Record-Breaking Cookie Fines Defined 2025
The year 2025 marked a turning point in cookie consent enforcement. The CNIL - France's data protection authority - issued 83 sanctions totalling approximately EUR 486.8 million, with cookie violations and advertising trackers accounting for the bulk of that figure. Across Europe, regulators sent an unmistakable signal: cookie consent rules under Article 5(3) of the ePrivacy Directive are not optional, and the fines for ignoring them have grown substantially.
This shift did not happen overnight. The CNIL has been escalating cookie-related penalties since 2020, and other European DPAs have followed suit. But the scale of fines in 2025 - and the early signs from 2026 - suggest that enforcement has entered a new phase.
The Biggest Cookie Fines of 2025
Three enforcement actions from September and November 2025 dominated the headlines. Each targeted a different type of violation, but they shared a common thread: cookies fired before consent was given, and refusal mechanisms that did not actually work.
Google - EUR 325 Million (CNIL, September 2025)
The CNIL fined Google EUR 325 million for two distinct violations. Google displayed promotional advertisements between emails in Gmail inboxes without obtaining prior consent - a practice that affected an estimated 53 million people in France. The investigation also found that during Google account creation, the consent interface steered users toward accepting personalised advertising cookies without clearly explaining what they were agreeing to.
This was not Google's first CNIL cookie fine. The authority previously fined Google EUR 100 million in 2020 and EUR 150 million in 2021 for similar violations. The escalating trajectory is worth attention: repeated non-compliance leads to progressively higher penalties.
SHEIN - EUR 150 Million (CNIL, September 2025)
The CNIL fined SHEIN's Irish subsidiary, Infinite Styles Services Co. Limited, EUR 150 million after inspectors found advertising cookies landing on visitor devices the moment they arrived on shein.com - before any interaction with the consent banner. The banner itself offered a "Reject all" button, but clicking it did not prevent new cookies from being placed. Previously deposited cookies continued to be read even after users withdrew consent.
The scale of the processing played a role in determining the fine amount. SHEIN's website attracted an average of 12 million monthly visitors from France alone.
Information provided to users was also inadequate. The banner lacked detail about the advertising purposes of cookies, and no information about third-party cookie providers was available at the second level of the consent interface.
American Express - EUR 1.5 Million (CNIL, November 2025)
A smaller but instructive case came on 27 November 2025, when the CNIL fined American Express Carte France EUR 1.5 million. Inspectors found three separate failures: advertising cookies placed before the user made any choice, cookies placed despite an explicit refusal, and cookies continuing to be read after the user withdrew consent. The investigation originated from inspections carried out in January 2023, illustrating that enforcement timelines can span years.
Summary of Major Cookie Fines in 2025
| Organisation | DPA | Date | Fine (EUR) | Key Violation |
|---|---|---|---|---|
| Google (Gmail ads) | CNIL | Sept 2025 | 325,000,000 | Ads without consent, manipulative consent design |
| SHEIN | CNIL | Sept 2025 | 150,000,000 | Cookies before consent, non-functional reject button |
| American Express | CNIL | Nov 2025 | 1,500,000 | Cookies despite refusal, reading after consent withdrawal |
Early 2026: Enforcement Continues
The pace has not slowed. In January 2026, the CNIL issued fines of EUR 27 million against Free Mobile and EUR 15 million against Free for data protection violations. While these penalties addressed broader data handling issues, they confirm the CNIL's sustained appetite for large-scale enforcement.
Across the Channel, the UK's Information Commissioner's Office took a different approach in 2025. Rather than issuing fines, the ICO launched a compliance review campaign targeting the top 1,000 UK websites. By December 2025, the ICO reported that over 95 per cent of reviewed sites met its cookie compliance standards - a result achieved through engagement rather than penalties.
That said, the regulatory picture in the UK is shifting. The Data Use and Access Act 2025 will align maximum PECR fines with UK GDPR levels - up to GBP 17.5 million or 4 per cent of global turnover. Once commenced, this gives the ICO significantly more firepower for cookie enforcement.
Common Violations Behind the Fines
Patterns repeat across nearly every enforcement action. Understanding these common failures is the most practical way to reduce your own risk.
Cookies Firing Before Consent
The single most frequent violation is placing cookies - particularly advertising trackers like _fbp or _gcl_au - on the user's device before they interact with the consent banner. Both the SHEIN and American Express cases involved this exact issue. Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's device requires prior consent unless the cookie is strictly necessary for the service requested.
Reject Buttons That Do Not Work
Offering a "Reject all" button that fails to block cookies is worse than not offering one at all, because it creates a false impression of user control. SHEIN's consent banner included a reject option, but new cookies were still placed after the user clicked it. This is a technical failure that regulators treat as a substantive consent violation.
Consent Withdrawal Ignored
Both the SHEIN and American Express cases revealed that cookies continued to be read after users withdrew their consent. Valid consent under GDPR Article 7 requires that withdrawing consent be as easy as giving it - and that withdrawal actually takes effect.
Dark Patterns in Consent Interfaces
Google's fine partly stemmed from a consent design that nudged users toward accepting personalised advertising. Dark patterns in cookie banners - such as hiding the reject option, using confusing language, or making acceptance visually prominent while burying refusal - have become a distinct enforcement target. The EDPB has published guidance making clear that consent obtained through manipulative design is not freely given.
What These Fines Mean for Your Website
You do not need to be a multinational retailer to face enforcement. DPAs have increasingly turned their attention to smaller organisations, and complaint-driven investigations can target any website. The violations that attracted nine-figure fines against Google and SHEIN are technically identical to what happens on thousands of smaller sites every day.
Test Your Implementation, Not Just Your Banner
A consent banner is only compliant if it actually controls cookie behaviour. Use browser developer tools to verify that no marketing cookies or analytics cookies fire before the user grants consent. Testing your cookie banner should be a regular part of your compliance workflow - not a one-off task during initial setup.
Audit Third-Party Scripts Regularly
Third-party tags are the most common source of pre-consent cookie placement. A marketing team adding a new tracking pixel can undo months of compliance work. Run periodic cookie audits to catch scripts that bypass your consent mechanism, and use automated cookie scanning to detect changes between audits.
Document Everything
If a DPA opens an investigation, your consent records and audit trail are your primary defence. Keep logs of when consent was given, what categories were accepted, and when consent was withdrawn. Store scan results and banner configuration history.
Enforcement Trends to Watch in 2026
Several developments suggest that cookie enforcement will intensify rather than plateau.
The CNIL's action plan, running since 2019, continues to prioritise cookies. With total cookie-related fines growing year over year, there is no indication that the authority plans to ease off. The CNIL has explicitly stated that cookie rules are well established and organisations can no longer claim ignorance.
The EU Omnibus Directive proposal may eventually simplify cookie consent requirements, but any legislative changes are years away from taking effect. Until then, current rules remain fully enforceable.
Cross-border coordination between DPAs is also growing. The TikTok fine of EUR 530 million by Ireland's Data Protection Commission in May 2025 - while focused on data transfers rather than cookies - demonstrated the scale of penalties that the one-stop-shop mechanism can produce.
Repeat offenders face escalating penalties. Google's CNIL fines rose from EUR 100 million in 2020 to EUR 325 million in 2025. Organisations that fail to correct issues after a first sanction should expect substantially higher amounts on subsequent violations.
Frequently Asked Questions
What was the largest cookie consent fine in 2025?
The CNIL fined Google EUR 325 million in September 2025 for displaying advertisements in Gmail without consent and for using manipulative cookie consent interfaces during account creation.
Can small websites receive cookie consent fines?
Yes. DPAs can investigate any organisation that processes personal data, regardless of size. Complaint-driven investigations are common, and the same technical violations found in large-scale cases apply to smaller websites.
What happens if my reject button does not actually block cookies?
Regulators treat non-functional reject mechanisms as a consent violation. Both the SHEIN and American Express fines involved cookies being placed despite users clicking "Reject all". You must verify that your consent mechanism technically prevents cookie placement when users decline.
How do I check if cookies fire before consent on my site?
Open your browser's developer tools, clear all cookies, then load your site without interacting with the consent banner. Check the Application and Network tabs for any non-essential cookies. Automated scanning tools can also detect pre-consent cookie placement.
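The pre-consent check described above (and in "Test Your Implementation"), together with the audit trail from "Document Everything", as one added JavaScript example that is not part of the original article: it audits a constructed list of cookie names seen before any banner interaction, and models a consent gate that refuses to place non-essential cookies before consent, purges them on "Reject all" or withdrawal, and logs each decision. The cookie-to-category map, the "necessary" allowlist and the in-memory cookie jar are assumptions for the demo, so it runs under Node without a browser.

```javascript
// Added example (not the article's or Kukie.io's code): a minimal consent
// gate over a simulated cookie jar. Cookie names are the ones the article
// mentions; their categories are a constructed assumption for the demo.
const CATEGORY_OF = {
  session_id: 'necessary',     // assumed strictly necessary
  consent_state: 'necessary',  // stores the user's own choice
  _ga: 'analytics',
  _fbp: 'marketing',
  _gcl_au: 'marketing',
};

function categoryOf(name) {
  // Unknown cookies are treated as non-essential, never as necessary.
  return CATEGORY_OF[name] || 'unknown';
}

// The article's check: with cookies cleared and no banner interaction,
// anything observed that is not strictly necessary is a violation.
function auditPreConsent(observedNames) {
  return observedNames.filter((n) => categoryOf(n) !== 'necessary');
}

class ConsentGate {
  constructor(now = () => new Date().toISOString()) {
    this.jar = new Map();      // stands in for document.cookie
    this.granted = new Set();  // categories the user has opted in to
    this.records = [];         // audit trail: what was decided, and when
    this.now = now;
  }
  allowed(name) {
    const cat = categoryOf(name);
    return cat === 'necessary' || this.granted.has(cat);
  }
  // Placement is gated: returns false (and sets nothing) before consent.
  setCookie(name, value) {
    if (!this.allowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }
  // Reading is gated too, so a cookie whose consent was withdrawn is not used.
  getCookie(name) {
    return this.allowed(name) ? this.jar.get(name) : undefined;
  }
  // Record the decision, then purge everything not covered by it, so that
  // "Reject all" and withdrawal actually take effect rather than only logging.
  decide(categories, action) {
    this.granted = new Set(categories);
    this.records.push({ at: this.now(), action, categories: [...categories] });
    for (const name of [...this.jar.keys()]) {
      if (!this.allowed(name)) this.jar.delete(name);
    }
  }
  acceptAll() { this.decide(['analytics', 'marketing'], 'accept_all'); }
  rejectAll() { this.decide([], 'reject_all'); }
  withdraw() { this.decide([], 'withdraw'); }
}
```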
Does the UK ICO fine websites for cookie violations?
The ICO has historically favoured engagement over fines for cookie violations, with a maximum PECR fine of GBP 500,000. The Data Use and Access Act 2025 will raise this cap to GBP 17.5 million or 4 per cent of global turnover once the relevant provisions are commenced.
Which cookies require consent under the ePrivacy Directive?
All cookies require consent except those strictly necessary for the service explicitly requested by the user. This means analytics, marketing, and personalisation cookies all need prior opt-in consent before being placed on the user's device.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.