Court case W108 2280724-1 – Court Ruling (Austria, 2024)

Court Ruling
Datenschutzbehörde31 July 2024Austria
final
ePrivacy
Court Ruling

An Austrian court ruled that a website's cookie banner did not properly inform visitors about cookie usage and made it difficult to refuse cookies. This matters because it highlights the importance of clear consent mechanisms for website operators. Companies must ensure their cookie banners are user-friendly and comply with privacy laws.

What happened

A website's cookie banner misled users and made rejecting cookies harder than accepting them.

Who was affected

Website visitors who encountered the misleading cookie banner on the site.

What the authority found

The court found that the website did not provide clear and valid consent options for cookie usage, violating GDPR requirements.

Why this matters

This ruling emphasizes that website operators need to create transparent and easy-to-use consent mechanisms for cookies. It sets a precedent for stricter enforcement of cookie consent rules.

GDPR Articles Cited

AI-verified

Art. 7(GDPR)
Art. 4(1) GDPR
Art. 4(2) GDPR
Art. 4(7) GDPR
Art. 4(11) GDPR
Art. 58(1)(b) GDPR
Art. 58(2)(d) GDPR
View original scraped data
Art. 4(1) GDPR
Art. 4(2) GDPR
Art. 4(7) GDPR
Art. 4(11) GDPR
Art. 7(GDPR)
Art. 58(1)(b) GDPR
Art. 58(2)(d) GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

§1 DSG
§133 Abs4 B-VG
Decision AuthorityBVwG
Reviewed AuthorityDSB (Austria)
Source verified 9 April 2026
articles corrected
authority corrected
Austria enforcementDatenschutzbehörde actionsAll Court case W108 2280724-1 actions
Full Legal Summary
Detailed

The data subject visited a website, for which the controller was responsible. Upon accessing the website, the data subject was presented with a 'Consent Management Platform (CMP or cookie banner)' that, according to the data subject, violated Article 6 GDPR. The data subject filed a complaint to the Austrian DPA (DSB) on 10 August 2021. The data subject was represented by noyb. During the proceedings before the DPA: * the controller claimed to have reworked the design of the CMP and to have deleted the contested personal data of the data subject; * the data subject replied to this statement claiming that even though the violations identified in the complaint had been remedied by the new design of the CMP, certain cookies were then classified as 'strictly necessary' (within the meaning of Article 5 (3) ePrivacy Directive) and thus set as 'always active'; * in response, the controller claimed not to have processed any personal data without the data subjects consent. In addition, the controller explained that the note 'always active' for certain cookies was incorrect and had only not been removed by the time of the data subject's statement for technical reasons; * the data subject explained that the cookies had still been incorrectly classified and various non-required cookies were set without interaction with the banner. The controller claimed they had revised the cookie settings and the banner again and the contested cookies that were not deemed strictly necessary were not being set anymore if consent was not given; * the data subject stated their data was indeed processed without their consent upon visiting the website and that the processor had not explained in sufficient detail to what extent certain cookies were considered strictly necessary. The DPA dismissed the complaint. However, it also officially instructed the processor in point 3) of their decision to adapt the website and the banner in such a way to be compliant with Article 4(11) GDPR and Article 4(7

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (6)

No Reject Button
critical

Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.

Art. 7 GDPR

Pre-ticked Consent Boxes
high

Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.

Art. 4(11) GDPR

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Misleading Banner Messaging
critical

The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).

Art. 7 GDPR

Related Cases (0)

No other cases found for Court case W108 2280724-1 in AT

This is the only recorded case for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

unknown (claimant)

2021 · DPA OLGLinz

Details

Ruling Date

31 July 2024

Authority

Datenschutzbehörde

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 100%

Cite as: Cookie Fines. Court case W108 2280724-1 - Austria (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: