Der Standard – Complaint Upheld (Austria, 2023)
Der Standard, an Austrian newspaper, was found to have used a misleading cookie banner that pressured users into consenting to data sharing. This matters because it shows that companies must clearly inform users about their choices and not make consent a condition for accessing content. The ruling emphasizes the importance of user consent in data processing.
What happened
Der Standard's cookie banner forced users to choose between consenting to data sharing or subscribing to access content.
Who was affected
Website visitors who interacted with Der Standard's cookie banner and had their data shared with third parties.
What the authority found
The Austrian DPA ruled that Der Standard's cookie banner did not allow for valid consent, violating GDPR requirements.
Why this matters
This case highlights that companies must provide clear and genuine choices for consent. Website operators should ensure their cookie banners comply with GDPR to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 13 August 2021 the data subject visited the website of Der Standard, an Austrian newspaper. In order to access the content, the website’s cookie banner offered the data subject either the option to consent to targeted advertising or to buy a subscription to the online version of the newspaper. The data subject chose the first option. As a consequence, their data were shared with at least 125 third parties. According to the data subject, consent was invalid as the cookie banner did not meet the requirements established by the GDPR. Among others, the data subject claimed that they were not in the position of freely giving their consent to the processing for advertising purposes, as the only feasible alternative would have been to subscribe to the newspaper. Therefore, the data subject asked the Austrian DPA to declare the unlawfulness of the processing and order the controller to erase data (Article 17 GDPR) and stop processing operations. The data subject also suggested the adoption of a fine. The controller replied that journalism is not free of costs. It also claimed that there was no evidence that the data subject effectively visited the website. The controller also stressed that the price for an alternative to the data subject’s consent (the subscription) was reasonable. Moreover, the practice of sharing data for targeted advertising was not a choice of the controller, as today almost 100% of online advertisement is to some extent personalised. The data subject objected that the fact that a business model is dominant does not make it legal. In particular, consent is not validly given if the only feasible alternative is a binding contract with the controller (“pay or okay”). Data showed that users of the website opted for “consent” in more than 99% of the cases, which is a clear sign that consent was not freely given. The controller denied that these data were applicable to the present case. As a preliminary consideration, the Austrian DPA stressed that no jo
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (5)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.
Art. 4(11) GDPR
Related Enforcement Actions (1)
Other enforcement actions involving Der Standard in AT
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Der Standard - Austria (2023). Retrieved from cookiefines.eu
Last updated: