American Express Carte France, the French division of American Express, has been fined €1.5 million for violating French data protection rules regarding cookie usage. During inspections conducted in 2023 by France’s data protection authority CNIL, investigators discovered that the company’s website installed cookies before users had a chance to accept or reject them.
The regulator found that advertising cookies were placed on user devices even after explicit refusal. Additionally, when users initially consented but later withdrew it, previously installed cookies continued collecting data, which directly violates legal requirements.
Article 82 of the French Data Protection Act sets strict rules for cookie placement, and CNIL has long communicated these guidelines to companies of all sizes. The authority highlighted that American Express failed to comply with several core obligations related to protecting user consent.
However, CNIL noted that during the proceedings American Express Carte France updated its processes to comply with data protection requirements, which was taken into consideration when determining the fine.
The €1.5 million penalty serves as a reminder that even major financial institutions are not exempt from strict privacy regulations. The case underscores the importance of proper consent management and transparency in online tracking. American Express representatives stated that the company “takes CNIL’s findings very seriously” and remains fully committed to respecting data protection standards.
