American Express (NYSE:AXP) has been hit with a €1.5 million penalty by France’s data protection authority, the CNIL, for failing to comply with rules governing the use of cookies.
The fine follows audits carried out in January 2023, during which the regulator identified several shortcomings in the company’s data-handling practices. According to the CNIL, American Express placed cookies on users’ devices without first securing valid consent.
The authority also reported that the firm continued to install cookies even when users had explicitly rejected them. Investigators further found that American Express kept accessing cookie data despite users having revoked their earlier consent.
The CNIL concluded that these practices breached France’s cookie consent requirements, resulting in the monetary sanction.