France’s data protection authority has fined three major companies, Google, Shein, and PayPal, a combined €486 million for violations of national privacy law governing the use of personal data. The penalties follow investigations into how the companies collected and shared information from users’ devices for advertising and analytics purposes without sufficient legal basis or transparency.
The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), said that Google’s fine of €250 million was tied to its use of data collected from users’ Android devices for targeted advertising. CNIL found that Google did not obtain valid consent from users for certain processing operations and failed to present clear and accessible information about those activities.
Shein, the online fashion retailer, received a €150 million fine related to its mobile application and website. CNIL said it identified shortcomings in how Shein informed users about the collection of personal information and how that data was used for personalised marketing. The regulator also cited inadequate mechanisms for obtaining users’ consent.
PayPal was fined €86 million for data practices that involved processing user data without a proper legal basis and failing to provide sufficient transparency about sharing personal information with third parties. CNIL said the violations affected users across France and noted that the level of penalties reflected both the scale of the companies’ operations and the duration of non-compliant processing.
Under the EU’s General Data Protection Regulation (GDPR) and France’s national data protection law, organisations must provide clear information to users about how their personal data is collected, processed, and shared. CNIL said the companies’ privacy notices and consent mechanisms did not meet those requirements.
CNIL said it considered factors including the number of users affected, the nature of the data involved, and the duration of the violations in determining the size of each fine. The regulator also imposed deadlines for the companies to bring their data processing practices into compliance and warned that further sanctions could follow if issues persist.
All three companies said they are reviewing the decisions and may contest aspects of the findings. Google said it is committed to user privacy and continually updates its policies and tools. Shein said it engages with regulators and is working to align its practices with applicable law. PayPal said it takes data protection seriously and will assess the ruling.
Privacy advocates welcomed the fines as a reaffirmation of regulators’ authority to enforce transparency and consent requirements. They said clear and accessible information about data use is essential for user control over personal information in digital services.
CNIL’s action is part of a broader regulatory push in Europe this year to hold technology and e-commerce platforms accountable for user privacy practices. Enforcement of GDPR and related national rules has increased scrutiny of how companies leverage personal data for advertising, analytics, and personalised services.
