On 3 September 2025, the French regulator CNIL issued two of its largest fines to date: €325 million against Google and €150 million against Shein. Both cases have one thing in common: user consent was ignored.
Google was fined €325 million for inserting ads between Gmail emails without prior consent and for cookie choices during account creation that didn’t meet valid consent standards. CNIL also ordered the company to correct these practices within six months, with a penalty of €100,000 per day applying thereafter if it fails to comply.
Shein’s case was different but equally clear. The retailer was fined €150 million for placing cookies on arrival, continuing after ‘reject all,’ and providing incomplete information.
The Commission nationale de l’informatique et des libertés (CNIL) is France’s independent data protection authority, responsible for enforcing the GDPR and the ePrivacy Directive. CNIL reported that more than 74 million accounts in France were affected, and 53 million users saw Gmail ads in their inbox tabs. Its rulings underline one principle: consent cannot be a surface exercise – a banner alone does not equal compliance. It must be enforced as a technical requirement.
When consent fails, compliance fails
Under the GDPR and Article 5(3) of the ePrivacy Directive, nothing may be stored on or read from a visitor's device for tracking purposes until the user has given consent that is freely given, specific, informed and unambiguous. That means banners alone are not enough. The technical setup behind them must guarantee that nothing fires before a choice is made, that "reject" means no tracking at all, and that consent can be withdrawn at any time, as easily as it was given, with withdrawal taking effect immediately.
CNIL’s latest decisions make clear that shortcuts will not be tolerated. When regulators investigate, they are looking not just at how a banner looks on screen, but at whether scripts, cookies, and pixels are blocked until the visitor has agreed.
The problem of “consent theatre”
These fines also highlight a wider issue across the web: consent theatre. This is when websites present users with a choice, but still allow trackers to fire in the background or make it harder to refuse than to accept. Shein’s cookies placed on arrival (and after refusal) and Google’s advertising inside Gmail are both examples of practices that look legitimate on the surface but fail the test of real compliance.
For regulators, this gap between appearance and enforcement undermines the entire idea of informed consent. For businesses, it creates a legal and reputational risk that is now measured in hundreds of millions of euros.
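The enforcement point made above (and the "consent theatre" failure just described) comes down to a small amount of logic that most sites get wrong: which tags may run under the current decision, and which cookies are present that should not be. The following is an added example, not code from the page or from AesirX, written as pure functions so the policy can be unit-tested outside a browser. The tag inventory, category names, cookie names and the `data-consent-id`/`data-src` attribute convention are all constructed for illustration.

```javascript
// Added example (not AesirX code): a consent gate as pure functions, so the rule
// "no decision or reject means essential-only" can be verified without a browser.
// Tag names, categories and cookie names here are constructed for illustration.

const ESSENTIAL = "essential";

// Constructed inventory: each tag the site loads, the consent category it
// belongs to, and the cookies it is known to set.
const TAG_INVENTORY = [
  { id: "session-js",   category: ESSENTIAL,     cookies: ["sid"] },
  { id: "analytics-js", category: "analytics",   cookies: ["_ga", "_gid"] },
  { id: "ads-pixel",    category: "advertising", cookies: ["_fbp", "IDE"] },
];

// Resolve a stored decision to the set of permitted categories. No decision
// yet (null) and "reject all" both collapse to essential-only: the safe default.
function allowedCategories(decision) {
  const allowed = new Set([ESSENTIAL]);
  if (decision && decision.categories) {
    for (const [cat, on] of Object.entries(decision.categories)) {
      if (on === true) allowed.add(cat);
    }
  }
  return allowed;
}

// Ids of inert tags that may be activated under the current decision.
function tagsToActivate(inventory, decision) {
  const allowed = allowedCategories(decision);
  return inventory.filter((t) => allowed.has(t.category)).map((t) => t.id);
}

// Cookie names from a document.cookie / Cookie-header style string.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((s) => s.trim().split("=")[0])
    .filter(Boolean);
}

// Cookies present on the client that belong to a category the visitor has not
// opted into. A non-empty result before any decision, or after "reject all",
// is exactly the consent-theatre condition; after withdrawal it is the purge list.
function unauthorizedCookies(inventory, decision, cookieString) {
  const allowed = allowedCategories(decision);
  const present = new Set(cookieNames(cookieString));
  const bad = [];
  for (const tag of inventory) {
    if (allowed.has(tag.category)) continue;
    for (const c of tag.cookies) if (present.has(c)) bad.push(c);
  }
  return bad;
}

// Append-only decision record for the audit trail (timestamp is ISO-8601 UTC).
function recordDecision(log, action, categories, now = new Date()) {
  const entry = { ts: now.toISOString(), action, categories: { ...categories } };
  log.push(entry);
  return entry;
}

// Browser glue. Scripts are authored inert as
//   <script type="text/plain" data-consent-id="analytics-js" data-src="..."></script>
// and only become real scripts here; unauthorized cookies are expired so that
// "reject" and withdrawal actually remove tracking state already on the device.
function applyToDom(doc, inventory, decision) {
  const ids = new Set(tagsToActivate(inventory, decision));
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent-id]')) {
    if (!ids.has(el.dataset.consentId)) continue;
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
  }
  for (const name of unauthorizedCookies(inventory, decision, doc.cookie)) {
    doc.cookie = `${name}=; Max-Age=0; Path=/`;
  }
}

// On first load there is no decision, so only essential tags are activated.
if (typeof document !== "undefined") {
  applyToDom(document, TAG_INVENTORY, null);
}
```

The useful check for an existing site is `unauthorizedCookies` run against `document.cookie` on first load and again after clicking "reject all": anything it returns is a tracker that fired without consent, which is what CNIL's investigators are looking for. Note that the inventory has to be kept honest; a tag that is missing from it is simply not governed.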
CMPs under scrutiny
With €475 million in fines handed down in a single day, CNIL has made its position clear. Consent must be enforced, not performed. Businesses that fail to recognise this are taking risks that can no longer be ignored, exposing themselves to escalating penalties and loss of user trust.
The lesson is simple: a compliant Consent Management Platform (CMP) with privacy-first enforcement built in is essential. Check your consent setup carefully, because if your CMP isn’t technically blocking trackers until consent, it isn’t protecting you.
How AesirX Consent Management Platform helps you stay compliant
AesirX CMP was built to address the exact compliance gaps exposed by CNIL's rulings. Here's how it works in practice: it blocks every non-essential tracker until consent is given, records each decision in verifiable logs, and keeps those records under the site owner's control as first-party data.
This design avoids pre-consent leakage and provides the audit trail regulators expect. It means compliance is not just a banner but a working system that respects user choice at every stage.
The features below show how AesirX CMP delivers the enforcement regulators demand in practice:
| Feature | Benefit |
| --- | --- |
| AI Privacy Advisor | Scans before and after consent, detects all unauthorized tracking, and blocks it from the first page load. |
| 1-Click AI Auto-Blocking | Apply blocking rules in one click with AI setup to block non-essential tracking for GDPR/ePD 5(3). |
| Audit-Ready Logs | Log every consent, rejection, and withdrawal with timestamps, export reports, and optionally anchor records on a blockchain for tamper-resistant verification. |
| Region-Based Rules | Adapt consent logic by region, time zone, browser language, or GPC signals; choose opt-in, opt-out, or hybrid models. |
| Cookie Declaration & Privacy Policy Generator | Generate editable templates based on actual scan data to match your live site setup. |
| Category-Based Tracking Control | Let users consent to specific, clearly described categories such as Analytics, Advertising, Functional, or Custom, so you meet granular consent requirements under privacy laws. |
| ID Verification | Verify a user's age or country using zero-knowledge proofs (ZKPs) and digital wallets without revealing personal data or creating a tracking trail. |
| Customizable Consent Banners | Edit banners in 40+ languages, choose from templates, and tailor text to your site's tone and UX. |
These safeguards highlight the difference between banners that look compliant and systems that actually enforce it.
How to get AesirX CMP for WordPress
AesirX CMP: Lifetime deal exclusive to AppSumo
Most CMPs on the market charge $50–$100 per month based on site traffic – up to $1,200 per year for a single domain, often without delivering full compliance. AesirX offers a different choice: with the current AppSumo Lifetime Deal, WordPress site owners pay once from just $69 for 1 domain (saving up to 79%) and own the CMP forever, with no recurring bills, no visitor limits, and all future updates included.
It’s a permanent, regulation-ready consent management solution that you own outright, built to keep your site compliant without draining your budget.