The French data protection authority, the National Commission on Informatics and Liberty (CNIL), has imposed significant fines on tech giants Google and Shein for their failure to comply with strict cookie regulations. Google faces a fine of $379 million, while the Chinese e-commerce company Shein has been penalized $175 million. The CNIL found that both companies were setting advertising cookies on users’ browsers without first obtaining their consent, a direct violation of French data protection laws. While Shein has since updated its systems to adhere to the regulation, the company has reportedly announced plans to appeal the decision, signaling a potential ongoing legal battle.
In the case of Google, the CNIL’s investigation revealed that when users created an account, they were steered towards accepting cookies for personalized advertisements. This practice was seen as undermining the user’s ability to freely choose, as the option to accept generic advertisements was not presented as an equally clear alternative. The CNIL also highlighted that users were not adequately informed that the use of advertising cookies was a prerequisite for accessing Google’s services. This method of obtaining consent was deemed invalid and in violation of Article 82 of the French Data Protection Act. The authority noted that while Google introduced an option to refuse cookies in October 2023, the fundamental issue of a lack of informed consent persisted.
Beyond the cookie violations, Google was also called out for its email advertising practices within Gmail. The CNIL stated that placing advertisements as emails within the “Promotions” and “Social” tabs required explicit user consent, as stipulated by the French Postal and Electronic Communications Code. This finding echoes a similar case in December 2024, when French telecommunications operator Orange was fined $50 million for a comparable offense. As a result of these violations, Google has been ordered to bring its systems into compliance within six months, with the threat of a daily penalty of €100,000 should it fail to do so.
This is not the only recent legal setback for Google concerning user privacy. In the United States, a jury found the company to have violated user privacy by continuing to collect data even from individuals who had opted out of Web & App Activity tracking. The decision resulted in a class action lawsuit filed in July 2020 and awarded $425 million in compensatory damages to the plaintiffs. This verdict, coupled with the French fines, underscores a growing global trend of increased scrutiny and legal action against tech companies regarding their data collection and privacy practices.
The focus on child privacy is also a key part of this broader regulatory push. The U.S. Federal Trade Commission (FTC) recently announced that Disney has agreed to a $10 million settlement for allegedly collecting personal data from children on YouTube without parental consent. The FTC claimed that Disney failed to properly label some videos as “Made for Kids,” leading to the collection of data from children under 13 for targeted advertising, in violation of the U.S. Children’s Online Privacy Protection Rule (COPPA). In a separate but related action, the FTC is also pursuing a case against a China-based robot toy maker, Apitor Technology, for allegedly allowing a third party to collect children’s geolocation data without parental knowledge or consent. These cases highlight the global effort by regulatory bodies to enforce stricter rules and hold companies accountable for their data collection practices, particularly when it concerns vulnerable users.
Reference:
