Record-Breaking Fines for Cookies by the CNIL on Google and Shein


1. Introduction

The French data protection authority (CNIL) has delivered its most significant enforcement action to date, imposing a combined €475 million in fines across two landmark decisions published on September 4, 2025. The sanctions against Google (€325 million total) and SHEIN’s European operations (€150 million) represent not merely record-breaking penalties, but a fundamental shift in how regulators approach cookie consent and electronic marketing violations in an increasingly complex digital ecosystem.

These decisions, emerging from extensive multi-year investigations, demonstrate the CNIL’s evolving enforcement philosophy and provide crucial guidance on the intersection of the ePrivacy Directive, GDPR compliance, and emerging technologies. For legal practitioners and compliance professionals, these cases offer essential insights into the regulatory landscape’s trajectory and the heightened expectations for digital consent mechanisms.

2. Legal Framework and Jurisdictional Innovation

2.1. Territorial Competence in Cross-Border Digital Services

Both decisions showcase the CNIL’s sophisticated approach to establishing territorial jurisdiction over multinational technology companies. In the Google case, the authority rejected arguments that Ireland’s Data Protection Commission should handle the matter under GDPR’s “one-stop-shop” mechanism, emphasizing that ePrivacy Directive violations fall outside this framework.

The CNIL relied on the Council of State’s precedential decisions in Google LLC (2022) and Amazon Europe Core (2022), which established that cookie-related enforcement remains within national authorities’ competence regardless of a service’s cross-border nature. This jurisdictional approach enables the CNIL to address violations affecting French users directly, without engaging in potentially lengthy cross-border cooperation procedures.

2.2. The “Economic Establishment” Doctrine

In both cases, the CNIL applied an expansive interpretation of what constitutes a “French establishment” for jurisdictional purposes. For SHEIN, the authority found that INFINITE STYLES ECOMMERCE FRANCE constituted an establishment of the Irish controller INFINITE STYLES SERVICES CO. LIMITED, despite the absence of direct legal ownership links. The decision relied on the companies’ economic integration within the same corporate group and their shared commercial objectives.

This “economic establishment” approach, drawing from EU competition law principles, enables regulators to pierce corporate structures that might otherwise shield foreign entities from local enforcement. The implications extend beyond data protection, potentially affecting how multinational companies structure their European operations.

3. Cookie Consent: Beyond Technical Compliance

3.1. The Evolution of “Free” Consent Standards

The Google decision provides the most comprehensive analysis to date of what constitutes genuinely “free” consent in the context of cookie walls. Prior to October 2023, Google’s account creation process required six clicks to refuse personalized advertising cookies compared to just two clicks to accept them. The CNIL found this asymmetry fundamentally undermined user choice, regardless of whether a technical refusal option existed.

The decision builds on the European Data Protection Board’s guidance on “consent or pay” models, emphasizing that consent validity depends not merely on the availability of alternatives, but on their practical accessibility and the absence of manipulative design patterns. This standard significantly raises the bar for platforms seeking to monetize through advertising while claiming valid consent.

3.2. Information Transparency Requirements

Both decisions reveal the CNIL’s increasingly demanding approach to consent transparency. In SHEIN’s case, the authority found multiple information deficiencies, including:

  • Failure to clearly explain that service access requires accepting advertising cookies
  • Inadequate identification of third-party cookie providers
  • Misleading terminology suggesting optional consent when cookie acceptance was actually mandatory

The Google decision went further, requiring explicit information that advertising cookies are “necessarily” deposited during account creation. This language suggests that vague or implicit disclosure of cookie usage will no longer satisfy regulatory expectations.

4. Electronic Prospecting: Expanding Regulatory Scope

4.1. The Gmail Advertising Decision: A Paradigm Shift

Perhaps the most legally significant aspect of the Google decision concerns email advertising within Gmail. The CNIL applied the Court of Justice’s StWL judgment (2021) to find that advertisements inserted between emails constitute electronic prospecting requiring prior consent, even when displayed in dedicated “Promotions” or “Social Networks” tabs.

This interpretation dramatically expands the scope of electronic prospecting regulation beyond traditional email marketing. The decision establishes that any advertising content appearing within a user’s private messaging interface requires explicit consent, regardless of visual distinctions or technical implementation details.

