The French data protection authority CNIL fined Google €325 million and Shein €150 million for cookie-rule violations, saying both companies placed advertising cookies on users’ browsers without securing consent, according to CNIL.
Shein has since updated its systems to comply with CNIL regulations, while Reuters reported the retailer plans to appeal the decision. Reuters said the retailer plans to challenge the ruling.
The CNIL said the consent obtained in this manner is not valid and constitutes a violation of the French Data Protection Act (Article 82); it noted that cookie-defaults persisted until October 2023, when an option to refuse cookies was added, but the lack of informed consent persisted.
France also cited advertising embedded in emails as a breach of the CPCE, and Google faced similar scrutiny for ads inserted between emails in Gmail. The CNIL pointed to Google’s Gmail ads case and noted that Orange was fined €50 million in December 2024 for a related practice.
Separately, a U.S. jury found Google violated users’ privacy by collecting data after opt-out of Web & App Activity tracking, awarding $425 million in damages. Google said the ruling misunderstands how its products work and plans to appeal.
In privacy-related actions, the U.S. Federal Trade Commission announced Disney will pay $10 million to settle allegations that it collected personal data from children watching YouTube videos without proper parental notification or consent under COPPA. The FTC also cited the need for proper labeling of videos as “Made for Kids.” The agency said Apitor Technology was likewise investigated for enabling a third party to collect children’s geolocation data without parental consent; see the FTC filing and related materials, including Disney COPPA settlement and Apitor action, as well as JPush SDK.