In a significant enforcement of data privacy regulations, the French National Commission on Informatics and Liberty (CNIL) has imposed a fine of $379 million (€325 million) on Google for breaching cookie consent rules. Chinese e-commerce company Shein has also been fined $175 million (€150 million) for similar infractions.
The CNIL’s investigation revealed that both companies placed advertising cookies on users’ browsers without obtaining prior consent, a direct violation of the French Data Protection Act (Article 82). Shein has since updated its systems to comply with the regulations, though it plans to appeal the decision.
The CNIL highlighted that when users created a Google account, they were encouraged to accept cookies associated with personalized advertisements over those linked to generic ads. Users were not clearly informed that accepting advertising cookies was a prerequisite for accessing Google’s services. This practice rendered the obtained consent invalid under French law. Although Google introduced an option to refuse cookies in October 2023, the CNIL noted that the issue of informed consent persisted.
Additionally, Google faced criticism for embedding advertisements within the Promotions and Social tabs of Gmail without explicit user consent, contravening the French Postal and Electronic Communications Code (CPCE). This practice mirrors a previous case where French telecommunications operator Orange was fined €50 million in December 2024 for displaying ads among email messages without user consent.
The CNIL has mandated that Google rectify these issues within six months to avoid further penalties of €100,000 per day.
This development coincides with a U.S. jury’s finding that Google violated user privacy by collecting data even after users opted out of Web & App Activity tracking. The jury awarded $425 million in compensatory damages in this class-action lawsuit initiated in July 2020.
In related news, the U.S. Federal Trade Commission (FTC) announced that Disney agreed to pay a $10 million fine for collecting personal data from children watching YouTube videos without parental consent, violating the Children’s Online Privacy Protection Rule (COPPA). Disney failed to label certain videos as Made for Kids, allowing data collection from viewers under 13 for targeted advertising. The settlement requires Disney to notify parents before collecting data from children under 13 and to ensure proper designation of content intended for children.
Separately, the FTC is addressing concerns with Apitor Technology, a China-based robot toy manufacturer, for allegedly allowing a third-party, JPush, to collect children’s geolocation data without parental consent, also violating COPPA. Apitor integrated JPush’s software development kit into its Android app, enabling the collection and use of precise location data for advertising purposes without the knowledge of child users or their parents.
