINITE STYLES SERVICES files second written observations in reply
• June 10, 2025: Investigation closure notified to company and restricted committee president
• July 10, 2025: Restricted committee hearing with rapporteur and company representatives
• September 1, 2025: CNIL imposes €150 million administrative fine on INFINITE STYLES SERVICES CO. LIMITED
• French regulator updates cookie exemption rules for websites - CNIL clarifies audience measurement requirements
• Google fined €325 million by French regulator for Gmail ads and cookie violations - Related CNIL enforcement action

Summary

Who: The Commission nationale de l'informatique et des libertés (CNIL), France's data protection authority, penalized INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary of Singapore-based SHEIN group responsible for managing European subdomains of shein.com since August 1, 2023.

What: CNIL imposed a €150 million administrative fine for violating Article 82 of the French Data Protection Act through deploying advertising and analytics cookies before user consent, implementing non-compliant consent collection mechanisms, and failing to ensure effective consent withdrawal and refusal options.

When: The enforcement action began with online monitoring on August 10, 2023, progressed through investigation and adversarial proceedings throughout 2024 and early 2025, and concluded with the administrative fine announcement on September 1, 2025.

Where: The violations occurred on the French subdomain of shein.com affecting users accessing the website from terminals located in French territory, with CNIL asserting jurisdiction based on INFINITE STYLES ECOMMERCE FRANCE's promotional activities supporting the parent company's European operations.

Why: The penalty addresses systematic violations of French privacy law protecting user consent rights in electronic communications, with CNIL determining that SHEIN's cookie practices constituted "substantial infringement of the data subjects' right to privacy" affecting millions of monthly French visitors to the fast-fashion retailer's website.