4.2. Technical Implementation vs. User Experience

The CNIL rejected Google’s argument that Gmail advertisements should escape prospecting rules because they don’t technically constitute “emails.” Instead, the authority focused on user experience and the reasonable expectations of privacy within messaging interfaces. This functional approach suggests that regulators will increasingly scrutinize advertising practices based on their practical impact rather than their technical classification.

5. Enforcement Philosophy and Penalty Calculation

5.1. The “Enterprise” Concept in Sanctions

Both decisions demonstrate the CNIL’s adoption of EU competition law principles for calculating administrative fines. Rather than limiting penalties to the specific subsidiaries responsible for violations, the authority considered the entire corporate group’s turnover when determining proportionate sanctions.

For Google, this meant considering Alphabet Inc.’s €312 billion turnover rather than limiting calculations to the directly responsible entities. This approach, validated by the Court of Justice in recent decisions, enables regulators to impose truly dissuasive penalties on multinational technology companies.

5.2. Aggravating and Mitigating Factors

The decisions reveal sophisticated penalty calculations considering multiple factors:

5.2.1. Aggravating factors:

  • Previous violations (Google had been sanctioned in 2021 for similar cookie issues)
  • Market dominance and technical sophistication
  • Financial benefits derived from non-compliant practices
  • Massive scale affecting millions of users

5.2.2. Mitigating factors:

  • Partial compliance efforts during proceedings
  • Cooperation with investigations
  • Technical modifications to reduce user confusion

6. Practical Implications for Digital Businesses

6.1. Immediate Compliance Priorities

Organizations operating in France must reassess their digital consent mechanisms in light of these decisions:

  1. Cookie Consent Interfaces: Ensure equal prominence and accessibility for acceptance and refusal options
  2. Information Transparency: Provide explicit, unambiguous disclosure of advertising cookie requirements
  3. Third-Party Identification: Clearly identify all entities that may access user data through cookies
  4. Alternative Services: Consider whether genuinely equivalent alternatives exist for users refusing cookies

6.2. Email Marketing and Platform Advertising

The Gmail decision’s implications extend far beyond Google. Any platform displaying advertising content within user communication interfaces should review whether explicit prospecting consent is required. This includes:

  • Social media platforms showing ads within message feeds
  • Email providers displaying promotional content
  • Communication tools with integrated advertising features

6.3. Design and UX Considerations

Both decisions emphasize that compliance extends beyond legal documentation to encompass user interface design. “Dark patterns” that manipulate user choice through design will face increasing regulatory scrutiny. Organizations should audit their consent flows for:

  • Visual equality between acceptance and refusal options
  • Clear, unambiguous language avoiding manipulative terminology
  • Logical information flow that enables informed decision-making

7. Conclusion

These landmark CNIL decisions signal a maturation in European privacy enforcement, moving beyond early GDPR implementation toward sophisticated, technologically informed regulation. The €350 million (Google) and €125 million (Shein) penalties reflect not merely punitive enforcement, but a regulatory strategy designed to reshape industry practices through economic incentives.

For legal practitioners, these decisions provide essential guidance on several fronts. First, they confirm that jurisdictional complexity cannot shield multinational companies from local enforcement when services target local users. Second, they establish that genuine consent requires more than technical compliance—it demands user-centric design that respects individual autonomy.

Perhaps most significantly, these decisions demonstrate regulators’ willingness to apply functional rather than formalistic analysis to digital practices. Whether addressing cookie walls, email advertising, or corporate structure, the CNIL focused on practical impact rather than technical categorization.

As the digital economy continues evolving, these decisions provide a roadmap for compliance that prioritizes substance over form. Organizations that embrace this approach—designing services that genuinely respect user choice rather than merely satisfying technical requirements—will be best positioned to navigate the increasingly sophisticated privacy enforcement landscape.

The message from these decisions is clear: the era of privacy as an afterthought in digital product design has definitively ended. The question for businesses is not whether to prioritize genuine privacy compliance, but how quickly they can adapt their practices to meet regulators’ evolving expectations.

On behalf of the “Stergios Konstantinou & Associates Law Office – SGKLegal”

Stergios G. Konstantinou

Lawyer, Advanced LLM (IP & ICT Law)

CIPP/E, CIPM, FIP

Eva Pitsi

Trainee Lawyer, LLM