The French Data Protection Authority, CNIL, issues guidance on credit card data in remote transactions:

  • Merchants who collect credit card detail to facilitate a transaction, need the consent of their customers to keep their bank details beyond such transaction, to facilitate their subsequent purchases.
  • This consent is not presumed and must take the form of