Shein Handed €150 million Fine Over Cookie Consent Violations in France
Another day, another company sanctioned for placing cookies without consent. This time, an Irish subsidiary of the Shein Group called Infinite Styles Services Co. Limited has been hit with a €150 million fine. That’s unfortunate for the company, not just because of the size of the fine, but also because it could’ve been avoided with proper consent monitoring in place.
What Happened?
In early September 2025, France’s data protection authority, the CNIL, issued the record penalty to fast-fashion retailer Shein, including its site Shein.com, due to violations of French cookie and privacy laws.
Key Reasons Behind the Fine
An August 2023 inspection by the CNIL revealed that Shein had failed to comply with Article 82 of the French Data Protection Act. It had placed advertising cookies on the devices of users visiting its French website before obtaining their consent. In some cases, cookies were deposited even after users opted out, which points to a flawed or misleading consent mechanism.
Under GDPR, cookies that can identify or track individuals are deemed to be personal data, so placing them without clear consent from each user breaches the law.
The CNIL emphasized the severity of the violation, citing Shein’s failure to respect multiple obligations: lack of transparent communication, failure to honor user choices, and inadequate consent withdrawal mechanisms.
The size of the fine reflects the number of people affected: as a leading online ready-to-wear clothing retailer, the website receives around 12 million visitors per month. Shein has signaled its intention to appeal the decision, claiming that it’s disproportionate and politically motivated.
Other Troubles
This cookie fine isn’t Shein’s only regulatory setback in France. In July 2025, it was fined €40 million by DGCCRF, France’s consumer protection authority, for misleading discount practices and unsubstantiated environmental claims. The investigation found that 57% of promotions showed no actual discount, 11% even represented a price increase, and many environmental statements on the site lacked evidence.
This action follows broader scrutiny from the European Commission, which is investigating Shein under the Digital Services Act and consumer protection rules. Potential penalties could reach up to 6% of global turnover.
Avoidable Breaches
If Shein had been using the Reflectiz Privacy Dashboard, it would’ve been far better placed to meet its data protection obligations and avoid some of its current regulatory challenges. Let’s look at how:
Full Visibility into Third-Party Cookies and Trackers
Reflectiz automatically detects all cookies, scripts, and trackers running on a website (both first- and third-party). Shein was fined because cookies were dropped before consent was received and sometimes even after opt-out. With Reflectiz, Shein would have had a real-time inventory of every cookie being set, its purpose, and whether it respected consent signals.
Continuous Monitoring of Consent Behavior
Reflectiz simulates the user journey to see exactly when and how cookies are placed. It would have flagged that advertising cookies were being set before consent (and after opt-out), alerting Shein to the problem before regulators intervened.
This proactive detection allows quick remediation, ensuring alignment with GDPR and ePrivacy Directive requirements.
Compliance Validation for CMPs (Consent Management Platforms)
Many companies rely on a CMP banner, but improper integration can mean cookies still drop too early. Reflectiz validates that the CMP works correctly, checking that no cookies are triggered until proper consent is captured. In Shein’s case, this could have prevented the misleading “opt-out still triggers cookies” problem.
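The two checks described above (cookies set before consent, and cookies set after opt-out) can be expressed as a small audit over a recorded visit. This is an added example, not Reflectiz code or anything from the CNIL decision; the cookie names, purpose map and trace are constructed, and consent is simplified to a single accept/reject/withdraw state rather than per-purpose choices.

```javascript
// Added example: every name and value here is constructed for illustration.
// Purpose map a site owner would maintain for known cookies (hypothetical).
const PURPOSES = {
  session_id: 'essential', cart: 'essential',
  _adtrk: 'advertising', _retarget: 'advertising', _stats: 'analytics',
};

// Constructed trace of one simulated visit: observed Set-Cookie headers and
// consent-banner actions, with millisecond timestamps.
const TRACE = [
  { t: 0, kind: 'set-cookie', header: 'session_id=abc; Path=/; HttpOnly; Secure' },
  { t: 120, kind: 'set-cookie', header: '_adtrk=u1; Domain=.ads.example; Max-Age=31536000' },
  { t: 4000, kind: 'consent', choice: 'reject' },
  { t: 4050, kind: 'set-cookie', header: '_adtrk=; Max-Age=0; Domain=.ads.example' },
  { t: 4100, kind: 'set-cookie', header: '_retarget=u1; Domain=.ads.example' },
  { t: 4200, kind: 'set-cookie', header: 'cart=3; Path=/' },
  { t: 9000, kind: 'consent', choice: 'accept' },
  { t: 9100, kind: 'set-cookie', header: '_stats=1; Path=/' },
  { t: 15000, kind: 'consent', choice: 'withdraw' },
  { t: 15100, kind: 'set-cookie', header: '_adtrk=u1; Domain=.ads.example' },
  { t: 15200, kind: 'set-cookie', header: 'mystery=1' },
];

// The cookie name is everything before the first '=' of the first attribute.
function cookieName(header) {
  const pair = header.split(';')[0];
  const eq = pair.indexOf('=');
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Max-Age <= 0 removes a cookie; a CMP clearing trackers is not a placement.
const isDeletion = (h) => /;\s*max-age\s*=\s*(-\d+|0)\s*(;|$)/i.test(h);

// Flag every non-essential cookie placed while consent is absent or refused.
function auditTrace(trace, purposes) {
  let state = 'none'; // 'none' until the visitor chooses, then granted/refused
  const findings = [];
  for (const ev of [...trace].sort((a, b) => a.t - b.t)) {
    if (ev.kind === 'consent') {
      state = ev.choice === 'accept' ? 'granted' : 'refused';
      continue;
    }
    const name = cookieName(ev.header);
    const known = Object.prototype.hasOwnProperty.call(purposes, name);
    const purpose = known ? purposes[name] : 'unclassified'; // unknown = not exempt
    if (purpose === 'essential' || state === 'granted' || isDeletion(ev.header)) continue;
    const rule = state === 'none' ? 'set-before-consent' : 'set-after-opt-out';
    findings.push({ t: ev.t, name, purpose, rule });
  }
  return findings;
}
```

Cookies missing from the purpose map are treated as non-exempt, so a newly introduced third-party tracker shows up as a finding instead of passing silently.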
Risk Prioritization and Automated Reporting
CNIL criticized Shein for a lack of transparency. Reflectiz offers clear dashboards and compliance reports showing:
- What data is collected, by whom, and why
- Which cookies are non-compliant
- Regulatory risk exposure
These reports could have demonstrated due diligence to regulators and avoided claims of negligence.
Early-Warning System for Global Operations
Reflectiz tracks regulatory changes by region (France, EU, etc.). For a company like Shein with 12+ million monthly visitors in France, it would have issued alerts on local cookie consent standards (CNIL has stricter interpretations than some other EU regulators).
This ensures global sites adapt to each jurisdiction, rather than just taking a one-size-fits-all approach.
Outcome If Shein Had Used Reflectiz
- Non-compliant cookie practices identified early
- CMP integration verified and fixed before launch
- Evidence of proactive compliance ready for CNIL, showing good faith
- Potential avoidance of the €150 million fine and the reputational damage
The platform could also have delivered further security benefits: it evaluates whether components access or transmit PII and sensitive data, tracks the destination of data flows from third parties, prioritizes alerts, offers smart approvals of scripts with AI-driven risk justifications, provides non-intrusive, continuous remote monitoring and behavior analysis, and gives a centralized view of privacy risks that’s export-ready for audits and compliance.
In short: Reflectiz could have helped Shein demonstrate control, compliance, and accountability, the very things CNIL said were missing. If you’d like that level of protection, register here today.