In the first instalment of this series we reviewed the lower‑value fines imposed for cookie‑consent violations. The remaining cases involve significantly higher penalties and illustrate how regulators respond to persistent or large‑scale infringements. Below are the top five cases with the largest fines, ordered from lowest to highest.
6 – Facebook Ireland – fine of €60 million (CNIL, France, 2022)
On 11 January 2022, CNIL announced that the websites facebook.com, google.fr and youtube.com provided a one‑click button to accept cookies but no equivalent mechanism to refuse them. Users had to make several clicks to refuse cookies, which affected the freedom of their consent. CNIL’s restricted committee ruled that this practice violated Article 82 of the French Data Protection Act and fined Facebook Ireland Limited €60 million. The company was ordered to implement a refusal option that is as simple as the acceptance button; otherwise it would face additional daily penalties.
7 – Google (search engine – 2020) – fine of €100 million (CNIL/Conseil d’État, France)
In December 2020, CNIL fined Google LLC and Google Ireland Limited €100 million in total for setting advertising cookies on google.fr without valid consent. The authority’s audit found that seven cookies were automatically installed when a user visited the site; four were used only for advertising, and users were not clearly informed of their purposes or how to object. Google challenged the decision, but in January 2022 the French Conseil d’État upheld CNIL’s findings: it ruled that Google lacked clear information, failed to obtain prior consent and provided a defective refusal mechanism. The decision confirmed that the fine was proportionate given the profits generated from advertising cookies and Google’s dominant market position in France.
8 – Google LLC & Google Ireland Limited – fine of €150 million (CNIL, France, 2022)
During the same 2022 enforcement wave, CNIL determined that Google’s websites made it significantly easier to accept cookies than to refuse them. The cookie banner on google.fr, youtube.com and other services allowed users to accept cookies with a single click but required several clicks to decline them. CNIL held that this asymmetry undermined the user’s freedom of choice, contravening Article 82. Consequently the regulator imposed a combined €150 million fine — €90 million on Google LLC and €60 million on Google Ireland Limited. Google was given three months to provide a clear “refuse all” option or face a penalty of €100 000 per day.
9 – Shein (Infinite Styles Services Co., Shein’s Irish subsidiary) – fine of €150 million (CNIL, France, 2025)
Fast‑fashion giant Shein was sanctioned by CNIL in September 2025 for multiple cookie breaches. Investigators found that the company’s Irish subsidiary, Infinite Styles Services Co. Ltd., placed advertising cookies without consent, displayed incomplete cookie banners and failed to respect users’ choices. CNIL noted that Shein’s site attracted around 12 million monthly visitors, underscoring the scale of the processing. Because of these serious and repeated violations, CNIL imposed a record €150 million fine. The decision emphasised the company’s central role in online fashion and ordered it to bring its cookie practices into compliance.
10 – Google – Gmail ads and account creation – fine of €325 million (CNIL, France, 2025)
The largest cookie‑related sanction to date was issued in September 2025. CNIL fined Google LLC €200 million and Google Ireland Limited €125 million — €325 million in total — for inserting advertisements into Gmail’s “Promotions” and “Social” tabs and for collecting invalid consent when users created Google accounts. The authority found that the ads resembled private emails and constituted direct marketing requiring prior consent, while the account‑creation process nudged users into accepting personalised advertising cookies through dark patterns. CNIL’s decision explained that consent was neither free nor informed and highlighted Google’s large market share and prior cookie fines as aggravating factors. The regulator ordered Google to stop displaying email‑like ads without consent and to implement valid cookie consent mechanisms.
Conclusion of Part 2
The high‑value fines against Facebook, Google and Shein demonstrate that regulators will impose substantial penalties when companies persistently violate cookie‑consent rules or leverage their market dominance to collect data unfairly. The €325 million sanction against Google underscores a growing intolerance of “dark patterns” and embedded advertising. Together, these cases show that compliant cookie banners, clear information and respect for user choices are essential to avoid costly litigation and protect user privacy.