On Thursday, July 10, the CNIL rapporteur requested a €150 million fine against the Asian fast fashion giant for failing to comply with the rules applicable to cookie management on its website.
The CNIL (French authority in charge of handling information and freedom matters) conducted an inspection of SHEIN’s website on August 10, 2023, which allegedly revealed a number of breaches.
According to the CNIL rapporteur, the site placed “advertising cookies without obtaining users’ consent” or with “a method of obtaining consent that was confusing,” as the site’s configuration encouraged users not to exercise their right to refuse.
In addition, the cookie mechanism was flawed, particularly as the site did not display a “refuse all” button, equivalent to the “accept all” button.
The rapporteur emphasized “the negligence shown by the company, which has the human and technical resources to comply,” as the company did not respond to a formal notice previously sent by the CNIL.
The rapporteur also noted that the website attracted “an average of 12 million unique visitors per month” in France. He indicated that he would not be seeking “a penalty of $100,000 per day,” as Shein had “recently” brought itself into compliance.
As a reminder, with regard to personal data, rules apply not only to the collection and processing of personal data, but also to the collection of consent from internet users when cookies are placed on a website:
– No advertising or non-strictly necessary trackers may be used without the internet user’s consent;
– Refusing cookies must be as easy as accepting them for the internet user;
– Access to the website cannot be made conditional on the acceptance of cookies;
– Consent must meet several criteria and be documented.
The CNIL may impose penalties of up to 4% of a company’s global annual turnover.
The penalty imposed is not final—the CNIL’s restricted committee will rule on the matter in the coming weeks.
Please do not hesitate to contact us for assistance with your GDPR issues.