On September 1, 2025, the French Data Protection Authority (CNIL) announced a €150 million fine against INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary of the SHEIN group, for breaches of cookie regulations.
The case is significant not only because of the penalty amount, but also because of the lessons it provides on what not to do when managing user consent. The shein.com website, which attracts nearly 12 million monthly visitors from France, was found to place advertising cookies without obtaining valid consent.
Beyond the headline figure, the decision highlights several critical pitfalls and four main takeaways stand out.
Cookie purposes must be clearly communicated
During its inspections, the CNIL found that neither of the two consent interfaces used on shein.com properly informed users about the purposes of the trackers, i.e. why their data would be collected.
On their first visit, users encountered a banner offering the three expected options (“Cookie settings,” “Reject all,” and “Accept all”), but it failed to mention any advertising purposes.
This omission goes against a cornerstone of the ePrivacy framework: consent must be tied to specific, identified purposes. Without transparency on objectives, consent cannot be regarded as informed and therefore carries no legal weight.
Avoid multiplying consent interfaces
The authority also took issue with the simultaneous presence of two different widgets: the incomplete cookie banner previously mentioned, and a pop-up headed “Welcome to the French website.”
This setup raised several problems. First, it created unnecessary information overload and user confusion. Second, the pop-up, presented as a neutral welcome screen, was in fact used to capture consent via a “I accept” button, without offering any refusal option. Finally, just like the former banner, it gave no meaningful details about the purposes of the cookies.
By layering multiple non-compliant interfaces, the site for obtaining consent that was both informed and freely given, as required under the law.
Identify all vendors and never drop advertising cookies before consent
The CNIL also noted that the second-level information provided by SHEIN did not list the third parties involved in cookie placement. This omission left users unaware of which companies would be receiving their data.
The principle is straightforward: valid consent requires not only a clear explanation of the purposes but also the identification of all third parties responsible for processing. The chain of responsibility cannot remain hidden from the end user. In other words, naming partners is not optional, it is a condition for lawful processing.
In practice, this means presenting a clear and exhaustive list of both purposes and vendors, exactly the type of functionality a CMP (Consent Management Platform) like Axeptio is designed to handle.
Refusal and withdrawal of consent must be technically effective
Perhaps the most serious breach uncovered was that cookies continued to be placed even when users clicked “Reject all.”
The CNIL’s investigation identified several categories of trackers installed without consent:
- three advertising cookies linked to Pinterest and Microsoft,
- six ad-capping cookies used to limit the frequency of an advert,
- and a ten-year audience measurement cookie, which SHEIN claimed was used for A/B testing.
Worse still, withdrawing consent did not remove cookies but added more. In one test, after initially accepting cookies (75 were placed) and then withdrawing consent, the site not only retained the existing cookies but deposited ten additional ones, including some tied to Bing.
In short, user choices were not respected. The law is explicit here: refusal mechanisms must be simple, immediate, and technically reliable.
This sanction against SHEIN should not be read only in terms of the fine imposed. It underlines three fundamental obligations in cookie management: to inform users of the purposes, to identify all actors involved, and to ensure that refusal is effective.
A properly configured CMP ensures compliance with these principles. More than that, it builds trust, strengthens brand integrity, and ultimately drives performance.
Jérôme Perani CRO, Axeptio.
Use Shake to automatically analyze your website's cookies and compliance!
