France’s data protection authority, CNIL, fined American Express Carte France €1.5 million for placing advertising cookies on user devices without prior consent. Inspectors found that the company’s website installed tracking cookies as soon as visitors accessed the homepage. The cookies were active before a consent banner appeared and continued to operate even when users selected refusal options. CNIL said some cookies also remained active after consent was withdrawn.
American Express Carte France offers card and financial services through its online platform. CNIL stated that the company failed to meet its legal obligations under French data protection law, which requires that advertising and tracking cookies be installed only after users have given explicit consent. These rules apply to cookies used for behavioural analysis, targeted advertising or other non-essential functions.
The authority carried out inspections in January 2023. According to its decision, the company did not correctly manage consent collection, did not prevent non-essential cookies from loading automatically and did not stop processing when users opted out. CNIL emphasised that these requirements have been in place for several years and that organisations are expected to implement effective consent mechanisms.
Under EU and French privacy regulations, consent must be given freely and in advance. Users must also be able to withdraw consent easily. CNIL said American Express Carte France did not meet these standards. The authority noted that violations related to cookies are a recurring focus of enforcement because tracking technologies can reveal browsing patterns and personal preferences.
American Express said it has made changes to meet compliance requirements. The authority confirmed that some corrective measures had already been implemented by the time the decision was issued.
The case adds to a series of enforcement actions across Europe targeting companies that fail to follow cookie rules. CNIL has issued several fines to firms in sectors including retail, media and technology. Analysts said the fine demonstrates that compliance obligations apply equally to financial institutions and non-financial companies.
Users who visited the affected website may wish to review their browser settings and remove unwanted cookies. Privacy specialists recommend that users check consent banners carefully and refuse non-essential tracking if they prefer limited data exposure.