SHEIN Fined €150M for Cookie Consent Violations

Jan 23, 2025 · €150M fine

MEDIUM

By Karim El Labban · ZERO|TOLERANCE

The Commission Nationale de l'Informatique et des Libertés (CNIL) imposed a EUR 150 million fine on SHEIN Distribution France SARL in early 2025 for deploying advertising and analytics tracking cookies on its fast-fashion e-commerce platform before obtaining valid user consent.

The investigation, prompted by complaints from French consumer advocacy groups, found that SHEIN's website dropped over 30 third-party tracking cookies on users' devices upon page load, prior to any consent interaction.

Approximately 12 million unique French visitors per month were affected. The CNIL also found that SHEIN's cookie banner design constituted a dark pattern that steered users toward acceptance.

01

KEY FACTS

  • What: SHEIN deployed 30+ tracking cookies before obtaining user consent.
  • Who: Approximately 12 million French monthly visitors to shein.com.
  • Data Exposed: Browsing behavior, purchase funnels, and cross-site tracking data.
  • Outcome: CNIL fined SHEIN EUR 150M for pre-consent cookie deployment.

02

WHAT HAPPENED

The CNIL investigation was prompted by complaints from French consumer advocacy groups and focused on SHEIN's e-commerce platform, shein.com, which attracted approximately 12 million unique French visitors per month.

The CNIL's technical analysis established that upon loading shein.com, the user's browser received over 30 non-essential cookies from third-party domains - including advertising networks operated by Google, Meta, and TikTok, social media tracking pixels, and analytics services - before the consent banner was even displayed.

The cookies were set through JavaScript executed during the initial page render, meaning data collection was already underway before any user had the opportunity to accept or refuse tracking.

The investigation also examined SHEIN's consent banner design and found it constituted a dark pattern. The banner displayed a large, prominently colored "Accept All" button alongside a much smaller, muted "Manage Preferences" link.

There was no "Refuse All" button at the first layer of the consent interface. Users who wanted to refuse non-essential cookies were required to navigate through a multi-step preferences panel - a design asymmetry that materially steered user behavior toward acceptance.

The non-compliance had persisted for over 18 months.

The CNIL imposed the EUR 150 million fine under Deliberation No. SAN-2025-001, calculating the penalty based on the scale of SHEIN's French operations, the duration of non-compliance, and the aggravating factor that cookies were deployed before consent was even requested.

The fine applied to SHEIN Distribution France SARL as the data controller for French operations.

03

WHAT WAS EXPOSED

  • Browsing behavior data including page views, product views, search queries, time spent on pages, and scroll depth across SHEIN's e-commerce platform
  • Purchase funnel data including cart additions, wishlist activity, size selections, and checkout abandonment patterns
  • Cross-site tracking data collected through third-party advertising cookies from Google, Meta, TikTok, and programmatic advertising networks
  • Device and browser fingerprinting data including user agent strings, screen resolution, installed fonts, and canvas fingerprints
  • Retargeting audience data enabling SHEIN to track users across the web after they left the platform, building persistent behavioral profiles

04

REGULATORY ANALYSIS

The CNIL's investigation addressed violations under both the GDPR and the ePrivacy Directive, specifically Article 5(3) of Directive 2002/58/EC as transposed into French law through Article 82 of the Loi Informatique et Libertés.

The primary finding was that SHEIN deployed advertising and analytics cookies before any user interaction with the consent banner.

The CNIL's technical analysis revealed that upon loading shein.com, the user's browser received over 30 non-essential cookies from third-party domains including advertising networks, social media pixels, and analytics services.

These cookies were set through JavaScript executed during the initial page render, meaning data collection began before the consent banner was even displayed to the user.

The CNIL also found that SHEIN's consent banner violated GDPR Article 7's conditions for valid consent.

The banner displayed a large, prominently colored "Accept All" button alongside a much smaller, muted "Manage Preferences" link that required users to navigate through a multi-step preferences panel to refuse non-essential cookies.

There was no "Refuse All" button at the first layer of the consent interface.

The EUR 150 million fine reflected the scale of SHEIN's French operations (12 million monthly unique visitors), the duration of the non-compliance (over 18 months), and the aggravating factor that cookies were deployed before consent was even requested.

05

ZERO|TOLERANCE Advisory

The SHEIN enforcement action is a direct warning to every e-commerce operator serving EU consumers: deploying tracking cookies before consent is obtained is not a gray area - it is a violation that the CNIL has now priced at EUR 150 million.

The difference between compliance and a nine-figure fine is not legal complexity. It is whether tracking scripts execute before or after the user makes a choice, and whether that choice is genuine or manufactured through dark patterns.

The first control is technical and non-negotiable: no non-essential cookie or tracking script may execute until the consent management platform has recorded a valid, affirmative consent signal from the user.

This means advertising pixels from Google, Meta, TikTok, and programmatic networks must be gated behind a server-side consent check, not merely a client-side JavaScript flag that can be bypassed or loaded out of order.

Tag management platforms such as Google Tag Manager, Tealium, or Segment must be configured so that all advertising and analytics tags are in a "blocked" state at page load and are released only upon receipt of a consent signal.
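
A sketch of the server-side gate described above, added here as an illustration and not taken from the CNIL decision or from any vendor's product. The tag list, the consent_id cookie name, the policy version and the in-memory consent store are all assumptions.

```javascript
// Added illustration; tag ids, URLs, cookie name and store shape are assumptions.
const CURRENT_POLICY_VERSION = 3;
const TAGS = [
  { id: "session", purpose: "essential", src: "/static/session.js" },
  { id: "analytics", purpose: "analytics", src: "https://analytics.example/a.js" },
  { id: "ads-pixel", purpose: "advertising", src: "https://ads.example/pixel.js" },
];

// Constructed consent store: opaque id -> record written when the user chose.
const CONSENT_STORE = new Map([
  ["c-1001", { purposes: ["analytics"], policyVersion: 3 }],
  ["c-0007", { purposes: ["analytics", "advertising"], policyVersion: 2 }], // stale
]);

function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The cookie only carries an id; what was granted is read from the server's
// own record, so a client-side flag such as "consent=all" grants nothing.
function grantedPurposes(cookieHeader, store) {
  const id = parseCookies(cookieHeader).consent_id;
  const rec = id ? store.get(id) : undefined;
  // No record, or consent given under an older policy: treat as "no choice yet".
  if (!rec || rec.policyVersion !== CURRENT_POLICY_VERSION) return new Set();
  return new Set(rec.purposes);
}

// Non-essential tags are never written into the page unless their purpose was
// granted, so there is nothing for the browser to load out of order.
function renderTags(cookieHeader, store) {
  const granted = grantedPurposes(cookieHeader, store);
  return TAGS
    .filter((t) => t.purpose === "essential" || granted.has(t.purpose))
    .map((t) => `<script src="${t.src}" data-tag="${t.id}"></script>`)
    .join("\n");
}

console.log(renderTags("consent_id=c-1001", CONSENT_STORE));
```
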

Regular automated auditing - using tools such as Cookiebot Scanner, OneTrust Cookie Compliance, or the open-source CookieConsent tool - should verify that no tracking cookies are set during the page render before consent interaction.
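
An added example (not from the article or from any of the tools named above) of the check such an audit performs: it walks a constructed timeline of one page load and reports every non-essential cookie set before the visitor made a choice, or after a refusal. The event format, domains, cookie names and the essential-cookie allowlist are assumptions.

```javascript
// Constructed capture of one page load; t = ms since navigation start.
// Assumption: a headless-browser crawl exported events in this shape.
const CAPTURE = [
  { t: 40, type: "cookie-set", name: "session_id", domain: "shop.example" },
  { t: 120, type: "cookie-set", name: "_trk", domain: ".ads.example" },
  { t: 150, type: "cookie-set", name: "_an", domain: "analytics.example" },
  { t: 900, type: "banner-shown" },
  { t: 950, type: "cookie-set", name: "_px", domain: "social.example" },
  { t: 4000, type: "consent", choice: "refuse" },
  { t: 4100, type: "cookie-set", name: "_trk2", domain: ".ads.example" },
  { t: 4200, type: "cookie-set", name: "cart", domain: "shop.example" },
];

// Allowlist of strictly necessary cookies, keyed as "domain/name".
const ESSENTIAL = new Set(["shop.example/session_id", "shop.example/cart"]);

function isThirdParty(domain, site) {
  return !(domain === site || domain.endsWith("." + site));
}

function auditCapture(events, site, essential) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  let bannerAt = null;
  let choice = null;
  const findings = [];
  for (const e of sorted) {
    if (e.type === "banner-shown") { bannerAt = e.t; continue; }
    if (e.type === "consent") { choice = e.choice; continue; }
    if (e.type !== "cookie-set") continue;
    const domain = e.domain.replace(/^\./, ""); // ".ads.example" -> "ads.example"
    const key = `${domain}/${e.name}`;
    if (essential.has(key) || choice === "accept") continue;
    findings.push({
      cookie: key,
      thirdParty: isThirdParty(domain, site),
      // before-banner is the aggravated case: set before consent was even requested.
      phase: choice === "refuse" ? "after-refusal"
        : bannerAt === null ? "before-banner" : "before-choice",
      t: e.t,
    });
  }
  return findings;
}

console.table(auditCapture(CAPTURE, "shop.example", ESSENTIAL));
```

Run against every release, a non-empty result is a regression to fix before deployment.
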

The second control is consent interface design that complies with CNIL's explicit requirement: "Refuse All" must be presented with equal prominence to "Accept All" at the first layer of the consent interface. Same size, same color weight, same number of clicks.

Any design that requires the user to navigate through a multi-step preferences panel to refuse cookies while offering a single-click acceptance button is a dark pattern.

The EDPB Guidelines 05/2020 on consent make this clear, and the EUR 475 million in combined cookie fines against Google plus this EUR 150 million against SHEIN establish the financial consequence.

The third control is implementing a unified consent signal that propagates across all platforms and third-party integrations.

When a user refuses tracking on shein.com, that refusal must prevent cookie placement, pixel firing, and data collection across every third-party service integrated into the platform.

The Transparency and Consent Framework developed by IAB Europe provides a standardized mechanism for communicating consent signals to advertising partners, though organizations must ensure the TCF implementation is genuinely enforced rather than merely declared.

The fourth control is conducting a Data Protection Impact Assessment under GDPR Article 35 for any tracking ecosystem that involves systematic monitoring of user behavior at scale - 12 million monthly visitors placing 30+ cookies per visit unambiguously qualifies.

The fifth control is ongoing monitoring: quarterly audits of cookie deployment behavior, consent acceptance ratios, and third-party script loading sequences to detect regression before regulators detect non-compliance.

06

SOURCES

CNIL Deliberation No. SAN-2025-001, CNIL Guidelines on cookies (Deliberation No. 2020-091), ePrivacy Directive Article 5(3), EDPB Guidelines 05/2020
