FrEnCookies manager
FrEnCookies manager
  1. Home
  2. Cookies: AMERICAN EXPRESS fined €1.5 million by the CNIL

Cookies: AMERICAN EXPRESS fined €1.5 million by the CNIL

03 December 2025

On 27th November 2025, the CNIL sanctioned AMERICAN EXPRESS CARTE FRANCE, the French subsidiary of the AMERICAN EXPRESS group, with a fine of €1.5 million for non-compliance with the rules applicable to cookies.

Background information

The AMERICAN EXPRESS group, whose parent company is located in the United States, is the third largest issuer of payment cards in the world. In France, American Express products are distributed by AMERICAN EXPRESS CARTE FRANCE, through third-party banks and also via the website "www.americanexpress.com/fr-fr/".

In January 2023, the CNIL carried out several inspections of this website and in the company's premises.

Based on its findings, the restricted committee – the CNIL body responsible for issuing sanctions – considered that AMERICAN EXPRESS CARTE FRANCE had failed to comply with the rules regarding cookies (Article 82 of the French Data Protection Act) and imposed a fine of €1.5 million.

The amount of this fine took into account the fact that the company failed to comply with several obligations to protect the consent of internet users: by placing cookies without their consent or despite their refusal to give consent, or by continuing to read previously placed cookies despite the withdrawal of their consent. It also took into account the fact that the rules regarding cookies are well known, due to their long history and widespread dissemination by the CNIL, but also the fact that the company complied with the rules during the proceedings.

Breaches sanctioned

Breaches of the rules regarding cookies (Article 82 of the French Data Protection Act)

The CNIL sanctioned several of the company's practices that violated Article 82 of the French Data Protection Act:

  • Placement of cookies without the user's consent: the CNIL found that, as soon as the user arrived on the website "www.americanexpress.fr/fr/" and even before interacting with the window allowing them to express a choice, several cookies were placed on their device, particularly for advertising purposes.
     
  • Placement of cookies despite the user's refusal: the CNIL also found that cookies for advertising purposes were placed on the user's device despite their expressed refusal.
     
  • Reading of cookies despite withdrawal of consent: finally, the CNIL found that when users accepted the placement and reading of cookies, and then withdrew their consent, the previously placed cookies continued to be read by the company.
Texte reference

Deliberation

Texte reference

Reference texts

Texte reference

Read more

This can also interest you ...

Cookies placed without consent: the company that publishes the website “vanityfair.fr” fined ...

27 November 2025

 Cookies and tracking devices
Hidden cameras: the CNIL sanctions the SAMARITAINE

23 September 2025

 Sanctions
Closure of the injunction issued against ORANGE

18 September 2025

 Sanctions