Österreichischer Rundfunk - ORF – Complaint Upheld (Austria, 2024)
Austria's data protection authority found that Österreichischer Rundfunk (ORF) did not allow users to easily refuse cookies on its website. This matters because it shows that companies must make it clear how users can reject cookie tracking. ORF has since updated its cookie banner, but the ruling emphasizes the importance of user consent.
What happened
Österreichischer Rundfunk's cookie banner lacked a clear option for users to reject cookies.
Who was affected
Website visitors who encountered the cookie banner on ORF's site.
What the authority found
The authority ruled that ORF's cookie practices violated GDPR's requirements for clear consent.
Why this matters
This case highlights that companies must ensure users can easily refuse cookies. It sets a precedent for stricter cookie consent practices across the industry.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On the 11 August 2021, the data subject, represented by noyb filed a complaint against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). The data subject visited the website of the controller (www.orf.at) on the 21 January 2021 and was confronted with a cookie banner which lacked any clear option to refuse the placement of cookies. Further, the controller had placed cookies ahead of any interaction with the cookie banner. The complaint highlighted that through the design of the cookie banner, the controller could not rely on the unambiguous consent of users for the processing of personal data and requested the erasure of their personal data gathered through the cookies. The data subject therefore requested the DPA to order the controller to delete the data subject's personal data in accordance with Article 17 GDPR and to cease the unlawful processing of personal data of users. Throughout the course of the proceedings, the controller revised the cookie banner and included two buttons, one to reject the placement of cookies and one to set certain preferences. The two added buttons were set with the same colour as the cookie banner background. The button to accept all cookies however was equipped with a dark blue colour. The controller argued, that the difference in colour made the selection process easier for the user. Further, none of the data gathered through cookies was stored by the controller and during the course of the proceedings the controller informed recipients of the data subject's request for erasure. Design of the cookie banner Primarily, the DSB reiterated that economic necessity such as personalized advertising does not equate to the technological necessity of cookies for the functioning of the website. The cookies placed before any interaction with the cookie banner were for statistical and analytical purposes and not technologically necessary for the functioning of the website. Therefore, prior consent of the user is required.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (4)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Enforcement Actions (1)
Other enforcement actions involving Österreichischer Rundfunk - ORF in AT
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Österreichischer Rundfunk - ORF - Austria (2024). Retrieved from cookiefines.eu
Last updated: