The watchdog said Carrefour France and Carrefour Banque, the French retailer's financial services subsidiary, had failed to properly inform internet users about loyalty programmes and credit card applications on their respective websites.

It said information was also lacking on how long Carrefour France intended to keep customers' personal data. The initial data retention period of four years was deemed excessive by the watchdog.

The data privacy authority also found that Carrefour France didn't make it easy for customers to see personal data collected from them by the company, one of the EU's General Data Protection Regulation (GDPR) requirements.

The CNIL noted that Carrefour had made changes to its online procedures to be fully compliant with current privacy rules, including to the online trackers that Carrefour had saved without the user's prior consent.

The watchdog also said Carrefour had met all the requests from people who asked to have access to their personal data, or to have it deleted.

"The CNIL's decision concerns past and isolated failures," Carrefour said on Twitter. "They are now fully corrected." )

($1 = 0.8408 euros)

(Reporting by Mathieu Rosemain; Editing by Mark Potter)