On 1 September 2025, the French data protection authority CNIL imposed a fine of €150 million on the Irish SHEIN subsidiary INFINITE STYLES SERVICES CO. LIMITED. The reason: SHEIN used cookies and other tracking tools on its online shop ‘shein.com’ without the effective consent of users, did not provide them with sufficient information and did not respect the decisions they had made. This violates the ePrivacy Directive and the GDPR requirements on consent and transparency in the use of cookies.
The CNIL highlighted the massive scale of the data processing – an average of 12 million people in France visit the SHEIN website every month. The authority is closely monitoring the sector and has repeatedly imposed severe penalties for similar breaches in the past.
No one-stop-shop principle here
The decision is also significant for international businesses, as the so-called one-stop-shop procedure applies to cross-border data processing: in principle, the data protection authority of the country in which the business has its main establishment in the EU (in this case, Ireland) is responsible. The CNIL was responsible, even though the European SHEIN company is based in Ireland, because the proceedings concerned the ePrivacy Directive (in Germany, the TDDDG), which, unlike the GDPR, does not provide for a one-stop shop.
Review your cookie banners
Current developments make it clear that cookie banners remain the focus of data protection supervisory authorities. Regular reviews of your own compliance are essential to avoid severe penalties. Please feel free to contact us if you would like us to review your cookie banner for compliance with the current requirements of the GDPR and the ePrivacy Directive.