On 30 November 2023, the French Data Protection Authority (the "CNIL") issued a EUR 40,000 fine against American Express Carte France for shortcomings in its cookie consent banner. Although the monetary value was modest, the decision highlights the CNIL's increasingly standardised expectations for cookie consent and provides practical guidance for organisations operating in France.
Analysis of Key Violations
The CNIL's enforcement action focused on three key areas, reflecting an alignment with broader European regulatory interpretation:
1. Lack of Prior Consent
Analytics and tracking cookies were deposited before users made any choice—an approach strictly incompatible with Article 82 of the French Data Protection Act. This point reflects the core position set out by the EDPB in Guidelines 05/2020 on Consent, which provides that non-essential cookies require valid, prior, affirmative consent.
2. Imbalanced Choice Presentation (Deceptive Design)
The cookie banner featured a prominently positioned "Accept All" button on the first layer, while the "Refuse All" option was placed in a secondary layer. The CNIL views this design asymmetry as an impermissible nudging technique, a form of deceptive design or "dark pattern." This interpretation is fully aligned with the EDPB's Guidelines 03/2022 on Deceptive Design Patterns, which caution against interface designs that steer users toward privacy-invasive outcomes.
3. Insufficient Transparency
Essential information — such as cookie purposes, retention periods, and third-party participation — was not readily accessible upon viewing the banner. While layered notices remain acceptable, this baseline transparency must be clearly signposted on the first layer. This echoes both EDPB Guidelines 05/2020 and 03/2022 (dark patterns) as well as the ICO's 2023 Guidance on Cookies and Similar Technologies, which require transparency to be "clear and easily accessible."
Comparative Snapshot: CNIL vs. EDPB and UK Standards
This comparative view confirms that while CNIL remains among the strictest regulators on interface design, its position is well aligned with broader European trends.
| Requirement | CNIL (France) | EDPB Guidance (EU-wide but non-binding) | ICO (UK) |
|---|---|---|---|
| Pre-consent cookies | Prohibited | Prohibited | Prohibited for non-essential cookies |
| Equal prominence of accept/reject | Mandatory on first layer | Encouraged by guidance on dark patterns | Required in principle; more design flexibility allowed |
| Legitimate interest for analytics | Not permitted | Not supported as a lawful basis | Limited flexibility for "low-risk analytics," but still consent-oriented |
| Transparency | Layering permitted but certain information required on first layer | Full disclosure required; layering permitted | Emphasis on clarity without strict format rules |
Practical Priorities for Compliance
To mitigate regulatory risk, organisations should prioritise the following enhancements:
- Symmetrical Choice: Ensure "Accept All" and "Reject All" appear on the same layer with comparable size, colour, and visual prominence.
- Prior Consent Guarantee: Block all non-essential cookies and scripts until the user affirmatively consents.
- Strengthen Transparency: Provide concise first-layer explanations and direct links to detailed retention periods and third-party disclosures.
- Periodic Auditing: Regularly review Consent Management Platforms (CMPs) and vendor scripts to prevent accidental, non-compliant pre-consent cookie drops.
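The two engineering items in that list, gating non-essential scripts on an explicit choice and auditing for pre-consent cookie drops, can be expressed as a small piece of consent-management logic. The following is an added example written for this article; it is not code from the article, the CNIL or any CMP vendor. The tag ids, script URLs, category names and cookie names are constructed for illustration, and the banner "style" field used by the symmetry check is a hypothetical stand-in for whatever CSS class a real banner applies to its buttons.

```javascript
// Added example (not from the article or the CNIL decision): a consent-gated tag
// loader plus a pre-consent cookie audit. Category names, tag ids, script URLs and
// cookie names below are constructed for illustration.

const ESSENTIAL = "essential";

// Every script declares the consent category it depends on. Anything that is
// not ESSENTIAL stays blocked until the user has made an affirmative choice.
const TAG_REGISTRY = [
  { id: "session", category: ESSENTIAL, src: "/static/session.js" },                 // constructed
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" }, // constructed
  { id: "ads", category: "advertising", src: "https://ads.example/pixel.js" },          // constructed
];

// Cookie name -> category mapping used by the audit (constructed sample values).
const COOKIE_CATEGORY = { sid: ESSENTIAL, _ga: "analytics", _fbp: "advertising" };

// Initial state: no decision yet, so only essential processing is allowed.
function createConsentState() {
  return { decided: false, granted: new Set([ESSENTIAL]) };
}

// Record an explicit, affirmative choice. Closing the banner or scrolling is not
// a choice, so callers invoke this only from the Accept / Reject / Save buttons.
function recordChoice(state, choice) {
  const granted = new Set([ESSENTIAL]);
  if (choice.acceptAll) {
    for (const tag of TAG_REGISTRY) granted.add(tag.category);
  } else {
    for (const category of choice.categories || []) granted.add(category);
  }
  return { decided: true, granted };
}

// A tag may load only if it is essential, or the user has decided AND granted
// its category. Absence of a decision is never treated as consent.
function mayLoad(state, tag) {
  if (tag.category === ESSENTIAL) return true;
  return state.decided && state.granted.has(tag.category);
}

function tagsToLoad(state) {
  return TAG_REGISTRY.filter((tag) => mayLoad(state, tag)).map((tag) => tag.id);
}

// Parse a Cookie header or document.cookie string into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => part.split("=")[0]);
}

// Audit check: before any decision, every non-essential (or unknown) cookie
// present is a pre-consent drop. Returns the offending names, empty if clean.
function auditPreConsentCookies(state, cookieString) {
  if (state.decided) return [];
  return cookieNames(cookieString).filter(
    (name) => (COOKIE_CATEGORY[name] || "unknown") !== ESSENTIAL
  );
}

// Symmetry check for the first banner layer: both an accept-all and a reject-all
// control must be present and carry the same visual prominence (hypothetical
// "style" field standing in for a real CSS class).
function firstLayerIsSymmetric(firstLayer) {
  const accept = firstLayer.buttons.find((b) => b.action === "acceptAll");
  const reject = firstLayer.buttons.find((b) => b.action === "rejectAll");
  return Boolean(accept && reject && accept.style === reject.style);
}

// Stand-alone demonstration on constructed input.
const fresh = createConsentState();
console.log("before choice:", tagsToLoad(fresh));
console.log("pre-consent drops:", auditPreConsentCookies(fresh, "sid=a1; _ga=GA1.2.3; _fbp=fb.1"));
const partial = recordChoice(fresh, { categories: ["analytics"] });
console.log("after analytics-only choice:", tagsToLoad(partial));
console.log("first layer symmetric:", firstLayerIsSymmetric({
  buttons: [{ action: "acceptAll", style: "btn-primary" }, { action: "rejectAll", style: "btn-primary" }],
}));
```

The audit function is the piece to run in a periodic check: point it at the cookies observed on a fresh session before any banner interaction, and any name it returns is a vendor script or CMP misconfiguration dropping cookies ahead of consent. Unknown cookie names are deliberately flagged rather than ignored, so a newly added vendor cookie surfaces in the report instead of slipping through.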
Key Takeaway
The CNIL's American Express decision does not signal a shift toward harsher enforcement, but rather confirms stable, predictable regulatory expectations regarding cookie consent, transparency, and the avoidance of deceptive design. Compliance is achievable with certain adjustments: balanced interfaces, accessible information, and clear consent mechanics.
While this decision reinforces the current framework, organisations must monitor the European Commission's proposed EU Digital Omnibus Package (currently under discussion). If adopted, the Omnibus would streamline cookie compliance by requiring single-click opt-outs and mandating the recognition of automated, machine-readable consent signals (e.g., browser settings). This initiative, designed to curb "cookie fatigue," could fundamentally alter how consent is implemented, potentially reducing reliance on repeated banner interactions. For more information on the Digital Omnibus Package proposals, please see our blog post here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.