After Shein earlier this summer, Google has now been sanctioned by the CNIL. On 1 September 2025, France’s data protection authority issued two record fines: €325 million against Google (Delib. SAN-2025-004) and €150 million against Shein (Delib. SAN-2025-005).
👉 Total: €475 million in a single day. This is a clear signal: user consent is not optional.
⚖️ Sanctioned breaches — what the CNIL found
- Placement of tracking cookies without valid prior consent (breach of Article 82 of the French Data Protection Act — transposition of the ePrivacy Directive);
- Use of advertising inserted between users’ Gmail messages (CNIL relied on Article L.34-5 of the French Postal and Electronic Communications Code regarding direct electronic marketing);
- Implementation of so-called “cookie walls” or account-creation flows that make refusal of advertising traceurs materially harder than acceptance, thereby invalidating consent.
Practical note: the €325M fine is allocated across Google entities (e.g. €200M against Google LLC and €125M against Google Ireland Limited), and the CNIL imposed a compliance injunction (6 months) with daily penalties of €100,000 for failure to comply.
Shein
- Continued deployment of advertising traceurs despite explicit user refusals;
- Failure to provide clear, prior information about the purposes of tracking;
- Use of opaque consent interfaces that do not meet the RGPD standards for valid consent (Art. 4(11) and Art. 7 GDPR).
📜 Doctrinal line: CNIL’s consolidated approach
The CNIL frames these sanctions in continuity with its traceurs action plan (2019 onwards). Key takeaways:
- Consent must meet the RGPD definition (free, specific, informed, and unambiguous — Art. 4(11), Art. 7 GDPR);
- Cookie walls are tightly scrutinized and are only lawful if a real, non-penalizing alternative is offered;
- The CNIL combines legal bases (GDPR, national Data Protection Act provisions such as Art. 82 LIL, and CPCE Art. L.34-5) to strengthen enforcement reach.
This pattern follows prior enforcement against large platforms (e.g., enforcement actions in recent years) and cements a strict French administrative approach that will carry weight in European enforcement discussions.
💡 Google vs Shein — different profiles, same principle
- Google: systemic issue across an integrated ecosystem (account creation, Gmail ads, cross-service tracking) — enforcement targets structural practices tied to market power.
- Shein: classic large-scale opaque tracking on an e-commerce platform — enforcement targets continuous non-compliance with user refusals.
Although distinct in mechanics, both cases converge on the single legal principle: the centrality of valid consent.
🔭 What this means for the market and compliance teams
- France is applying the law cumulatively and robustly; these fines are not symbolic.
- Regulatory authorities (CNIL, EDPB) are aligning toward stricter cookie and tracking enforcement.
- Businesses must integrate legal controls into marketing product design — compliance cannot be an afterthought.
📈 These record fines mark a turning point: warnings have given way to financial enforcement of the consent principle. The CNIL’s approach shows that both market leaders and fast-growing platforms are within reach of aggressive administrative enforcement. For legal teams, the question is no longer if enforcement will occur — it is how to prevent being the next target.
