Biggest GDPR Cookie Fines in 2026
From Google's EUR 325M to SHEIN's EUR 150M. The largest GDPR cookie fines of 2025-2026 and what they mean for your website.

EUR 7.1 Billion and Counting
Since GDPR came into force in May 2018, European regulators have issued over EUR 7.1 billion in total fines. And 2025 was a turning point: cookie violations became the fastest-growing category of enforcement, with authorities across the EU making it clear that non-compliant cookie banners are no longer a minor oversight. They are a financial risk.
If you run a website that serves European visitors, this article is your wake-up call. Here are the biggest cookie-related fines from the past year and what you need to do to avoid being next.

The Biggest Cookie Fines of 2025
Google - EUR 325 Million (France, September 2025)
The French data protection authority CNIL fined Google EUR 325 million for displaying promotional ads inside Gmail without user consent. The ruling also found that Google's consent designs were specifically engineered to steer users toward accepting personalized advertising. This fine reinforced that consent must be freely given, not nudged through dark patterns.
SHEIN - EUR 150 Million (France, September 2025)
Fast-fashion giant SHEIN received a EUR 150 million fine for one of the most basic violations: loading advertising cookies before users could even see the cookie banner. On top of that, CNIL found that the "Reject All" button simply did not work, and the cookie banner failed to mention the advertising purpose of the tracking. This case is a landmark because it proves that regulators test what actually happens in the browser, not just what the banner says.
TikTok - EUR 530 Million (France, 2025)
While primarily focused on children's data handling, TikTok's EUR 530 million fine included consent mechanism violations. Accounts were set to public by default, and TikTok's approach to obtaining consent did not meet GDPR standards.
Orange - EUR 50 Million (France, November 2024)
Telecom giant Orange was fined for inserting advertising messages into users' email inboxes without consent, affecting 7.8 million people. Critically, the CNIL found that cookies continued to be read and transmitted even after users withdrew their consent. Orange was ordered to fix this within 3 months or face EUR 100,000 per day in penalties.
Condé Nast - EUR 750,000 (France, November 2025)
Vanity Fair France's publisher was fined for placing cookies on visitors' devices without any consent at all, a straightforward violation that shows even well-known media companies get caught.
Coolblue - EUR 40,000 (Netherlands, December 2024)
Dutch retailer Coolblue was fined for using pre-checked consent boxes, assuming consent by default. The Dutch DPA had already warned them, making this a case of ignoring regulators.
The Patterns That Get You Fined
Looking at these cases, a clear pattern emerges. Regulators are targeting:
- Pre-consent tracking: Loading cookies or trackers before the user has a chance to accept or reject. This was the core of the SHEIN case.
- Asymmetric consent: Making "Accept" one click while burying "Reject" behind multiple screens. Facebook, Google, and TikTok have all been fined for this.
- Dark patterns: Using color contrast, button size, or wording to push users toward accepting. Sweden's privacy authority (IMY) formally reprimanded ATG, Aller Media, and Warner Music for this in April 2025.
- Ignoring consent withdrawal: Continuing to read cookies after a user revokes consent, as in the Orange case.
- Non-functional reject buttons: Having a "Reject" option that does not actually block cookies, as proven in the SHEIN fine.

The New Rules Coming in 2026
In November 2025, the EU published the Digital Omnibus Proposal, which will fundamentally change how cookie consent works:
- Single-click rejection: Users must be able to refuse cookies with a single click. No more hiding the reject option behind "Manage preferences" screens.
- Six-month cool-down: If a user declines consent, the website cannot ask again for the same purpose for at least six months. The era of asking on every page visit is ending.
- Machine-readable consent signals: The proposal will codify automated consent signals (like Global Privacy Control), allowing browsers to communicate consent preferences on behalf of users.
- Cookie rules move into the GDPR: Article 88a will integrate cookie tracking rules directly into the GDPR, replacing the patchwork of national ePrivacy implementations. This means a single, enforceable standard across all 27 EU member states.
These rules are expected to take effect in mid-to-late 2026.
It's Not Just Big Tech Anymore
One of the most important trends in 2025-2026 is that enforcement has expanded far beyond Google and Meta. The Dutch DPA sent formal warnings to 50 organizations, including online retailers, media companies, and insurers, giving them three months to fix their cookie practices or face investigation.
In the UK, the ICO reviewed the top 1,000 websites and found that 564 needed to correct their cookie practices. By December 2025, 95% of those sites were compliant.
Meanwhile, advocacy group noyb filed over 560 GDPR complaints targeting websites in 33 countries. Their analysis found that 81% of those sites did not offer a "Reject" option on the first layer of the cookie banner, and 73% used deceptive color contrasts to push users toward accepting.
Spain alone has issued over 1,021 GDPR fines. Italy's DPA is increasingly targeting SMEs. No website is too small to be noticed.
What This Means for Your Website
Under GDPR Article 83, cookie and consent violations can result in fines of up to EUR 20 million or 4% of annual global revenue, whichever is higher. But beyond the fines, there is the reputational damage, the legal costs, and the lost trust of your visitors.
The good news is that most cookie violations are straightforward to fix once you know they exist. The problem is that most website owners have no idea their banner is non-compliant. Their developers set it up once and never tested what actually happens in the browser.
That is exactly what regulators do: they open your site, watch what loads before consent, and check if the reject button actually works.
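The browser-side check described above, and the pre-consent, broken-reject and withdrawal patterns listed earlier, can be expressed as a small audit over a captured event timeline. This is an added example, not part of the original article: the event format, cookie names, hosts and the list of strictly necessary cookies are all constructed assumptions.

```javascript
// Audit a captured browser timeline against the visitor's consent state.
// Assumption: the auditor decides which cookies are strictly necessary.
const NECESSARY = new Set(["session_id", "csrf_token", "consent_choice"]);

// Which finding a non-essential cookie produces in each consent state.
const RULE_BY_STATE = {
  none: "pre-consent tracking",
  rejected: "reject not honoured",
  withdrawn: "used after withdrawal",
};
const NEXT_STATE = { accept: "accepted", reject: "rejected", withdraw: "withdrawn" };

function auditTimeline(events, necessary = NECESSARY) {
  let state = "none"; // no choice made yet
  const findings = [];
  // Process in time order so each event is judged against the state at that moment.
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === "consent") {
      state = NEXT_STATE[ev.action] ?? state;
      continue;
    }
    // cookie_set: Set-Cookie header or document.cookie write.
    // cookie_sent: cookie read back and transmitted on a request.
    if (ev.type !== "cookie_set" && ev.type !== "cookie_sent") continue;
    if (necessary.has(ev.name) || state === "accepted") continue;
    findings.push({ t: ev.t, rule: RULE_BY_STATE[state], cookie: ev.name,
                    host: ev.host, via: ev.type });
  }
  return findings;
}

// Constructed sample timeline (milliseconds since navigation start).
const SAMPLE = [
  { t: 0,     type: "cookie_set",  name: "session_id", host: "shop.example" },
  { t: 120,   type: "cookie_set",  name: "ad_uid",     host: "ads.example" },
  { t: 900,   type: "banner_shown" },
  { t: 4000,  type: "consent",     action: "reject" },
  { t: 4300,  type: "cookie_sent", name: "ad_uid",     host: "ads.example" },
  { t: 9000,  type: "consent",     action: "accept" },
  { t: 9100,  type: "cookie_set",  name: "ad_uid",     host: "ads.example" },
  { t: 20000, type: "consent",     action: "withdraw" },
  { t: 20500, type: "cookie_sent", name: "ad_uid",     host: "ads.example" },
  { t: 20600, type: "cookie_sent", name: "session_id", host: "shop.example" },
];

for (const f of auditTimeline(SAMPLE)) {
  console.log(`${f.t}ms  ${f.rule}: ${f.cookie} (${f.via}, ${f.host})`);
}
```

A real timeline would come from a HAR export or browser automation trace taken once with no interaction, once after clicking reject, and once after withdrawing consent.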
Check Your Website Now
You do not need to wait for a regulator to find you. Scan your website for free and see exactly what a compliance audit would find: pre-consent cookies, trackers loading before consent, and banner issues. It takes 30 seconds and gives you a clear picture of your risk.
The fines above prove that enforcement is real, growing, and expanding to companies of all sizes. The question is not whether regulators will check your website. It is when.