Austrian DPA Cookie FAQs

The use of cookies can be a tricky subject for websites given the rapid rise in data protection laws and compliance actions from various data protection regulatory authorities all around the world.

On 20 Dec 2023, the Austrian Data Protection Authority (DSB) released a set of Frequently Asked Questions about cookies and data protection outlining the requirements for the use of cookies on websites.

Let’s look into the key points highlighted by the Austrian DSB:

1. What is the legal framework for cookies?

• Article 5(3) of the e-Privacy Directive which is implemented at the national level in Section 165(3) of the Austrian Telecommunication Act 2021 requires prior consent for the use of all technical unnecessary cookies.
• Section 165(3) applies to not just cookies but also similar tracking technologies that access data from end users’ devices.

2. Are cookies personal data?

• Cookies are qualified as personal data where they can identify individuals.
• Cookies may contain universally unique identifiers (UUID) that are used to mark user devices. These identifiers contribute to the classification of cookies as personal data when they have the potential to identify specific individuals.

3. Which cookies are technically necessary?

• The type of cookie that is essential for the proper functioning of a website or for providing an information society service expressly requested by the user.
• Services for which technical cookies can be set includes:
  • Necessary session management (e.g. cookies saving shopping cart information or login status);
  • Entries in an online form if an entry on several subpages of a website is necessary to submit the form;
  • Information about the consent status, unless a clear online identifier is assigned for this.

4. Does your website need a cookie consent banner?

• A cookie banner is a window that appears on a website when a visitor visits the site for the first time.
• Its function is to obtain the user’s consent for the use of cookies.
• Such consent from website visitors is only required if the website uses "technically unnecessary" cookies. If the website doesn't use any of these cookies, there is no need for consent, and consequently, no cookie banner is necessary.

5. How must a cookie banner be designed?

• Ensure no technically unnecessary cookies are dropped on the website before obtaining the user’s consent.
• Browsing the website without any interaction with the consent banner or accidentally selecting a “hidden consent button” does not constitute a valid consent;
• Consent can not be assumed merely because a data subject generally sets their browser settings allowing cookies to be set or read.
• Pre-selected checkboxes do not constitute valid consent.
• To ensure consent is given voluntarily by the user, there must not be any disadvantages to the user for not giving consent to the use of cookies.
• The banner must clearly and precisely indicate how consent can be revoked.
• Withdrawing consent should be as easy as giving consent.
• Refusing consent should be as easy as granting it on a cookie banner, without additional steps or complexity.
• The purposes of cookies must be made clear to the user.
• Data subjects should not be pressured to give consent via banner design choices.

6. Is it mandatory to inform visitors about the use of cookies on a website?

• It depends on the types of cookies used. For "technically unnecessary" cookies, information must be provided about their setting and reading. This obligation applies regardless of whether the cookies involve personal data or not. Additionally, the user must be informed  if the use of cookies leads to the processing of personal data.

7. Can Accept and Reject buttons be of different colors?

• Depends on a case-by-case assessment given both Accept and Reject buttons are equally visible.
  Example: If the background of the banner is white, the Accept button is red and the Reject button is also white, such a banner is not compliant.

8. How can a website fulfill its obligation to inform users about its use of cookies?

• A multi-level approach is recommended.
• The first information layer of the consent banner may include:
  • The identity of the data controller/website operator
  • Brief description of the processing purposes
  • The legal basis for data processing
  • An indication that consent can be revoked at any time without providing any reason and doing so does not affect the legality of prior processing
  •  How and where it can revoked
  • A link to a detailed information or the second information layer.

9. Is the use of cookie walls permitted?

• The use of cookie walls also known as “pay or okay” is permitted if the following conditions are met:
  • Compliance with all data protection regulations particularly GDPR, for data processing based on consent
  • the requirements for the granularity of consent must be taken into account
  • The service provider must not be a public authority or other public bodies
  • There cannot be any exclusivity in relation to the content or services offered
  • The service provider cannot have a monopoly/quasi-monopoly position in the market
  • An appropriate and fair prices for the payment alternative
  • If a user gains access to the website using the payment alternative, no personal data may be processed for advertising purposes.

10. What is paywall and how is it different from a cookie wall?

• A “paywall” requires a user to pay money to access the website when they visit the website, as the website operator can decide whether access to the content of their website is chargeable. While cookie wall presents users with the option to either pay for a website access or provide consent for the use of cookies.

Securiti’s Cookie Consent Management Solution can help you comply with Austrian requirements on the use of cookies by displaying the legally compliant consent banners with automatic cookie scanning & categorization, preference center, and audit trail features.

Request a DEMO

Disclaimer

Securiti has made every attempt to ensure the accuracy and reliability of the information provided in these materials. However, the information is provided “as is'' without warranty of any kind. Securiti does not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained in these materials. Legal counsel should be consulted prior to making any decision in reliance on the information contained in these materials.