Court case W108 2280724-1 – Court Ruling (Austria, 2024)
In Austria, a court ruled that a website improperly used cookies without user consent. The cookie banner was confusing, making it hard for users to reject cookies. This case stresses the importance of clear cookie policies and obtaining proper consent from users.
What happened
The website placed third-party cookies without obtaining valid consent from users and had a misleading cookie banner.
Who was affected
Visitors to the website who were tracked by cookies without their consent were affected.
What the authority found
The Austrian data protection authority determined that the website violated GDPR by failing to obtain proper consent for cookie usage.
Why this matters
This ruling reinforces the need for websites to provide clear information and easy options for users regarding cookie consent.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject visited a website, for which the controller was responsible. Upon accessing the website, the data subject was presented with a 'Consent Management Platform (CMP or cookie banner)' that, according to the data subject, violated Article 6 GDPR. The data subject filed a complaint to the Austrian DPA (DSB) on 10 August 2021. The data subject was represented by noyb. During the proceedings before the DPA: * the controller claimed to have reworked the design of the CMP and to have deleted the contested personal data of the data subject; * the data subject replied to this statement claiming that even though the violations identified in the complaint had been remedied by the new design of the CMP, certain cookies were then classified as 'strictly necessary' (within the meaning of Article 5 (3) ePrivacy Directive) and thus set as 'always active'; * in response, the controller claimed not to have processed any personal data without the data subjects consent. In addition, the controller explained that the note 'always active' for certain cookies was incorrect and had only not been removed by the time of the data subject's statement for technical reasons; * the data subject explained that the cookies had still been incorrectly classified and various non-required cookies were set without interaction with the banner. The controller claimed they had revised the cookie settings and the banner again and the contested cookies that were not deemed strictly necessary were not being set anymore if consent was not given; * the data subject stated their data was indeed processed without their consent upon visiting the website and that the processor had not explained in sufficient detail to what extent certain cookies were considered strictly necessary. The DPA dismissed the complaint. However, it also officially instructed the processor in point 3) of their decision to adapt the website and the banner in such a way to be compliant with Article 4(11) GDPR and Article 4(7
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (6)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Cases (0)
No other cases found for Court case W108 2280724-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Court case W108 2280724-1 - Austria (2024). Retrieved from cookiefines.eu
Last updated: