Lou Castera
Shein sanctioned by the CNIL: GDPR lessons for retail brands
Shein sanctioned in France: a serious alert for digital retail players
On July 10, 2025, the CNIL hit hard by demanding a record fine of 150 million euros against Shein, for non-compliance with cookie rules. An emblematic case that goes beyond the simple legal framework: it questions all brands — whether digital or physical — about their responsibility for personal data. In a context where the RGPD is establishing itself as an essential European standard, this decision sounds like A warning for modern retail, including in its most innovative formats such as Pop-up stores.
A fine of 150 million euros for violating cookie rules
The Chinese low-cost fashion giant Shein is in the spotlight after the CNIL requested a financial penalty of 150 million euros. The reason: the non-compliance with the French legal framework concerning the use of cookies and advertising trackers. According to the investigation carried out, Shein would have collected the browsing data of its users without their explicit consent, a serious offense under RGPD. This indictment illustrates to what extent the protection of personal data has become a major compliance issue for brands, especially those that operate massively online.
A warning for international e-retailers
While Shein is regularly criticized for its production conditions or its ecological impact, this The case highlights a more technical but just as crucial facet: respect for the privacy of Internet users. For international retailers who aim to set up in France or Europe, this type of sanction is a reminder that local standards — in particular in terms of data — cannot be ignored. It also confirms the rise in power of European supervisory authorities in the face of digital giants.
Pop-up stores and respect for data: a growing challenge for brands
Even for brands operating in physical form via ephemeral formats such as Pop-up stores, the collection of customer data (WiFi, tablets, tablets, CRM, analytics) has become essential. This requires the implementation of systems that respect the standards of the RGPD: clear consent, transparency, visible privacy policy.
GDPR & retail: what the law says, what brands should do
Key figures to remember:
- €150 MILLION : fine required against Shein by the CNIL for non-compliance with cookie rules.
- 62% of French people say they are concerned about the use of their personal data (source: IFOP 2024).
- +70% connected pop-up stores collect customer data (via QR codes, tablets, newsletters, etc.).
GDPR best practices for retail brands (physical and digital):
- Inform clearly visitors (in-store signage, mentions on screen or tablet).
- Obtaining explicit consent before any collection (via pop-up cookie or check box).
- Allow access, modification, and deletion data at any time.
- Limiting shelf life personal data to what is strictly necessary.
- Working with compliant providers (CRM, analytics tools, hosts...).
In summary, the Shein case recalls that the digital compliance is no longer optional, even for international leaders. For physical and digital brands, integrating the requirements of the GDPR into their retail strategies — including pop-up stores — is becoming a guarantee of credibility and performance. By adopting a transparent and responsible approach, retailers are strengthening the trust of their customers and protect themselves against sanctions. At Nestore, we believe that innovative retail is above all respectful retail.
.webp)
