
Lou Castera
Shein sanctioned by the CNIL: GDPR lessons for retail brands
Shein fined in France: a serious warning for digital retail players
On July 10, 2025, the CNIL struck hard by demanding a record fine of 150 million euros against Shein for non-compliance with cookie rules. This emblematic case goes beyond the simple legal framework: it questions all brands – whether digital or physical – on their responsibility regarding personal data. In a context where the GDPR is establishing itself as an essential European standard, this decision sounds like a warning for modern retail, including in its most innovative formats such as pop-up stores.

€150 million fine for breaching cookie rules
Chinese low-cost fashion giant Shein is under the spotlight after the CNIL (French Data Protection Authority) requested a €150 million financial penalty. The reason: failure to comply with French legal frameworks regarding the use of cookies and advertising trackers. According to the investigation, Shein allegedly collected users' browsing data without their explicit consent, a serious violation under the GDPR. This accusation illustrates the extent to which personal data protection has become a major compliance issue for brands, particularly those that operate heavily online.
A warning for international e-tailers
While Shein is regularly criticized for its production conditions and its environmental impact, this case highlights a more technical but equally crucial aspect: respect for the privacy of Internet users. For international retailers aiming to establish themselves in France or Europe, this type of sanction reminds us that local standards – particularly regarding data – cannot be ignored. It also confirms the growing power of European supervisory authorities in the face of digital giants.
Pop-up stores and data protection: a growing challenge for brands
Even for brands operating in physical locations through temporary formats like pop-up stores, collecting customer data (WiFi, tablets, CRM, analytics) has become essential. This requires implementing systems that comply with GDPR standards: clear consent, transparency, and a visible privacy policy.
GDPR & Retail: What the Law Says, What Brands Must Do
Key figures to remember:
- €150 million: fine requested against Shein by the CNIL for non-compliance with cookie rules.
- 62% of French people say they are concerned about the use of their personal data (source: IFOP 2024).
- +70% of connected pop-up stores collect customer data (via QR codes, tablets, newsletters, etc.).
GDPR best practices for retail brands (physical and digital):
- Clearly inform visitors (in-store signage, information on screen or tablet).
- Obtain explicit consent before any collection (via a cookie pop-up or a checkbox).
- Allow access, modification and deletion of data at any time.
- Limit the retention period of personal data to what is strictly necessary.
- Work with compliant service providers (CRM, analytics tools, hosts, etc.).
In short, the Shein case is a reminder that digital compliance is no longer optional, even for international leaders. For both physical and digital brands, integrating GDPR requirements into their retail strategies—including pop-up stores—is becoming a guarantee of credibility and performance. By adopting a transparent and responsible approach, brands strengthen customer trust and protect themselves against sanctions. At Nestore, we believe that innovative retail is, above all, respectful retail.