€150 million. That’s what broken cookie banners cost SHEIN in September 2025. French regulators found the company tracking users before they consented. The “Reject all” button? It didn’t actually reject anything. About 12 million monthly visitors had their data collected illegally. SHEIN’s legal issues keep piling up – from data breaches to labor scandals to copyright lawsuits. If you run an online store, their mistakes are your warning signs. Keep reading to learn what went wrong.
What SHEIN Did Wrong
The CNIL inspected shein.com back in August 2023. They found several problems.
- Cookies dropped before consent. When shoppers landed on shein.com, advertising cookies started tracking them right away. This happened before visitors could even click anything on the cookie banner.
- Cookie banners hid key details. The site showed two different cookie pop-ups. Neither one explained that cookies were used for advertising. The first banner had buttons for “Cookie settings,” “Reject all,” and “Accept”—but no real information. The second pop-up only had an accept button with zero explanation.
- No details about third parties. Clicking “Cookie settings” should show who else gets your data. SHEIN didn’t provide this information.
- “Reject all” didn’t work. Here’s the big one. When visitors clicked “Reject all” or tried to withdraw consent later, cookies kept loading anyway. Old cookies stayed active too.
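The failures listed above can be checked mechanically against a recorded browsing session of your own store. The JavaScript below is an added example, not code from the CNIL or from SHEIN; the event format, the cookie names and the essential-cookie allow-list are assumptions made for illustration.

```javascript
// Added example: audit one recorded session for the consent failures listed above.
// Event shapes, cookie names and the ESSENTIAL allow-list are hypothetical.
const ESSENTIAL = new Set(["session_id", "cart", "consent_choice"]);

function auditConsentTimeline(events) {
  const findings = [];
  const stored = new Set();     // non-essential cookies currently in the jar
  let preReject = new Set();    // non-essential cookies that existed when the user refused
  let consent = "none";         // "none" | "accepted" | "rejected"

  for (const ev of events) {
    switch (ev.type) {
      case "consent":           // "rejected" covers both "Reject all" and a later withdrawal
        consent = ev.choice;
        if (consent === "rejected") preReject = new Set(stored);
        break;
      case "cookie_set":
        if (ESSENTIAL.has(ev.name)) break;
        stored.add(ev.name);
        if (consent === "none") findings.push({ rule: "set-before-consent", cookie: ev.name, t: ev.t });
        if (consent === "rejected") findings.push({ rule: "set-after-reject", cookie: ev.name, t: ev.t });
        break;
      case "cookie_deleted":
        stored.delete(ev.name);
        break;
      case "snapshot":          // cookie jar read some time after the last choice
        if (consent !== "rejected") break;
        for (const name of ev.jar) {
          if (preReject.has(name)) findings.push({ rule: "persisted-after-reject", cookie: name, t: ev.t });
        }
        break;
    }
  }
  return findings;
}

// Constructed session reproducing the reported behaviour (times in ms after page load).
const SAMPLE_SESSION = [
  { t: 120, type: "cookie_set", name: "session_id" },
  { t: 180, type: "cookie_set", name: "_ad_id" },          // banner not yet answered
  { t: 4000, type: "consent", choice: "rejected" },
  { t: 4300, type: "cookie_set", name: "_retarget" },      // loaded despite refusal
  { t: 9000, type: "snapshot", jar: ["session_id", "_ad_id", "_retarget"] },
];

for (const f of auditConsentTimeline(SAMPLE_SESSION)) console.log(f.t, f.rule, f.cookie);
```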
Why the Fine Was So Large
The CNIL considered several factors when setting the €150 million penalty.
Multiple violations at once. SHEIN didn’t just make one mistake. They placed cookies without consent, ignored user choices, and failed to give proper information. Each problem broke a different part of French privacy law. The regulator noted they’ve been punishing companies for these exact violations since 2020. SHEIN had plenty of warning.
Massive scale. About 12 million people in France visit shein.com every month. SHEIN holds a major position in online fashion retail. When a company tracks that many users illegally, regulators take it seriously. With that reach comes responsibility.
Revenue-based calculation. The fine works out to roughly 2% of SHEIN’s 2023 European revenue. Privacy regulators often tie penalties to company size. Bigger companies pay bigger fines.
SHEIN’s Response
The company pushed back hard. SHEIN called the fine “wholly disproportionate” and announced plans to appeal. They even suggested political motivations were behind the decision.
The CNIL did note that SHEIN made changes to its website during the investigation. Because of those fixes, regulators didn’t issue additional compliance orders. But the fine still stands for past violations.
How France Took Action on SHEIN Legal Issues
Cookie rules in this case fall under the ePrivacy Directive, not the GDPR. That’s important because under the GDPR’s “one‑stop shop” mechanism, a company is usually overseen by a single lead authority in the country of its EU headquarters.
Cookies are handled differently. Since ePrivacy is enforced at the national level, France’s CNIL could act directly on tracking that affected French users, without having to coordinate with Ireland – even though SHEIN’s European headquarters is based there.
The CNIL also claimed territorial jurisdiction. SHEIN operates INFINITE STYLES ECOMMERCE FRANCE on French soil. Since cookies were used as part of that French operation, French regulators had full authority to investigate and fine the company.
This means any country can go after cookie violations that affect their citizens. Companies can’t hide behind headquarters in privacy-friendly locations.
Part of a Bigger Pattern
This cookie fine adds to SHEIN’s growing list of legal troubles across multiple areas.
Data Breach Cover-Up
The company already paid $1.9 million in New York for mishandling a 2018 data breach. Hackers stole data from 39 million customer accounts. But SHEIN told users only 6.4 million were affected. They denied credit card information was stolen when evidence showed otherwise.
Investigators found weak security practices too. SHEIN used outdated password protection and stored payment data in plain text files. The settlement required them to upgrade their cybersecurity.
Labor Scandals
A 2022 UK documentary called “Untold: Inside the Shein Machine” showed hidden camera footage from supplier factories. Workers put in 18-hour days for pennies per item. Some had just one day off per month.
SHEIN hired independent auditors who confirmed two factories broke labor laws. Staff worked 12-13 hour shifts with barely any rest days.
The company cut orders to problem suppliers by 75% and pledged $15 million to improve conditions. The Rolling Stones canceled a merchandise deal after the story broke.
Questions about forced labor keep coming up too. UK Parliament asked SHEIN directly if they use cotton from Xinjiang, where human rights concerns exist. The company’s lawyer dodged the question repeatedly. One lawmaker said the answers “bordered on contempt.”
Copyright Lawsuits
Independent designers sued SHEIN under racketeering laws for copying their work exactly. Not similar designs – exact copies of original artwork and patterns.
The lawsuit claimed SHEIN uses algorithms to find trending designs, then reproduces them without permission. When caught, they’d offer tiny settlements and blame third-party sellers.
SHEIN settled out of court in late 2023. Terms stayed private, but settling suggests they wanted to avoid a bad verdict.
Major brands like H&M and Uniqlo have also taken legal action against SHEIN for design theft.
Illegal Products
French authorities have separately investigated SHEIN for selling products that should be restricted from minors. Some officials have called for banning SHEIN from France entirely.
Safety tests found SHEIN products with lead levels far above legal limits. One toddler jacket had nearly 20 times the allowable lead content.
Shipping Violations
In July 2025, SHEIN paid $700,000 to settle a California lawsuit over shipping delays. They took more than 30 days to ship orders without notifying customers or offering refunds—both required by state law.
Avoid SHEIN’s Cookie Mistakes with Consentik
SHEIN got hit with €150 million because their cookie system was broken. Tracking started before people agreed. The “Reject all” button did nothing. Visitors had no idea who was collecting their data.
You probably don’t want to spend your days reading privacy regulations. But ignoring cookie rules can drain your bank account fast.
Consentik GDPR Cookie Banner makes compliance simple. No coding. No legal degree required. Plus, Consentik holds Google CMP Partner and Microsoft CMP approval status. You can install it on multiple platforms like Shopify, Wix, or Shopline.
Consentik CMP puts up cookie banners, gets consent first, then lets tracking tools run. Google Analytics, Facebook Pixel, and similar scripts stay blocked until shoppers click accept. This is what the law demands – and what SHEIN skipped.
What you get:
- Pre-built templates: Launch a clean cookie banner within minutes
- Flexible layouts: Choose from multiple layouts and customize your banner and preferences pop-up
- Script blocking: Google Analytics, Meta Pixel, and other trackers wait for consent
- Auto-translation: Banners appear in each visitor’s language across different countries
- Consent reports: Track accept and reject rates with advanced tracking and clear dashboards
- Geo-blocking option: Block users until consent is given and show cookie categories
- Google Consent Mode V2: Accurate gcd parameter to increase consent rate and ads performance
- Microsoft Consent Mode: Full Clarity integration for better analytics
- IAB TCF v2.3 support: Complete industry compliance for advertising
- Hydrogen storefront integration: Works seamlessly with Shopify’s headless solution
- Multi-regulation coverage: Handles GDPR, CCPA/CPA, LGPD, and more
SHEIN paid €150 million for cookie violations. French regulators are watching closely. Don’t become the next headline.
Final Words
SHEIN’s €150 million fine didn’t happen overnight. Small compliance gaps grew into massive penalties. Broken cookie banners. Ignored user choices. Missing information. Privacy laws apply to everyone. Size won’t protect you. Only compliance will. Learn from SHEIN’s expensive mistakes, or risk making your own. The tools exist to get this right. What happens next is up to you. Good luck!