What initially appeared to be a simple design problem turned out to be a data protection stumbling block: A cookie banner that does not offer users the same easy option to reject cookies as to accept them on the first level violates the GDPR.
A user of the online edition of an Austrian newspaper complained to the data protection authority. The cookie banner on the newspaper's website only offers the option to "accept” and their purposes. A refusal (“Reject all") is only possible after another click on the second level. Furthermore, no "floating icon" for quickly changing cookie settings was implemented directly in the banner; instead, the user had to use a link in the website footer to return to the settings. The media outlet deleted the user's data at his request, and the data protection authority intervened within the scope of its remedial powers.
From a legal perspective, the key question was which requirements cookie banners must meet to comply with Article 7 (3) of the General Data Protection Regulation (GDPR). Article 7 (3) GDPR stipulates that consent to the processing of personal data can be revoked at any time, and revocation must be just as easy as granting consent. Furthermore, the application of the media privilege pursuant to Section 9 (1) of the Data Protection Act (DSG) had to be examined. This privilege protects personal data processing in the field of journalistic activity and media reporting, as long as it serves the dissemination of information, opinions, or ideas on public issues.
By order of Article 58 (2) (d) GDPR, the data protection authority ordered the newspaper to modify the cookie banner within ten weeks so that a visually equivalent option for rejecting cookies or closing the banner without consent was offered on the first level. The newspaper appealed against this to the Federal Administrative Court (BVwG). The BVwG shared the data protection authority's view: It was inadmissible to make rejecting cookies only possible after multiple clicks and visually subordinate links, while a single click was sufficient for consent. The BVwG also clarified that the media privilege (Section 9 (1) DSG) for journalistic activities did not apply here, as the processing of personal data through cookies for marketing and analysis purposes did not constitute journalistic activity. The Higher Administrative Court (VwGH) also saw no reason for an appeal: The design of cookie banners was a case-by-case question with no fundamental significance. There is no evidence of an error of judgment by the administrative court – the decision is legally sound.
The Administrative Court thus confirms: A cookie banner that makes it technically or visually difficult to refuse consent violates the GDPR. Consent must be genuine, voluntary, and equally easy to grant and refuse. Anyone who ignores this not only risks action by the data protection authority but also significant reputational damage. It is therefore advisable to ensure in advance that websites comply with data protection regulations and to have existing websites regularly audited according to legal standards.
Administrative Court 16.01.2025, Ra 2024/04/0424
10.04.2025