American Express is just another violator in the eyes of France’s privacy enforcer. While we see CalPrivacy going after both domestic and international companies it’s going to be a cross boarder tit for tat of fines as companies violate other countries data subject rights. France’s privacy enforcement body is not playing games and they continue to fine violators and the best way to protect is to use a consent management platform like Captain Compliance to avoid a headline like this:

Cookies: CNIL Fines American Express €1.5 Million

On November 27, 2025, the CNIL sanctioned the company AMERICAN EXPRESS CARTE FRANCE, a French subsidiary of the AMERICAN EXPRESS group, with a fine of €1.5 million for non-compliance with the rules applicable to trackers (cookies).

The Context

The AMERICAN EXPRESS group, whose parent company is based in the United States, is the third-largest issuer of payment cards in the world. In France, American Express products are distributed by the company AMERICAN EXPRESS CARTE FRANCE, through third-party banks but also via the website “www.americanexpress.com/fr-fr/“.

In January 2023, the CNIL conducted several checks starting from this site and within the company’s premises.

Based on the findings made, the restricted formation – the CNIL body responsible for issuing sanctions – considered that the company AMERICAN EXPRESS CARTE FRANCE had failed to comply with the rules governing trackers (Article 82 of the Data Processing and Freedoms Law) and imposed a fine of €1.5 million on it.

The amount of this fine takes into account the fact that the company violated several consent-protecting obligations for internet users: by depositing trackers without obtaining this consent or despite their refusal to consent, or by continuing to read previously deposited trackers despite the withdrawal of their consent. It also takes into account the fact that the rules on trackers are well known, due to their age and wide dissemination by the CNIL, but also that the company has brought itself into compliance during the procedure.

The Sanctioned Violations

Violations of the rules governing trackers (Article 82 of the Data Processing and Freedoms Law)

The CNIL has sanctioned several practices by the company that are contrary to Article 82 of the Data Processing and Freedoms Law:

• Deposit of trackers without user consent: The CNIL found that, upon the user’s arrival on the website “www.americanexpress.com/fr-fr/” and even before they interacted with the window allowing them to express a choice, several trackers, including those for advertising purposes, were deposited on their device.
• Deposit of trackers despite user refusal: The CNIL also found that advertising-purpose trackers were deposited on the user’s device despite their expressed refusal.
• Reading of trackers despite withdrawal of consent: Finally, the CNIL found that when a user accepted the deposit and reading of trackers, then withdrew their consent, the previously deposited trackers continued to be read by the company.

Reference Text: Article 82 of the Data Processing and Freedoms Law

The Deliberation

Deliberation SAN-2025-011 of November 27, 2025 – Legifrance