[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQVF4ZBWNPIyfh5KDUCBQIzVv6J2AKMt4jE1nhDuvr1E":3},{"article":4,"iocs":45},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"184e9fc7-49dd-4f16-8636-a9df47808738","BVwG - W171 2303402-1\u002F7E","bvwg-w171-2303402-1-7e-45b6bb","Created page with \"{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_Original_Name=Bundesverwaltungsgericht |Court_English_Name=Federal Administrative Court |Court_With_Country=BVwG (Austria) |Case_Number_Name=W171 2303402-1\u002F7E |ECLI= |Original_Source_Name_1=BVwG |Original_Source_Link_1=https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fa\u002Fae\u002FW171_2303402_17E_Redacted.pdf |Original_Source_Language_1=German |Original_Source_Language__Code_1=DE |Or...\" New page {{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_Original_Name=Bundesverwaltungsgericht |Court_English_Name=Federal Administrative Court |Court_With_Country=BVwG (Austria) |Case_Number_Name=W171 2303402-1\u002F7E |ECLI= |Original_Source_Name_1=BVwG |Original_Source_Link_1=https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fa\u002Fae\u002FW171_2303402_17E_Redacted.pdf |Original_Source_Language_1=German |Original_Source_Language__Code_1=DE |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Date_Decided=23.04.2026 |Date_Published= |Year=2026 |GDPR_Article_1=Article 4(11) GDPR |GDPR_Article_Link_1=Article 4 GDPR#11 |GDPR_Article_2=Article 5(1)(a) GDPR |GDPR_Article_Link_2=Article 5 GDPR#1a |GDPR_Article_3=Article 6(1)(a) GDPR |GDPR_Article_Link_3=Article 6 GDPR#1a |GDPR_Article_4=Article 7(1) GDPR |GDPR_Article_Link_4=Article 7 GDPR#1 |GDPR_Article_5=Article 58(2)(d) GDPR |GDPR_Article_Link_5=Article 58 GDPR#2d |GDPR_Article_6= |GDPR_Article_Link_6= |GDPR_Article_7= |GDPR_Article_Link_7= |EU_Law_Name_1= |EU_Law_Link_1= |EU_Law_Name_2= |EU_Law_Link_2= |National_Law_Name_1= |National_Law_Link_1= |National_Law_Name_2= |National_Law_Link_2= |Party_Name_1= |Party_Link_1= |Party_Name_2= |Party_Link_2= |Appeal_From_Body=DSB |Appeal_From_Case_Number_Name=D124.0507\u002F24 2024-0.633.166 |Appeal_From_Status= |Appeal_From_Link=https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F9\u002F9e\u002F202406331662AErledigungBescheid28102024p_schw.pdf |Appeal_To_Body= |Appeal_To_Case_Number_Name= |Appeal_To_Status= |Appeal_To_Link= |Initial_Contributor=ds | }} The court upheld a DPA order requiring the Austrian public broadcaster to redesign its cookie banner, finding that visually highlighting the “Accept All Cookies” button nudged users towards consent and undermined its validity. == English Summary == === Facts === On 28 October 2024, the DPA issued a decision concerning a complaint lodged by a data subject against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). It dismissed the part of the data subject’s complaint concerning the request for erasure as it found no violation of [[Article 17 GDPR|Article 17 GDPR]] by the ORF (the controller). The data subject had also argued that the cookie banner did not offer an equivalent rejection option on the first layer and that refusing consent was more difficult than accepting it. Although the erasure complaint was dismissed, the DPA, acting on its own initiative within the same proceedings, examined the controller’s cookie banner. It found that its design could not lead to a freely given, specific, informed and unambiguous indication of the data subject’s wishes within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]]. Accordingly, the DPA ordered the controller to amend its consent request for data processing within a period of six weeks in such a way that the data subject would be offered an equivalent choice between \"Accept all cookies\" and \"Only necessary cookies, so valid consent could be obtained. It stressed that it should be ensured that both options were equivalent in terms of visual design, including colour, size, contrast, placement, and highlighting. The controller appealed this decision on 25 November 2024. It claimed that the DPA’s order regarding the redesign of its cookie banner was unlawful. The controller argued that the authority had exceeded its jurisdiction by making an ex officio decision without informing it first of its intention. Furthermore, the controller argued that the GDPR does not lay down binding rules on the visual design of cookie banners and that the DPA had relied on non-binding guidance and literature rather than legally binding provisions. === Holding === Regarding the DPA’s jurisdiction in issuing the ex officio order for the modification of the controller’s cookie banner, the court held that this was permissible, both under [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] and relevant CJEU case law, irrespective of whether the proceeding was initiated by a data subject’s complaint. The court maintained the position that when a DPA notices GDPR violations during its investigation, it is in its powers to adopt on its own initiative the appropriate measures to remedy the identified infringements. The court rejected the controller’s argument that its procedural rights were violated. It further stated that the controller was given the opportunity to comment on the ex officio matter and found that a lack of impartiality on the part of the DPA could not be established. Regarding the DPA’s order of redesign of the controller’s cookie banner, the court first noted that it had to assess whether the cookie banner allowed users to give valid consent within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]]. It