Cookies placed without consent: SHEIN fined 150 million euros by the CNIL

Background information

The SHEIN group sells clothing, footwear and accessories via the website "shein.com", which is managed by INFINITE STYLES SERVICES CO. LIMITED, based in Ireland, for the European territory.

In August 2023, the CNIL carried out an inspection of the website "shein.com". Based on its findings, the restricted committee – the CNIL body responsible for imposing sanctions – considered that INFINITE STYLES SERVICES CO. LIMITED had failed to comply with its obligations regarding cookies (Article 82 of the French Data Protection Act) and imposed a fine of 150 million euros on the company.
The amount of this fine took into account the fact that the company failed to comply with several obligations by placing some cookies without the consent of internet users, by not respecting their choices and by not informing them properly. The restricted committee recalled that, since 2020, it has repeatedly sanctioned organisations for similar breaches and has made its decisions public. The massive scale of the processing in question – given the company's central position in the online ready-to-wear clothing sector, with an average of 12 million people residing in France visiting the "shein.com" website each month – was also taken into consideration.

The breaches sanctioned

The restricted committee sanctioned several of the company's practices that were contrary to the French Data Protection Act (Article 82):

• Failure to obtain users consent before placing cookies: the CNIL found that several cookies, particularly with advertising purposes, were placed on the devices of users visiting "shein.com" as soon as they arrived on the site, even before they interacted with the information banner to express a choice.
• Two incomplete information banners: two interfaces related to the management of cookies were displayed on the "shein.com" website, but both were incomplete. The first banner had three buttons labelled "Cookie settings", "Reject all" and "Accept" but did not contain any information about the advertising purpose of cookies. A second pop-up window, containing only a button to accept cookies, did not provide any information about their purpose either.
• Insufficient second-level information: no information on the identity of third parties likely to place cookies was provided at this second level of information, accessible by clicking on the "Cookie settings" button.
• Inadequate mechanisms for refusing and withdrawing consent: when a user visiting the "shein.com" website clicked on the "Refuse all" button in the banner, or when they decided to withdraw their consent to the registration of cookies on their device, new cookies were still placed and others, already present, continued to be read.

In its deliberations, the restricted committee noted that the company had made changes to its website during the proceedings and that it was therefore not necessary to issue compliance orders.

The jurisdiction of the CNIL

The CNIL has material jurisdiction to carry out investigations and sanction operations related to cookies placed on the devices of internet users located in France. The cooperation mechanism provided for in the GDPR (the "one-stop shop" mechanism) does not apply in this case, as operations related to the use of cookies fall under the ePrivacy Directive, transposed into Article 82 of the French Data Protection Act, rather than the GDPR.

The restricted committee considered that the CNIL also has territorial jurisdiction pursuant to Article 3 of the French Data Protection Act because cookies are used within the "framework of the activities" of INFINITE STYLES ECOMMERCE FRANCE, which constitutes the "establishment" on French territory of INFINITE STYLES SERVICES CO. LIMITED.