Background information
- Date of final decision: September 1st, 2025
- National case
- Controller: INFINITE STYLES SERVICES CO. LIMITED
- Legal Reference: The French Data Protection Act (Article 82): failure to obtain user consent before placing cookies; incomplete information banners, insufficient second-level information, inadequate mechanisms for refusing and withdrawing consent
- Decision: Infringement of the French Data Protection Act, Administrative fine
- Key words: Cookies
Summary of the Decision
Origin of the case
In August 2023, the French supervisory authority (CNIL) carried out an inspection of the website "shein.com". Based on its findings, the CNIL considered that INFINITE STYLES SERVICES CO. LIMITED had failed to comply with its obligations regarding cookies (Article 82 of the French Data Protection Act).
Key Findings
- Failure to obtain user consent before placing cookies: several cookies, particularly with advertising purposes, were placed on the devices of users visiting "shein.com" as soon as they arrived on the website.
- Incomplete information banners: two interfaces related to the management of cookies were displayed on "shein.com", but both were incomplete.
- Insufficient second-level information: no information on the identity of third parties likely to place cookies was provided at this 2nd level of information, accessible by clicking on the "Cookie settings" button.
- Inadequate mechanisms for refusing and withdrawing consent: when a user visiting "shein.com" clicked on the "Refuse all" button in the banner, or when they decided to withdraw their consent to the registration of cookies on their device, new cookies were still placed and others, already present, continued to be read.
Decision
The CNIL imposed a fine of 150 000 000 EUR on SHEIN.
The amount of this fine took into account the fact that the company failed to comply with several obligations by placing some cookies without the consent of internet users, by not respecting their choices and by not informing them properly. The restricted committee recalled that, since 2020, it has repeatedly sanctioned organisations for similar breaches and has made its decisions public. The massive scale of the processing in question – given the company's central position in the online ready-to-wear clothing sector, with an average of 12 million people residing in France visiting the "shein.com" website each month – was also taken into consideration.
For further information: Decision:
- https://www.cnil.fr/fr/cookies-deposes-sans-consentement-la-cnil-sanctionne-shein-dune-amende-de-150-millions-deuros (French)
- https://www.cnil.fr/en/cookies-placed-without-consent-shein-fined-150-million-euros-cnil (English)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.