American Express Fined €1.5 Million for Cookie Law Breaches in France
Despite years of regulatory guidance and enforcement, cookie compliance continues to be an area where even sophisticated organisations fall short. A recent €1.5 million fine imposed by the French data protection authority (CNIL) on American Express Carte France is a clear example of how technical missteps in consent mechanisms can translate into significant regulatory risk.
Background to the CNIL Investigation
American Express Carte France, the French subsidiary of the American Express group, operates the group’s French-facing website and distributes payment products through partner banks and its own online channels. In early 2023, the CNIL carried out a series of inspections of the company’s website and on-site operations, focusing on how cookies and similar tracking technologies were used.
Those inspections led to formal enforcement action. In November 2025, the CNIL concluded that the company had breached Article 82 of the French Data Protection Act, which requires prior user consent for the placement and reading of most non-essential cookies.
The Practices Criticised by the CNIL
The CNIL identified three core failures. First, advertising cookies were placed as soon as users landed on the website, before they had interacted with the cookie banner or expressed any preference. In practical terms, users were tracked before being given a real choice.
Second, the CNIL found that advertising cookies were still deployed even where users had explicitly refused consent. This undermined the purpose of the consent mechanism and, in the regulator’s view, rendered the refusal meaningless.
Third, where users initially accepted cookies and later withdrew their consent, cookies that had already been placed continued to be read. Withdrawal of consent, which should be just as easy and effective as giving it, was therefore not properly respected.
In setting the level of the fine, the CNIL made it clear that these were not novel or uncertain legal issues. Cookie rules have been in force for many years and have been extensively clarified through guidance and prior enforcement decisions. While the authority acknowledged that the company corrected its practices during the investigation, this did not eliminate the seriousness of the underlying breaches.
Key Takeaways for Businesses
The American Express case highlights a recurring theme in cookie enforcement: the gap between what a consent banner promises and what actually happens behind the scenes.
For businesses, the key takeaways are practical rather than theoretical. Consent must be technically enforced, not just visually communicated. If cookies fire before a choice is made, or continue to operate after a refusal or withdrawal, the compliance framework is likely defective.
It is also a reminder that responsibility does not stop at the banner. Third-party advertising tools, analytics services and tag management systems must all be configured to respect user choices in real time.
Finally, this decision reinforces that regulators expect organisations to treat cookie compliance as a mature area of data protection law. For businesses with complex digital ecosystems, regular testing, audits and cross-functional coordination between legal, marketing and IT teams are essential. Cookie compliance may feel operational, but as this case shows, the regulatory and financial consequences of getting it wrong can be substantial.
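The three failures the CNIL identified correspond to three controls a consent mechanism has to enforce in code rather than in the banner's wording: no non-essential tag runs before a choice is recorded, a refusal actually blocks the tag, and a withdrawal both stops reading and deletes what was already placed. The following is an added illustration, not code from the CNIL decision, from American Express or from any real tag manager. The cookie store is abstracted so the logic can be exercised in-memory; the tag identifiers ("ads", "stats") and cookie names ("ad_id", "_visit") are constructed for the example.

```javascript
// Added example: a minimal consent gate for non-essential tags. Cookie storage is
// injected so the same logic runs against document.cookie in a browser or against
// this in-memory store for offline testing.

const CATEGORIES = ["analytics", "advertising"];

// Constructed cookie jar standing in for document.cookie. A browser adapter would
// write "name=value; Max-Age=..." strings instead of using a Map.
function memoryCookieStore() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    get: (name) => jar.get(name),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()],
  };
}

// Each non-essential tag registers the category it needs and the cookie names it
// writes, so a refusal or withdrawal knows exactly what to purge.
function createConsentManager(store, tags) {
  // undefined = no choice yet, false = refused, true = accepted
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, undefined]));
  const loaded = new Set();

  function hasConsent(category) {
    return state[category] === true;
  }

  // Load every registered tag whose category is consented and not yet loaded.
  function applyConsent() {
    for (const tag of tags) {
      if (hasConsent(tag.category) && !loaded.has(tag.id)) {
        tag.load(store);
        loaded.add(tag.id);
      }
    }
  }

  // Delete the cookies of every tag whose category is not (or no longer) consented.
  function purgeRefused() {
    for (const tag of tags) {
      if (!hasConsent(tag.category)) {
        for (const name of tag.cookies) store.remove(name);
        loaded.delete(tag.id);
      }
    }
  }

  return {
    // Failure 1 in the decision: nothing non-essential runs on page load.
    pageLoad() { purgeRefused(); },
    // Banner choice, true/false per category. Failure 2: a refusal is enforced by
    // purging, not merely recorded.
    setChoice(choices) {
      for (const c of CATEGORIES) if (c in choices) state[c] = Boolean(choices[c]);
      purgeRefused();
      applyConsent();
    },
    // Failure 3: withdrawal deletes cookies already placed and stops reads.
    withdraw(category) {
      state[category] = false;
      purgeRefused();
    },
    // Any tag that wants to read a cookie must go through this gate.
    readCookie(category, name) {
      return hasConsent(category) ? store.get(name) : undefined;
    },
    snapshot() { return { ...state, cookies: store.names().sort() }; },
  };
}

// Constructed sample tags standing in for an advertising pixel and an analytics script.
const SAMPLE_TAGS = [
  { id: "ads", category: "advertising", cookies: ["ad_id"],
    load: (s) => s.set("ad_id", "constructed-ad-id") },
  { id: "stats", category: "analytics", cookies: ["_visit"],
    load: (s) => s.set("_visit", "constructed-visit-id") },
];

// Walk through the lifecycle the CNIL examined and return the cookie set at each step.
function demo() {
  const store = memoryCookieStore();
  const cm = createConsentManager(store, SAMPLE_TAGS);
  cm.pageLoad();
  const beforeChoice = cm.snapshot().cookies;          // nothing set before a choice
  cm.setChoice({ advertising: false, analytics: true });
  const afterRefusal = cm.snapshot().cookies;          // only the analytics cookie
  cm.setChoice({ advertising: true });
  const afterAccept = cm.snapshot().cookies;           // both cookies
  cm.withdraw("advertising");
  const afterWithdraw = cm.snapshot().cookies;         // advertising cookie deleted
  const readAfterWithdraw = cm.readCookie("advertising", "ad_id"); // read is refused
  return { beforeChoice, afterRefusal, afterAccept, afterWithdraw, readAfterWithdraw };
}

console.log(demo());
```

The point of routing every read and write through the manager is auditability: a compliance test can assert, at each step of the banner lifecycle, exactly which cookies exist and which reads are permitted, which is the evidence the regulator's inspections were looking for.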
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you; get in contact with us today for more information.