In the last three years, very high fines have been issued by the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) to big companies for non-compliance in the area of cookies and tracking devices.
Some examples are: the 35 million euros sanction imposed by the CNIL against Amazon in 2020 for the activation of cookies on users‘ computers without prior consent or satisfactory information; the 10 million euros fine to Yahoo in 2023 for failing to respect the choice of Internet users who refused cookies on its „Yahoo.com“ website and restricting the users ‘choices on the webmail services or the two fines totalling 100 million euros against Google in 2021/2022 for Google’s breach of obligations to obtain the consent of its users regarding the use of online trackers.
Last month, in September 2025, the CNIL issued again two huge fines to big players of the internet: Google and Shein, respectively of 325 million euros and 150 million euros. Big online players were indeed the main target of the plan promoted since 2019 by the CNIL with the publication of guidelines and recommendations on the use of the cookies, to drive online businesses and website owner to a correct use of tracking technologies and to promote compliance.
Some details on the fines:
Fine to Google
Following investigations initiated by a complaint of the non-profit organization nyob in 2022, the CNIL discovered that Google (Irish and US entities) was displaying advertisements in the form of emails among the “promotions” and “social” tabs in Gmail. According to the CNIL, the display of such advertisement would require the specific consent from the users, which was not collected by Google. Further to this, the restricted committee (responsible commission of the CNIL to impose fines) determined that during the registration procedure, the users were driven to accept cookies that activated personalised advertisements, rather than being presented with neutral options.. This practice has been considered as a breach of the consent validity, as provided by the Art. 82 of the French Data protection Act. For those breaches, on top of the fine, the Authority ordered Google to remediate within 6 months to the breaches, in particular: to refrain from displaying advertisements among the emails in Gmail without prior consent and to establish a lawful process to obtain consent from the users during the set-up of a Google account. It is interesting to note that, the obligation to restore compliance is linked to a penalty of €100,000 per day of delay in complying with the order. The high amount of the fine derived from different factors: the number of users who were affected by the breaches (approximately 74 million user accounts, with 53 million belonging to users residing in France.), the dominant position of Google in the market and as advertiser platform and email service provider and the negligence, provided that Google was already fined for breaches of cookies regulations in 2021 and 2022.
It is also interesting to note that Google could not benefit from the “one-stop-shop” mechanism under GDPR, which would have deferred to the Irish Data Protection authority the power to rule, as lead supervisory authority for cross-border data processing. And this is mainly because for cookies compliance, the ePrivacy Directive (Article 82 in French law) would apply, not the GDPR.
Fine to Shein
The Irish subsidiary of the SHEIN group was fined for the breach of different cookies obligations on the website shein.com. the CNIL initiated an inspection on the fast-fashion website in 2023, which lead to the identification of different non-compliant behaviours. Specifically, the breaches of the cookie regulations involved: the activation of advertising cookies on visitors’ devices without explicit consent, incomplete information provided in the cookie banner, and failures in implementing the choices made when clicking on the “refuse all” option.As in the Google case above, the “one-stop-shop” mechanism did not apply; therefore, the CNIL confirmed its jurisdiction in the matter.
Conclusions
Cookies and tracking tools have been on the radar of the European data protection authorises from many years, and the same authorities have issued many guidelines and recommendations in the correct implementation of those tools. Nevertheless, in some cases, the urge to gather valuable information from users and to display advertisement is bigger than the duty to implement tools in a lawful manned and to minimise the processing of data.
- Before publishing a website that intends to collect information from users for purposes other than the functioning of the website, it is always important to:Only place non- essential cookies with prior consent
- Implement a clear and visible cookie banner, giving options to accept or not in a neutral way
- Provide the option to choose the cookies to be installed in a granular way or at least in a meaningful way for the users
- Provide clear information on the cookies and tracking tools
- Allow the change of preferences in an easy and accessible way
Online marketing has been a valuable instrument for the business to foster visibility and to help marketers grow, however advertisement practices should always take into consideration the applicable regulations and recommendations for a processing of personal data that is fair and does not override the rights of the internet users.