American Express Hit With €1.5 Million Fine in France Over Cookie Consent Failures
INSIGHTRADARIT Security & Privacy
Dec 3, 2025

American Express Hit With €1.5 Million Fine in France Over Cookie Consent Failures

By

GRC Report Staff
Key Takeaways
  • €1.5 Million Penalty: CNIL fined American Express Carte France for violating France’s cookie consent rules.
  • Consent Ignored: Advertising cookies were placed before users could choose, after refusal, and even after consent was withdrawn.
  • Long-Standing Rules: CNIL stressed that cookie requirements are well known and widely communicated to companies operating in France.
  • Remedial Action Taken: American Express corrected the issues during the investigation, which helped limit the fine.
Deep Dive

American Express has landed in the crosshairs of France’s data protection regulator, which says the company repeatedly ignored rules that give internet users control over how they’re tracked online.

The Commission Nationale de l’Informatique et des Libertés (CNIL) fined American Express €1.5 million after finding the company placed and continued reading advertising cookies without user consent. The decision follows inspections of its French website and local offices that began in January 2023.

The violations center on americanexpress.com, where the regulator found that:

  • cookies were dropped onto devices the moment visitors arrived, before they could make a choice,
  • advertising cookies still landed even when visitors said “no,” and
  • cookies already set continued to be read even after users changed their minds and withdrew consent.

These failings violate Article 82 of the French Data Protection Act, which requires companies to ask first before deploying any cookie not strictly needed for a website to function. And CNIL made clear that American Express, one of the world’s biggest card issuers, should have known better. Cookie rules, it noted, have been around for years and are widely communicated to companies operating in France.

The regulator also took into account that the company ultimately fixed the issues during the course of the investigation, a move that helped keep the fine from going even higher.

The case adds another reminder that French authorities remain aggressive on cookie enforcement, particularly when large, globally recognized brands sidestep basic consent requirements. For businesses operating in France, the expectation is if you want to track users, you have to ask and respect the answer.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong
Compliance & Ethics
IT Security & Privacy
INSIGHTRADARIT Security & Privacy
Jan 17, 2025
FTC Takes Action Against GM Over Unseen Tracking of Drivers’ Data
INSIGHTRADARIT Security & Privacy
Aug 1, 2024
Major Data Breach at HealthEquity Affects 4.3 Million Individuals: Key Lessons for Risk, Resilience, & IT Security Professionals
INSIGHTRADARIT Security & Privacy
Jul 17, 2023
Norwegian DPA Threatens Meta with Fines Over Behavioral Advertising: Compliance and Data Security Implications