emphasised that consent requires a freely given, specific, informed and unambiguous indication of the user’s wishes and that, under [[Article 7 GDPR#1|Article 7(1) GDPR]], the controller must be able to demonstrate that such consent was obtained. The court examined its latest version which had not changed since the DPA’s decision. It found that the controller’s website was designed is such a way that, when the site was accessed, a pop-up window opened displaying black text on a light grey background. On this cookie banner, there were three buttons: “Cookie Preferences”, “Only Necessary Cookies” and “Accept All Cookies” and users could not navigate through the website without selecting one of these options. The court noted that the buttons had the same size but different colour scheme. While the first two buttons displayed blue text on a white background and appeared less prominent against the light grey pop-up background, the “Accept All Cookies” button displayed white text on a blue background and was therefore visually highlighted through stronger contrast The court confirmed the DPA’s decision that the controller’s cookie banner, including the consent request, had been designed in a such a way that the \"Accept all cookies\" button would stand out due to its colour scheme, especially compared with the other buttons that were visually less prominent. The court agreed that the visual emphasis placed on the “Accept All Cookies” button nudged users towards consent. Furthermore, it pointed out that a design steering users towards the more invasive option was in violation of the principle of transparency, since the request for consent must be clear, unambiguous and understandable by an average, well-informed and observant consumer. The court rejected the controller’s argument that the absence of detailed binding provisions on cookie banner design made the DPA’s order unlawful. The issue was not whether the GDPR prescribed a specific design, but whether the design of the banner allowed users to make a voluntary and genuine choice. Consequently, the court upheld the DPA’s order and dismissed the controller’s appeal as unfounded. == Comment == ''Share your comments here!'' == Further Resources == ''Share blogs or news articles here!'' == English Machine Translation of the Decision == The decision below is a machine translation of the German original. Please refer to the German original for more details. Summary BVwG W171 2303402-1\u002F7E File history Click on a date\u002Ftime to view the file as it appeared at that time. Date\u002FTimeDimensionsUserComment current15:14, 12 May 2026 (5.23 MB)Ds (talk | contribs)BVwG W171 2303402-1\u002F7E You cannot overwrite this file.File usage There are no pages that use this file.","Austria's Federal Administrative Court (BVwG) upheld a Data Protection Authority (DPA) order requiring the Austrian public broadcaster ORF to redesign its cookie banner to ensure valid consent under GDPR. The court found that the original design visually highlighted the \"Accept All Cookies\" button with stronger contrast and color, nudging users toward consent in violation of Article 4(11) GDPR. The court rejected ORF's arguments that the DPA exceeded its jurisdiction and that GDPR lacks binding design rules, confirming that consent mechanisms must offer genuinely equivalent visual treatment between acceptance and rejection options.","Austrian court upholds DPA order requiring ORF to redesign cookie banner with balanced consent options.","Help BVwG - W171 2303402-1\u002F7E: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 15:55, 12 May 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators41 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 15:55, 12 May 2026 BVwG - W171 2303402-1\u002F7E Court: BVwG (Austria) Jurisdiction: Austria Relevant Law: Article 4(11) GDPR Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 7(1) GDPR Article 58(2)(d) GDPR Decided: 23.04.2026 Published: Parties: National Case Number\u002FName: W171 2303402-1\u002F7E European Case Law Identifier: Appeal from: DSBD124.0507\u002F24 2024-0.633.166 Appeal to: Original Language(s): German Original Source: BVwG (in German) Initial Contributor: ds The court upheld a DPA order requiring the Austrian public broadcaster to redesign its cookie banner, finding that visually highlighting the “Accept All Cookies” button nudged users towards consent and undermined its validity. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts On 28 October 2024, the DPA issued a decision concerning a complaint lodged by a data subject against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). It dismissed the part of the data subject’s complaint concerning the request for erasure as it found no violation of Article 17 GDPR by the ORF (the controller). The data subject had also argued that the cookie banner did not offer an equivalent rejection option on the first layer and that refusing consent was more difficult than accepting it. Although the erasure complaint was dismissed, the DPA, acting on its own initiative within the same proceedings, examined the controller’s cookie banner. It found that its design could not lead to a freely given, specific, informed and unambiguous indication of the data subject’s wishes within the meaning of Article 4(11) GDPR. Accordingly, the DPA ordered the controller to amend its consent request for data processing within a period of six weeks in such a way that the data subject would be offered an equivalent choice between \"Accept all cookies\" and \"Only necessary cookies, so valid consent could be obtained. It stressed that it should be ensured that both options were equivalent in terms of visual design, including colour, size, contrast, placement, and highlighting. The controller appealed this decision on 25 November 2024. It claimed that the DPA’s order regarding the redesign of its cookie banner was unlawful. The controller argued that the authority had exceeded its jurisdiction by making an ex officio decision without informing it first of its intention. Furthermore, the controller argued that the GDPR does not lay down binding rules on the visual design of cookie banners and that the DPA had relied on non-binding guidance and literature rather than legally binding provisions. Holding Regarding the DPA’s jurisdiction in issuing the ex officio order for the modification of the controller’s cookie banner, the court held that this was permissible, both under Article 58(2)(d) GDPR and relevant CJEU case law, irrespective of whether the proceeding was initiated by a data subject’s complaint. The court maintained the position that when a DPA notices GDPR violations during its investigation, it is in its powers to adopt on its own initiative the appropriate measures to remedy the identified infringements. The court rejected the controller’s argument that its procedural rights were violated. It further stated that the controller was given the opportunity to comment on the ex officio matter and found that a lack of impartiality on the part of the DPA could not be established. Regarding the DPA’s order of redesign of the controller’s cookie banner, the court first noted that it had to assess whether the cookie banner allowed users to give valid consent within the meaning of Article 4(11) GDPR. It emphasised that consent requires a freely given, specific, informed and unambiguous indication of the user’s wishes and that, under Article 7(1) GDPR, the controller must be able to demonstrate that such consent was obtained. The court examined its latest version which had not changed since the DPA’s decision. It found that the controller’s website was designed is such a way that, when the site was accessed, a pop-up window opened displaying black text on a light grey background. On this cookie banner, there were three buttons: “Cookie Preferences”, “Only Necessary Cookies” and “Accept All Cookies” and users could not navigate through the website without selecting one of these options. The court noted that the buttons had the same size but different colour scheme. While the first two buttons displayed blue text on a white background and appeared less prominent against the light grey pop-up background, the “Accept All Cookies” button displayed white text on a blue background and was therefore visually highlighted through stronger contrast The court confirmed the DPA’s decision that the controller’s cookie banner, including the consent request, had been designed in a such a way that the \"Accept all cookies\" button would stand out due to its colour scheme, especially compared with the other buttons that were visually less prominent. The court agreed that the visual emphasis placed on the “Accept All Cookies” button nudged users towards consent. Furthermore, it pointed out that a design steering users towards the more invasive option was in violation of the principle of transparency, since the request for consent must be clear, unambiguous and understandable by an average, well-informed and observant consumer. The court rejected the controller’s argument that the absence of detailed binding provisions on cookie banner design made the DPA’s order unlawful. The issue was not whether the GDPR prescribed a specific design, but whether the design of the banner allowed users to make a voluntary and genuine choice. Consequently, the court upheld the DPA’s order and dismissed the controller’s appeal as unfounded. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the German original. Please refer to the German original for more details. Summary BVwG W171 2303402-1\u002F7E File history Click on a date\u002Ftime to view the file as it appeared at that time. Date\u002FTimeDimensionsUserComment current15:14, 12 May 2026 (5.23 MB)Ds (talk | contribs)BVwG W171 2303402-1\u002F7E You cannot overwrite this file.File usage There are no pages that use this file. Retrieved from \"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=BVwG_-_W171_2303402-1\u002F7E&oldid=51630\" Categories: BVwG (Austria)AustriaArticle 4(11) GDPRArticle 5(1)(a) GDPRArticle 6(1)(a) GDPRArticle 7(1) GDPRArticle 58(2)(d) GDPR2026German This page was last edited on 12 May 2026, at 15:55. Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted. Privacy policy About GDPRhub Disclaimers","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=BVwG_-_W171_2303402-1\u002F7E&diff=51630&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-05-12T15:55:12+00:00","2026-05-12T16:00:12.95808+00:00",7,[18,21],{"name":19,"type":20},"Österreichischer Rundfunk (ORF)","vendor",{"name":22,"type":23},"Cookie Banner \u002F Consent Management","technology","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":24,"icon":26,"name":27,"slug":28},null,"GDPR","gdpr",[30,35,40],{"category":31},{"id":32,"icon":26,"name":33,"slug":34},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":36},{"id":37,"icon":26,"name":38,"slug":39},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":41},{"id":42,"icon":26,"name":43,"slug":44},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[]]