Fashion and luxury newsletter

CNIL imposes €150 million fine on SHEIN for cookie consent breaches

On September 01, 2025, the French Data Protection Authority (CNIL) fined INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary of the SHEIN group, €150 million for failing to comply with rules on cookies placed on users’ devices when visiting shein.com.

The CNIL began its investigation with an inspection carried out in August 2023. After investigating, the CNIL found that the company infringed Article 82 of the French Data Protection Act which governs rights and obligations regarding data processing in the electronic communications sector. In particular, the company placed cookies on users’ devices without their consent, failed to respect users’ choices and did not provide users with adequate information. In reaching its decision, the CNIL also considered the massive scale of the data processing, with shein.com attracting an average of 12 million monthly visitors in France.

Specifically, the CNIL found that:

• Advertising cookies were placed on users’ devices before users gave consent;
• Two cookie banners displayed on the shein.com website were incomplete, as they failed to provide information about the purposes of the cookies;
• The second-level information available through “Cookie settings” did not disclose the identity of third parties likely to place cookies on users’ devices; and
• Mechanisms for users to refuse or withdraw consent were ineffective, with cookies continuing to be placed or read even when users selected “Refuse all” or withdrew consent.

This case confirms the CNIL’s strict approach to cookie compliance and the significant consequences of breaches, both financial and reputational, for companies operating in the French market.

Austria’s BWB requests €400,000 fine against Pfanner Schutzbekleidung for imposing minimum resale prices

On August 25, 2025, the Austrian Federal Competition Authority (BWB) filed an application with Austria’s Cartel Court to impose a fine of €400,000 against Pfanner Schutzbekleidung GmbH, Protos GmbH and their parent company Anton Pfanner Holding AG. According to the BWB, Pfanner Schutzbekleidung required retailers to maintain fixed resale prices for its protective clothing, including trousers, jackets, shirts, safety shoes and helmets, by demanding “price stability” and monitoring compliance when retailers offered lower online prices or complained about competitor retailers’ discounts. The case was investigated in cooperation with the German Federal Cartel Office, which had already fined Pfanner Schutzbekleidung in 2024 for similar conduct.

Under the Austrian Cartel Act, practices that restrict or distort competition, including resale price maintenance agreements, are prohibited. Upon request by the BWB, Austria’s Cartel Court may impose fines of up to 10 per cent of a company’s total turnover in the preceding financial year for an infringement. The actual level of any fine is determined by taking into account, inter alia, the gravity and duration of the infringement, the economic capacity of the company and its cooperation with the authority.

Zalando confirmed as “very large online platform” by EU General Court

On September 03, 2025, the EU General Court (Case T-348/23) dismissed Zalando’s appeal against the European Commission’s 2023 decision designating its platform as a “very large online platform” (VLOP) under Article 33 of the Digital Services Act (DSA). The Commission had found that Zalando had more than 83 million average monthly active recipients in the EU, far above the 45-million threshold for designation.

The General Court held that Zalando qualifies as an “online platform” in relation to its Partner Programme (third-party sellers) but not for its own retail sales. The General Court also rejected Zalando’s arguments that the DSA provisions on VLOP designation violated the principles of legal certainty, equal treatment and proportionality. It underlined that marketplaces can be used to facilitate the marketing of dangerous or illegal products to a significant part of the EU population once the 45-million threshold is reached. Zalando stated that its model does not present the systemic risks of disseminating harmful or illegal content typically associated with VLOPs. The company also highlighted ongoing uncertainty regarding the methodology for calculating “active recipients” and called for clearer, harmonised definitions. Zalando has announced its intention to appeal the General Court’s judgment.

The judgment confirms the Commission’s wide discretion in applying the DSA’s VLOP designation criteria and highlights that platforms surpassing the 45-million threshold must be ready to comply with enhanced obligations regarding consumer protection and tackling illegal content.