GDPR, Apr 28, 2026

CNIL (France) - SAN-2025-011

CNIL fines American Express Carte France €1.5M for cookie consent violations.

Summary

France's data protection authority, the CNIL, fined American Express Carte France €1.5 million for placing optional cookies on website visitors' devices without consent and for failing to delete them when users withdrew consent. The investigation also found that the company recorded customer service calls beyond the necessary scope (the recording started as soon as the voice server message ended and was not paused while the caller was on hold), but no fine was imposed for that breach: the number of private conversations recorded was small, the controller showed that the issue stemmed from a misconfigured recording tool rather than intent, and it had remediated the problem. The case involved breaches of Article 82 of the French Data Protection Act (transposing Article 5(3) of the ePrivacy Directive) and the GDPR's data minimisation principle (Article 5(1)(c)).

Full text

CNIL - SAN-2025-011

Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR; Article 5(3) Directive 2002/58/EC (ePrivacy Directive); Article 82 French Data Protection Act
Type: Investigation
Outcome: Violation Found
Decided: 27.11.2025
Published: 03.12.2025 (on Légifrance)
Fine: 1,500,000 EUR
Parties: American Express Carte France
National Case Number/Name: SAN-2025-011
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: dt

The DPA fined a credit card company €1.5 million for placing optional cookies on users' devices without consent and for not deleting them when users withdrew their consent.

English Summary

Facts

American Express Carte France (the controller) is a subsidiary of American Express Company, the third largest issuer of payment cards in the world. The French DPA (CNIL) carried out an on-site inspection at the controller's headquarters on 26 and 27 January 2023 and an online inspection of the website americanexpress.com/fr-fr/ on 30 January 2023.

Following discussions under the one-stop-shop mechanism, several EU data protection authorities expressed concern about the processing operations carried out by the controller, since the controller had customers in their Member States. The rapporteur in charge closed the investigation and served the controller with the report on 10 April 2025. The rapporteur proposed an administrative fine together with an injunction to bring the controller's practices into compliance. The controller responded to the report on 12 May 2025. The DPA carried out a further online inspection of the same website on 13 May 2025. After the controller submitted additional observations, the rapporteur informed the controller that the investigation was closed.

The DPA examined the controller's practice of recording telephone calls made by customers (the data subjects), as well as the placement of cookies when visitors accessed the controller's website.

Holding

Data minimisation

The DPA found that the controller breached Article 5(1)(c) GDPR (the data minimisation principle) by recording calls made by data subjects to its customer service department from the moment the voice server message ended, without pausing the recording while the data subject was on hold. As a result, private conversations between the data subject and third parties nearby were likely to be recorded. The controller generally kept the recordings for 60 days for training, compliance monitoring and complaint handling. In 2022 the controller received nearly 1.2 million customer support calls and recorded half of them. Data subjects were informed at the start of the call of their right to object to the recording.

The DPA held that recordings made outside the exchange between data subjects and the controller's employees breached Article 5(1)(c) GDPR, since they were not adequate, relevant or limited to what was necessary for the stated purposes. In deciding on sanctions, however, the DPA took into account the evidence submitted by the controller: the number of private conversations actually recorded was small, the breach resulted from an incorrect configuration of the recording tool rather than from any intention of the controller, and the controller had since taken the necessary steps to comply with Article 5(1)(c) GDPR. The DPA therefore imposed no fine for this breach.

Placement of cookies on the website

Breach of Article 82 French Data Protection Act, transposing Article 5(3) of Directive 2002/58/EC (ePrivacy Directive): cookies were stored on and read from the user's device before any action on the user's part, despite the user's refusal, and after the user withdrew consent.

- As soon as the user opened the website, 31 cookies were placed on the device, 8 of which were optional.
- When the user declined cookies, 6 further optional cookies were placed on the device. Having considered the controller's explanations, the DPA did not uphold this particular grievance.
- After refusing optional cookies, opening a new tab in a specific section of the website stored 10 new cookies on the device, 3 of which were optional.
- When the user withdrew consent to previously accepted optional cookies but continued browsing, those cookies remained on the device.

The DPA therefore imposed a fine of €1.5 million on the controller for breach of Article 82 French Data Protection Act.
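The cookie findings above come down to three things a consent gate on the client must enforce: write no optional cookie before a choice is made, write none after refusal (including on later navigation), and expire the ones already written when consent is withdrawn. The following is an added example, not code from the decision or from the controller's website: a consent-gated cookie helper in JavaScript with an audit that flags optional cookies present without consent for their category. The cookie names, the category registry and the in-memory jar standing in for document.cookie are assumptions made for illustration.

```javascript
// Added example: consent-gated cookie helper modelling the failure modes in
// CNIL SAN-2025-011. Cookie names, categories and the in-memory jar standing
// in for document.cookie are assumptions, not the site's real configuration.

const ESSENTIAL = 'essential';

// Hypothetical registry of every cookie the site may write, by category.
// Anything not listed is treated as optional and unconsented (fail closed).
const REGISTRY = {
  session_id: ESSENTIAL,
  consent_choice: ESSENTIAL,
  _ga: 'analytics',
  _gid: 'analytics',
  ad_id: 'marketing',
};

// Minimal stand-in for document.cookie: Max-Age <= 0 removes the cookie,
// which is also how a real withdrawal handler expires one in the browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  write(name, value, maxAge = 3600) {
    if (maxAge <= 0) { this.store.delete(name); return; }
    this.store.set(name, value);
  }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentGate {
  constructor(jar, registry = REGISTRY) {
    this.jar = jar;
    this.registry = registry;
    this.granted = new Set(); // categories the user has accepted
  }

  categoryOf(name) { return this.registry[name] ?? 'unregistered'; }

  allowed(name) {
    const cat = this.categoryOf(name);
    return cat === ESSENTIAL || this.granted.has(cat);
  }

  // Every write goes through here. Returns true if written, false if blocked.
  place(name, value) {
    if (!this.allowed(name)) return false;
    this.jar.write(name, value);
    return true;
  }

  recordChoice() {
    this.jar.write('consent_choice', [...this.granted].sort().join(',') || 'none');
  }

  grant(categories) {
    categories.forEach((c) => this.granted.add(c));
    this.recordChoice();
  }

  refuseAll() {
    this.granted.clear();
    this.recordChoice();
  }

  // Withdrawal is not just "stop writing": cookies that were lawfully placed
  // earlier must be expired as well (the last grievance in the decision).
  withdraw(categories) {
    categories.forEach((c) => this.granted.delete(c));
    this.recordChoice();
    for (const name of this.jar.names()) {
      if (!this.allowed(name)) this.jar.write(name, '', 0);
    }
  }

  // Audit: optional cookies present without consent for their category.
  // Also catches writes that bypassed the gate (e.g. a third-party tag).
  violations() {
    return this.jar.names().filter((name) => !this.allowed(name));
  }
}

// Walk through the decision's scenarios; returns the state after each step.
function runScenarios() {
  const gate = new ConsentGate(new CookieJar());
  const out = {};

  // 1. Page load, before any choice: only essential cookies may be written.
  gate.place('session_id', 's1');
  out.gaBlockedBeforeChoice = !gate.place('_ga', 'GA1.1');
  out.beforeChoice = gate.violations();

  // 2. User refuses; later navigation (new tab, other section) adds nothing optional.
  gate.refuseAll();
  out.adBlockedAfterRefusal = !gate.place('ad_id', 'a1');
  out.afterRefusal = gate.violations();

  // 3. User accepts analytics, cookies are placed, then consent is withdrawn.
  gate.grant(['analytics']);
  gate.place('_ga', 'GA1.1');
  gate.place('_gid', 'GA1.2');
  out.afterGrant = gate.jar.names();
  gate.withdraw(['analytics']);
  out.afterWithdrawal = gate.jar.names();

  // 4. A script writes straight to the jar, bypassing the gate: the audit flags it.
  gate.jar.write('ad_id', 'a2');
  out.bypassDetected = gate.violations();
  return out;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

In a browser, jar.write(name, '', 0) corresponds to assigning `name=; Max-Age=0; Path=/` (with the same Domain and Path attributes the cookie was set with) to document.cookie. One caveat the audit cannot fix: first-party script can only expire cookies on its own origin, so cookies set by a vendor's own host must be prevented by not loading that vendor's tag until consent is granted, and removed through the vendor's opt-out rather than from the page.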
English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision SAN-2025-011 of 27 November 2025
National Commission for Information Technology and Civil Liberties (CNIL)
Nature of the decision: Sanction
Legal status: In force
Date of publication on Légifrance: Wednesday, 3 December 2025

Decision of the restricted panel No. SAN-2025-011 of 27 November 2025 concerning the company AMERICAN EXPRESS CARTE FRANCE

The National Commission for Information Technology and Civil Liberties, meeting in its restricted panel composed of Mr Philippe-Pierre CABOURDIN, Chairman, Mr Vincent LESCLOUS, Vice-Chairman, Ms Laurence FRANCESCHINI and Mr Didier KLING, Members,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data;
Having regard to Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, in particular Articles 20 et seq.;
Having regard to Decree No. 2019-536 of 29 May 2019 implementing Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties;
Having regard to Resolution No. 2013-175 of 4 July 2013 adopting the Rules of Procedure of the National Commission for Information Technology and Civil Liberties;
Having regard to Decision No. 2025-1154 QPC of 8 August 2025 of the Constitutional Council;
Having regard to Decision No. 2023-006C of 25 January 2023 by the Vice-President of the French Data Protection Authority (CNIL) instructing the Secretary General to conduct or have conducted an audit of the data processing operations implemented by or on behalf of AMERICAN EXPRESS CARTE FRANCE;
Having regard to the decision of the Vice-President of the French Data Protection Authority (CNIL) of 6 March 2025 appointing a rapporteur to the restricted panel;
Having regard to the report of Mr Fabien TARISSAN, rapporteur, served on AMERICAN EXPRESS CARTE FRANCE on 10 April 2025;
Having regard to the written observations submitted by the Board of AMERICAN EXPRESS CARTE FRANCE on 12 May 2025;
Having regard to Decision No. 2025-095C of 14 May 2025 by the Vice-President of the French Data Pro

Entities

American Express; American Express Carte France; CNIL