€150 million fine for SHEIN - Another warning on cookie compliance

The CNIL’s decision represents one of the largest fines ever issued for the unlawful use of cookies and online trackers. The case clearly shows that European data protection authorities are taking strong action against dark patterns and improper consent management, not only in theory but also in practice.

Key findings of the CNIL’s investigation

The investigation revealed that SHEIN’s cookie practices seriously violated users’ data protection rights in several ways:

  • Pre-activation:

Cookies were activated as soon as the website loaded, before the user could make any decision, even though prior consent is required and implied consent does not suffice.

  • Lack of choice (Dark Pattern):

The cookie banner did not provide clear, balanced “accept” / “reject” options. The “reject” or “settings” buttons were intentionally designed or positioned in a way that made refusal difficult. This constituted the use of dark patterns: manipulative design elements intended to push users toward decisions contrary to their own interests.

  • Ignoring user decisions:

Certain tracking (analytical/marketing) cookies remained active even when the user opted to reject them. This alone constitutes a serious violation, as the system failed to respect the user’s choice.

Additionally, the CNIL determined that the information provided by SHEIN was neither clear nor comprehensive: the banner did not explain the purpose of each cookie, nor did it adequately describe how users could withdraw their consent.

When determining the amount of the fine, the CNIL took into account as an aggravating factor that SHEIN attracts around 12 million monthly visitors in France, meaning the infringement affected a large and significant number of individuals.

Why is this case particularly important? - A summary of cookie rules

The CNIL’s decision reinforces that cookie management is not just a technical issue but a legal compliance obligation grounded in the GDPR and the ePrivacy Directive.

1. The principle of prior and active consent (ePrivacy Directive)

Under Article 5(3) of the ePrivacy Directive, users’ prior consent is required for any cookies that are not strictly necessary for the technical operation of the service (e.g., cookies storing cart contents or login data).

This is why marketing and analytics cookies must not be activated before the user makes a choice.

2. Conditions for valid consent under the GDPR

User consent must meet the requirements set out in Article 4(11) of the GDPR:

  • Freely given:

Refusal must not lead to denial of the same service. Paywall-type solutions are only allowed under strict conditions.

  • Specific:

Consent must be obtained separately for each processing purpose.

  • Informed:

Users must clearly understand what they are consenting to (hence the need for detailed information).

  • Unambiguous:

Consent cannot be implicit; it must be given through an active, affirmative action (e.g., clicking an “Accept” button). Passive scrolling or the continued use of a website does not constitute valid consent. Likewise, the use of pre-ticked checkboxes is not acceptable - although common in practice, it is unlawful. The invalidity of this practice is clearly confirmed in paragraph 79 of the EDPB Guidelines 5/2020.

SHEIN violated both sets of legal requirements.

Lessons for businesses and relevance for Hungarian practice

The SHEIN case serves as a clear warning to all online service providers. Although the case occurred in France, the applicable rules and obligations are set at EU level, meaning they apply equally to Hungarian websites.

Practical steps for compliance:

  • Equal choice options:

The cookie banner must provide a genuine choice. The “reject” button must be just as visible, accessible, and easy to use as the “accept” button (thus avoiding dark patterns).

  • Respecting user decisions:

Systems must genuinely respect user preferences. If users reject cookies, no non-essential (tracking) cookies may be deployed.

  • Clear information:

Cookie notices must clearly and understandably explain the purpose, operation and lifespan of each cookie, and how consent can be withdrawn (which must be as easy as giving it).
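One way to implement the gate these three steps describe, as an added example that is not part of the original article or of any SHEIN or CNIL material: non-essential trackers are registered instead of run directly, nothing runs until an explicit per-purpose “accept”, and a “reject” (or later withdrawal) purges what is present. The in-memory cookie jar, the category names and the function names are assumptions constructed for illustration.

```javascript
// Categories that need prior, active consent under Art. 5(3) ePrivacy (not strictly necessary cookies).
const NON_ESSENTIAL = ["analytics", "marketing"];

// In-memory cookie jar standing in for document.cookie so the gate runs outside a browser
// (constructed for this example; a real deployment would wrap document.cookie instead).
function createCookieJar() {
  const jar = new Map(); // name -> category
  return {
    set: (name, category) => jar.set(name, category),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()],
    category: (name) => jar.get(name),
  };
}

// Consent gate: tracker loaders are registered per category and run only after an
// explicit "accept". "No decision yet" (null) is treated exactly like a rejection.
function createConsentGate(cookies) {
  const decision = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, null]));
  const loaders = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, []]));
  const fired = []; // categories whose loaders actually ran
  const run = (c) => { for (const l of loaders[c]) l(cookies); fired.push(c); };
  return {
    register(category, loader) { // page scripts register here instead of calling the tracker
      if (!NON_ESSENTIAL.includes(category)) throw new Error("essential scripts are not gated");
      loaders[category].push(loader);
      if (decision[category] === true) { loader(cookies); fired.push(category); } // consent already given
    },
    accept(categories) { // per-purpose affirmative action, e.g. the "Accept" button
      for (const c of categories) { decision[c] = true; run(c); }
    },
    reject(categories = NON_ESSENTIAL) { // also used for withdrawal; as easy as accepting
      for (const c of categories) {
        decision[c] = false; // nothing in this category runs from now on
        for (const n of cookies.names()) if (cookies.category(n) === c) cookies.remove(n);
      }
    },
    state: () => ({ ...decision }),
    fired: () => [...fired],
  };
}

// Audit: non-essential cookies present without a recorded "accept" for their purpose,
// i.e. the pre-activation and ignored-rejection findings from the decision.
function consentViolations(gate, cookies) {
  const s = gate.state();
  return cookies.names().filter((n) =>
    NON_ESSENTIAL.includes(cookies.category(n)) && s[cookies.category(n)] !== true);
}
```

Running consentViolations against a real page's cookie jar before any banner interaction is a quick check for the pre-activation problem the CNIL found.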

Hungarian focus - NAIH and cookie compliance

It is important to highlight that the Hungarian Data Protection Authority (NAIH) also regularly reviews Hungarian websites for cookie compliance. While no fine has reached €150 million, NAIH has imposed several significant penalties (even in the tens of millions of forints) for improper consent management and the use of dark patterns. The authority’s practice similarly emphasises the need for equal “accept/reject” choices and the prohibition of activating cookies without prior, active consent.

The CNIL’s decision clearly demonstrates that failure to comply with data protection requirements carries significant financial and reputational risks. Compliance is not a one-time setup but an ongoing process requiring continuous review.