Written by: Haim Ravia, Dotan Hammer
The French Data Protection Authority (CNIL) issued separate sanctions against Google and SHEIN, for failures related to the use of tracers (cookies) and electronic prospecting, under the framework of the French Data Protection Act and the ePrivacy Directive.
The CNIL fined Google LLC €200 million and Google Ireland Limited €125 million for two main infringements.
1. Non-free and uninformed consent for cookies. Until October 2023, the Google account creation path was deemed biased, requiring users who chose the ‘express personalization’ option to take six clicks to refuse personalized advertising cookies versus two clicks to accept them, thereby compromising the free nature of consent. Furthermore, consent was found to be not informed and freely given because Google failed to explicitly indicate that access to services was conditional on the use of advertising cookies.
2. Unsolicited electronic prospecting. Google displayed advertising messages inserted between private emails in the ‘Promotions’ and ‘Social networks’ tabs of the Gmail inbox without obtaining prior consent from users. The CNIL, relying on CJEU case law, held that this constituted ‘use of email for direct marketing purposes’.
The CNIL ordered Google to bring its processing into conformity, including by providing sufficient information regarding the mandatory use of advertising cookies, and obtaining prior consent for Gmail prospecting. The CNIL will also impose a penalty of €100,000 per day of delay following a six-month period granted to Google to come into conformity.
Separately, the CNIL fined SHEIN €150 million for failing to comply with obligations related to cookies.
1. Lack of Prior Consent. SHEIN used 10 different types of cookies—including advertising, advertising capping, and a non-exempt audience measurement cookie—on the user’s terminal immediately upon arrival on the website, before any interaction with the consent banner.
2. Invalid Consent and Withdrawal. SHEIN’s mechanism failed to collect informed consent as it did not clearly state the purposes of the cookies or the identity of third-party controllers. Critically, mechanisms for both refusing and withdrawing consent were ineffective, as cookies subject to consent continued to be read and written after the user explicitly refused or withdrew consent.
The CNIL based the amounts of the fines on the companies’ financial capacity, using the total worldwide turnover of their respective parent companies (Alphabet Inc. for Google and Roadget Business Pte Ltd for SHEIN) to ensure the fines were effective, proportionate, and dissuasive.
Click here to read the CNIL’s decision against Google.
Click here to read the CNIL’s decision against SHIEN.
