The Austrian Data Protection Authority (DPA) has ordered the Austrian Broadcasting Corporation (ORF) to modify its cookie consent mechanism following a decision issued on October 28, 2024, which is currently not legally binding.
According to the decision, ORF must redesign its cookie banner within six weeks to ensure that all consent options are presented with equal visual prominence. The authority specifically mandates that the options "Accept all cookies" and "Only necessary cookies" must have equivalent visual treatment in terms of color, size, contrast, placement, and highlighting.
The case emerged after an investigation into ORF's website practices revealed that certain cookies containing unique identifiers were being deployed without proper user consent. These cookies were utilized for statistical analysis, device recognition, and advertising purposes.
"The legal exception, according to which cookies can be used without consent if they are necessary for the provision of an expressly requested service, should be interpreted restrictively," states the DPA in its decision. The authority explicitly clarifies that processing based on economic necessity falls outside this exception.
In its technical assessment, the DPA found specific issues with the contrast ratio of certain cookie banner elements. The authority referenced technical standards requiring a minimum contrast ratio of 3:1, which the current implementation failed to achieve. The decision particularly criticized the poor contrast ratio between the options "Cookie preferences" and "Only necessary cookies" against their background.
The ruling sets forth specific design requirements that ORF must implement:
- Visual elements such as color, size, contrast, and placement must be equivalent for all options
- No selection option may be emphasized through eye-catching design
- Highlighting through color or font size differences is not permitted
The decision addresses broader implications for website operators in Austria, establishing clear guidelines for cookie consent mechanisms. The authority emphasizes that the visual design of consent options must not influence user choice through preferential treatment of certain options.
Looking at the technical details, the DPA identified several cookies being set without prior consent, including:
- Cookies for determining statistical values
- Cookies for recognizing end devices
- Cookies for advertising purposes
According to privacy experts reviewing the decision, this ruling aligns with the broader European trend toward stricter interpretation of cookie consent requirements under the GDPR and ePrivacy Directive. The emphasis on equal visual treatment of consent options reflects growing regulatory focus on ensuring genuine user choice in digital privacy matters.
For compliance, ORF must implement these changes while maintaining its ability to measure audience reach as required by Austrian broadcasting law. The authority clarified that such legal obligations do not override the requirement for user consent for non-essential cookies.
The DPA's decision builds upon established case law regarding cookie consent mechanisms, particularly emphasizing that economic considerations cannot justify the deployment of tracking cookies without explicit user consent. This interpretation strengthens the position that technical necessity, rather than business necessity, must be the determining factor for cookie deployment without consent.
This ruling represents a significant development in Austrian data protection enforcement, establishing concrete design requirements for cookie consent mechanisms. It provides specific guidance for organizations operating websites in Austria, potentially influencing similar decisions across the European Union.
Legal experts note that this decision reinforces the trend toward more stringent interpretation of privacy requirements in digital interfaces, particularly emphasizing the importance of genuine user choice uninfluenced by interface design elements.
The case number for this decision is DSB-D124.0507/24, documented on October 28, 2024, by the Austrian Data Protection Authority.