The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules.
Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision.
“When creating a Google account, users were encouraged to choose cookies linked to the display of personalized advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google’s services,” the CNIL noted.
The consent obtained in this manner is not valid and constitutes a violation of the French Data Protection Act (Article 82), it added. It’s worth noting that while this was the default behavior until October 2023, when the company added an option to refuse cookies, “the lack of informed consent still persisted.”
Google has also been called out for placing advertisements in the form of emails among other emails in the “Promotions” and “Social” tabs of Gmail, stating that the display of such ads required users’ explicit consent in accordance with the French Postal and Electronic Communications Code (CPCE).
French telecommunications operator Orange was fined €50 million back in December 2024 for similarly displaying ads between actual email messages without users’ consent. Google has been ordered to bring its systems into compliance within six months, or risk facing penalties of €100,000 per day.
The development comes as a U.S. jury found Google to have violated users’ privacy by collecting their data even after they opted out of Web & App Activity tracking. The decision, which awards $425 million in compensatory damages, is the culmination of a class action lawsuit filed against the company in July 2020.
In a statement shared with Reuters, the tech giant said the ruling “misunderstands how [their] products work,” adding the company’s privacy tools give users control over their data and emphasized that their choice to turn off personalization are honored. It also said it plans to appeal.
In related privacy-related announcements, the U.S. Federal Trade Commission (FTC) said Disney has agreed to pay $10 million to settle allegations that it collected personal data from children watching YouTube videos without parental notification or consent, thus violating the U.S. Children’s Online Privacy Protection Rule (COPPA).
The agency said Disney failed to properly label some videos that it uploaded to YouTube as “Made for Kids,” thus allowing it to gather data from children under 13 who watched that content and use it to serve targeted ads.
In addition to the $10 million fine, the proposed settlement requires Disney to begin alerting parents before collecting personal data from children under age 13 and obtain their consent in accordance with COPPA. Disney is also required to start a program to ensure that videos it uploads to YouTube are properly designated as intended for kids.
Separately, the FTC is also taking action against a China-based robot toy maker, Apitor Technology, over allegedly permitting a third-party called JPush to collect children’s geolocation data without their knowledge and parental consent in violation of COPPA.
“Apitor integrated a third-party software development kit called JPush into its [Android] app that allowed JPush’s developer to collect location data and use it for any purpose, including advertising,” FTC said. “After Android users download the Apitor app, it begins collecting and sharing users’ precise location data with JPush’s servers, unbeknownst to child users and their parents.”
