INFINITE STYLES SERVICES CO. LIMITED – €150,000,000 Fine (France, 2025)

€150,000,000Commission Nationale de l'Informatique et des Libertés1 September 2025France
final
ePrivacy
Fine

INFINITE STYLES SERVICES CO. LIMITED was fined €150 million for violating cookie consent rules on its website. The company made it hard for users to reject cookies and placed them without proper consent. This ruling serves as a warning for online businesses to ensure clear cookie consent practices.

What happened

The company was fined for placing cookies on its website without obtaining user consent.

Who was affected

Website visitors who were tracked by cookies on the SHEIN website without their consent.

What the authority found

The French Data Protection Authority found that the company failed to comply with ePrivacy rules regarding cookie consent.

Why this matters

This significant fine shows that companies must prioritize user consent for cookies. Online businesses should review their cookie practices to avoid similar penalties.

National Law Articles

AI-identified

Article 82 of the French Data Protection Act
Source verified 2 April 2026
articles corrected
national law identified
France enforcementCommission Nationale de l'Informatique et des Libertés actionsAll INFINITE STYLES SERVICES CO. LIMITED actions
Full Legal Summary
Detailed

SHEIN is a company that sells clothing via its website “shein.com”. This website is managed by INFINITE STYLES SERVICES CO. LIMITED (based in Ireland, the controller) for the European territory. It is a subsidiary of by ROADGET BUSINESS PTE, which is based in Singapore. Its French establishment INFINITE STYLES ECOMMERCE FRANCE is wholly owned by the Irish subsidiary, and promotes SHEIN products in France. The DPA carried out an ex-officio investigation in July 2023, regarding the controller’s website and cookie related violations. The controller argued that the DPA was not competent, because the cookies involved processing of personal data and therefore the GDPR was applicable. This meant the Irish DPA was competent under the one-stop-shop mechanism. In addition, the controller argued that INFINITE STYLES ECOMMERCE FRANCE cannot be considered an establishment within the meaning of the CJEU’s decision in Weltimmo. In addition, the controller denied placing cookies without the data subjects’ consent. The DPA first established INFINITE STYLES SERVICES CO. LIMITED as the controller, in accordance with Article 4(7) GDPR. This is because the company manages the website domains in the EU, a fact that is specified in its privacy policy. The CNIL also clarified matters of material and territorial competence; the case fell under the scope of the ePrivacy Directive, as setting cookies were set in the context of publicly available electronic communications services through a public electronic communications network. In the absence of a one stop shop mechanism, the DPA was responsible for monitoring the application of the ePrivacy Directive regarding processing in the context of the activities of an establishment of a cross-border entity on French territory. The DPA dismissed the controller’s arguments on the lack of establishment in France, as the French location belonged to the same group as the controller and pursued the same economic interests. The DPA also referred to th

Violations (6)

No Reject Button
critical

Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.

Art. 7 GDPR

Reject Harder Than Accept
critical

Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.

Art. 7 GDPR

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Cannot Withdraw Cookie Consent
critical

No accessible mechanism exists for users to withdraw previously given cookie consent.

Art. 7(3) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for INFINITE STYLES SERVICES CO. LIMITED in FR

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

unknown (claimant)

2021 · DPA OLGLinz

Details

Fine Date

1 September 2025

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€150,000,000

GDPRhub ID

gdprhub-9506

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 100%

Cite as: Cookie Fines. INFINITE STYLES SERVICES CO. LIMITED - France (2025). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: