CNIL Fines American Express' French Arm $1.7 Million for Cookie Breaches
The French subsidiary of American Express breached cookie rules, said the country's privacy regulator, CNIL, on Wednesday as it fined the company 1.5 million euros ($1.7 million).
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
American Express products in France are distributed by American Express Carte France through third-party banks and via the website americanexpress.com/fr-fr, CNIL noted. In January 2023, it conducted inspections of the website and the company's premises, finding several violations of the French Data Protection Act's cookie rules, it said.
The breaches involved the placement of cookies without users' consent, despite users' refusal and despite consent withdrawal, the DPA said. Its fine took into account "that the company had violated several obligations around user consent," and "that cookie rules are well known and that it had complied during the proceedings."
American Express Carte France takes CNIL's findings "very seriously, and we are fully committed to upholding data protection standards and practices," it said in an emailed statement. "As explicitly mentioned in the CNIL's decision, we have already put in place the necessary measures to fully address" the findings.