
In early September, the French data protection authority issued a precedent-setting decision: it fined Shein’s Irish subsidiary for serious violations of cookie and user consent regulations. The ruling goes far beyond a single fine and sends a clear message: cookie-related data protection rules must be taken seriously.

The French Case
In August 2023, the French data protection authority conducted an inspection into the cookie practices of Shein, the Chinese e-commerce giant. As a result, on September 1, 2025, it imposed a significant fine of €150 million on the company. The investigation revealed multiple violations related to Shein’s use of cookies and its (non-)acquisition of valid user consent.
Some cookies — including advertising and tracking cookies — were placed on users’ devices the moment they accessed the website, even before any interaction with the cookie consent interface (commonly referred to as the cookie banner) could occur. Certain cookies were activated even when users explicitly rejected them using the “Reject All” option or later withdrew their consent. In some instances, new cookies were set despite the withdrawal of consent.
Furthermore, the cookie banner itself failed to provide adequate information regarding the purposes of the cookies, especially those used for advertising, and did not clearly identify the third parties involved.
In determining the fine, the authority emphasized that Shein had the technical and human resources necessary to ensure compliance but still acted negligently. The scale of the violation was also a decisive factor: Shein’s website attracted around 12 million unique monthly visitors in France. The €150 million fine represents approximately 2% of the company’s European revenue for 2023, clearly indicating that non-compliance carries substantial financial risk for companies of similar size and user reach.
Could This Happen Here as Well?
With this decision, the French authority sent a clear message: compliance with cookie rules is not a mere formality but a prerequisite for operating in the digital space. The decision highlights that simply offering a “Reject All” button or a settings panel is not enough — these tools must also function effectively in practice. It also signals that the authority looks beyond surface-level compliance and investigates how cookie settings work under the hood.
This ruling is relevant for the Hungarian market as well, given that Hungarian laws on cookie storage and usage fully align with EU regulations (such as the ePrivacy Directive and the GDPR) — the same legal foundations relied on by the French authority. Thus, the practices applied by Shein would almost certainly have violated Hungarian law as well. This foreshadows that similar audits could arise in Hungary, and sanctions comparable in scale to Shein’s fine are not out of the question.
What’s Next for Cookie Regulations?
In recent years, the EU’s cookie regulation framework has come under significant criticism. The European Commission has indicated that it may consider reducing the burden on companies regarding cookie compliance. Future EU legislation may move towards simpler, more streamlined solutions — for example, improving how consent is presented and transitioning from per-website consent banners to browser-level consent settings.
Such changes could eventually lead to cleaner, more centralized mechanisms, allowing users to set their preferences once, rather than facing repetitive pop-ups on every visited website.
However, until such reforms are enacted, the ePrivacy Directive and GDPR remain the applicable legal framework, and national authorities retain full powers to enforce compliance. Until new legislative solutions are adopted, the Shein case stands as a stark warning to all digital service providers: obtaining valid consent, ensuring meaningful transparency, and respecting user choice are not optional extras — they are fundamental legal obligations under EU law.
Failing to meet these obligations can result in regulatory action that takes a significant bite out of company revenues.