Österreichischer Rundfunk - ORF – Complaint Upheld (Austria, 2024)
Austria's public broadcaster ORF faced a complaint for its cookie banner that made it hard for users to refuse cookies. The case underscores the importance of clear consent mechanisms for online privacy.
What happened
ORF's website cookie banner lacked a clear option for users to reject cookies and placed cookies before consent was given.
Who was affected
Website visitors who encountered ORF's cookie banner and had their data processed without proper consent.
What the authority found
The data protection authority upheld the complaint, stating that ORF's cookie practices did not comply with GDPR requirements for user consent.
Why this matters
This case highlights the need for clear and user-friendly consent options for cookies. Other websites should review their cookie banners to ensure they comply with privacy regulations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On the 11 August 2021, the data subject, represented by noyb filed a complaint against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). The data subject visited the website of the controller (www.orf.at) on the 21 January 2021 and was confronted with a cookie banner which lacked any clear option to refuse the placement of cookies. Further, the controller had placed cookies ahead of any interaction with the cookie banner. The complaint highlighted that through the design of the cookie banner, the controller could not rely on the unambiguous consent of users for the processing of personal data and requested the erasure of their personal data gathered through the cookies. The data subject therefore requested the DPA to order the controller to delete the data subject's personal data in accordance with Article 17 GDPR and to cease the unlawful processing of personal data of users. Throughout the course of the proceedings, the controller revised the cookie banner and included two buttons, one to reject the placement of cookies and one to set certain preferences. The two added buttons were set with the same colour as the cookie banner background. The button to accept all cookies however was equipped with a dark blue colour. The controller argued, that the difference in colour made the selection process easier for the user. Further, none of the data gathered through cookies was stored by the controller and during the course of the proceedings the controller informed recipients of the data subject's request for erasure. Design of the cookie banner Primarily, the DSB reiterated that economic necessity such as personalized advertising does not equate to the technological necessity of cookies for the functioning of the website. The cookies placed before any interaction with the cookie banner were for statistical and analytical purposes and not technologically necessary for the functioning of the website. Therefore, prior consent of the user is required.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (4)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Österreichischer Rundfunk - ORF in AT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Österreichischer Rundfunk - ORF - Austria (2024). Retrieved from cookiefines.eu
Last updated: