🇫🇷 Cookies set without consent

Cookies & Trackers | 08/12/2025

💸 €1.5 million fine for American Express

Regulator: CNIL
Source: SAN-2025-011 of 27 November 2025

On 27 November 2025, the CNIL fined American Express Carte France €1.5 million for failing to comply with the rules applicable to trackers (Article 82 of the French Data Protection Act).

At issue:
• Cookies set before any genuine user consent
• Trackers for advertising purposes installed as soon as the user arrived on the website
• Information deemed insufficient regarding the use of cookies

👉 Very clear message from the CNIL:
No non-essential cookies without explicit, freely given, informed… and prior consent.

Key takeaways for organisations:

1. Compliant consent banners (refusing must be as easy as accepting)
2. No marketing cookies set before the user’s consent
3. Full transparency on purposes and partners
4. Traceability of consent (evidence, logs, CMP configuration)

🔍 Are you sure your cookies aren’t costing you €1.5 million?
Cookies are no longer just a “technical” or “marketing” topic.
The consequences can be very serious, both financially and in terms of reputation.