CNIL's €475 Million September 2025 Enforcement Wave Locked In France as Europe's Second-Biggest Privacy Enforcer — 2026 Will Test Whether Fines Produce Compliance

Following record fines against Google and Shein, France's data watchdog is leading a pan-European transparency drive in 2026, extending pressure well beyond cookie consent.

[Infographic: CNIL's Big Tech Enforcement in Numbers (People of Internet Research · France). Google CNIL fine: €325M; Shein CNIL fine: €150M; CNIL 2025 total fines: €487M; cumulative GDPR fines: €7.1B.]

France's Data Watchdog Found Its Fine Schedule

France's Commission Nationale de l'Informatique et des Libertés (CNIL) concluded September 2025 with two decisions that reshaped the European privacy enforcement landscape. Google received a combined €325 million fine — €200 million against Google LLC and €125 million against Google Ireland Limited — for embedding ads inside Gmail without prior consent and using asymmetric interface design to steer users toward accepting advertising cookies. Within the same month, Chinese fast-fashion retailer Shein was handed a €150 million penalty for placing advertising cookies on users' devices the moment they arrived at shein.com, before any consent interaction had taken place. The two decisions, together worth €475 million, pushed France past the billion-euro threshold in total lifetime GDPR and ePrivacy fines, making it only the second European country after Ireland to reach that mark.

These were not isolated incidents. The Google fine was the third cookie-related sanction CNIL has imposed on the company, following a €100 million fine in 2020 and a €150 million fine in 2021. The restricted committee — the CNIL body responsible for issuing sanctions — explicitly cited those earlier decisions as aggravating factors, noting that Google's dominant position in online advertising magnified the harm from each violation. The compliance order accompanying the fine required Google to stop displaying Gmail ads without prior consent and to redesign its account-creation cookie consent flow within six months, subject to a €100,000-per-day penalty for non-compliance.

Why France, Not Ireland?

The most consequential legal point in the Google decision may not be the fine amount at all. It is the regulator's confirmation that France's ePrivacy rules — transposed from the EU's 2002 ePrivacy Directive via Article 82 of the French Data Protection Act — operate entirely outside the GDPR's one-stop-shop mechanism. Under GDPR, companies designating Ireland or Luxembourg as their EU lead establishment can funnel most cross-border data complaints to those countries' DPAs, which has historically concentrated Big Tech enforcement in Dublin. But ePrivacy complaints belong to national regulators acting alone. Google could not invoke Ireland's Data Protection Commission as a shield. The same logic applied to Shein's Irish subsidiary: the ePrivacy violation was France's to prosecute.

This jurisdictional independence has significant strategic implications. Companies that assumed a favorable lead-authority relationship in Dublin now face a fragmented enforcement map across 27 member states for any conduct touching cookies, commercial prospecting, or device-level tracking. Germany, Spain, and Italy each have their own ePrivacy transpositions, and their enforcement records are growing.

The Strongest Case for CNIL's Approach

It is worth stating the regulators' argument on its own terms. The Google violations were not technical paperwork failures. CNIL found that 53 million French people were exposed to Gmail ads that mimicked personal email — triggering direct-marketing consent requirements under French law — while 74 million accounts had cookies set through interface designs that made refusal harder than acceptance. Shein's violations were more straightforward: advertising cookies loaded before users had any opportunity to express a preference. These are genuine consent failures at enormous scale.

The CNIL's escalating fine schedule for Google — €100 million, then €150 million, then €325 million — reflects a rational enforcement logic: a regulated entity that repeats the same violation after a formal sanction has demonstrated that the initial penalty was insufficient deterrence. On those facts, the proportionality argument in CNIL's favor is strong.

Where Enforcement Risks Overreach

That said, the direction of travel raises proportionality questions worth tracking. The Gmail ad case turned on a creative application of direct-marketing consent rules to what Google characterises as a user-interface design choice about sponsored messages within a free service. The legal analysis is defensible, but the enforcement outcome — requiring a redesign of core product features touching 74 million accounts — moves CNIL into territory where regulatory mandates begin shaping product architecture. France has not released detailed guidance on what a compliant Gmail ad interface would actually look like, creating genuine uncertainty for any platform running ad-supported free services.

The Shein fine is cleaner as a legal matter: pre-consent cookie loading is an unambiguous violation. But a €150 million figure for conduct remediable through a straightforward consent-mechanism update raises a calibration question. Regulatory penalties that exceed the cost of compliance by orders of magnitude shift the DPA's role from enforcement body to revenue institution — a dynamic that can corrode legitimacy over time and create perverse incentives to fight rather than fix.

What 2026 Brings

France is not finished. CNIL's 2026 domestic enforcement priorities include recruitment practices — particularly large employers' use of automated decision-making tools in hiring — and sports federations handling health data. Its 2026 total sanctions, including a €27 million fine against Free Mobile and a €15 million fine against Free Landline for data security failures in January, are already accumulating.

More significantly, the European Data Protection Board selected GDPR transparency — Articles 12, 13, and 14, which govern how data subjects are informed about processing — as the focus of its 2026 Coordinated Enforcement Framework (CEF). Twenty-five European DPAs are participating, and CNIL is a leading contributor. The EDPB expects to pool national findings in the second half of 2026, with a report that will guide follow-up enforcement across member states.

For Big Tech platforms, this means 2026 enforcement attention shifts from cookie banners specifically to whether privacy notices adequately describe processing purposes, retention periods, and third-party sharing arrangements. That obligation is harder to satisfy with a one-time disclosure redesign because it requires continuous maintenance as data practices evolve.

Cumulative GDPR fines across Europe have now reached €7.1 billion since the regulation took effect in May 2018, with the first half of 2026 adding more than €600 million to that total and breach notification volume running 22% higher year-on-year. France is positioned as a primary contributor to that acceleration. Whether the aggregate pressure produces meaningfully better data practices for European users — or primarily redirects compliance budgets toward lawyers rather than product improvements — remains the open question that European privacy law has never cleanly resolved.
