BVwG - W171 2303402-1/7E

Summary

Austria's Federal Administrative Court (BVwG) upheld a Data Protection Authority decision ordering the Austrian public broadcaster ORF to redesign its cookie banner to provide equally prominent 'Accept All' and 'Only Necessary' options. The court found that ORF's original design, which used visual emphasis (blue background) on the 'Accept All' button versus less prominent alternatives, violated GDPR Article 4(11) by nudging users toward consent rather than enabling free and genuine choice. The ruling reinforces that cookie banner design must ensure visual equivalence between consent and rejection options to satisfy GDPR transparency and consent requirements.

Full text

Help BVwG - W171 2303402-1/7E: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:09, 13 May 2026 view sourceDs (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators31 editsm Tag: Visual edit← Older edit Latest revision as of 08:50, 13 May 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators31 editsmTag: Visual edit (2 intermediate revisions by the same user not shown)Line 73: Line 73: === Facts ====== Facts === On 28 October 2024, the DPA issued a decision concerning a complaint lodged by a data subject, represented by noyb, against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). It dismissed the part of the data subject’s complaint concerning the request for erasure as it found no violation of [[Article 17 GDPR]] by the ORF (the controller). The data subject had also argued that the cookie banner did not offer an equivalent rejection option on the first layer and that refusing consent was more difficult than accepting it.On 28 October 2024, the DPA issued a decision concerning a complaint lodged by a data subject, represented by noyb, against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). It dismissed the part of the data subject’s complaint concerning the request for erasure as it found no violation of [[Article 17 GDPR]] by the ORF (the controller) as the DPA considered that the controller had deleted the data already. The data subject had also argued that the cookie banner did not offer an equally prominent rejection option on the first layer and that refusing consent was more difficult than accepting it. Although the erasure complaint was dismissed, the DPA, acting on its own initiative within the same proceedings, examined the controller’s cookie banner. It found that its design could not lead to a freely given, specific, informed and unambiguous indication of the data subject’s wishes within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]]. Accordingly, the DPA ordered the controller to amend its consent request for data processing within a period of six weeks in such a way that the data subject would be offered an equivalent choice between "Accept all cookies" and "Only necessary cookies, so valid consent could be obtained. It stressed that it should be ensured that both options were equivalent in terms of visual design, including colour, size, contrast, placement, and highlighting. Although the erasure complaint was dismissed, the DPA, acting on its own initiative within the same proceedings, examined the controller’s cookie banner. It found that its design could not lead to a freely given, specific, informed and unambiguous indication of the data subject’s wishes within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]]. Accordingly, the DPA ordered the controller to amend its consent request for data processing within a period of six weeks in such a way that the data subject would be offered an equally prominent (gleichwertig) choice between "Accept all cookies" and "Only necessary cookies", so valid consent could be obtained. It stressed that it should be ensured that both options were equivalent in terms of visual design, including colour, size, contrast, placement, and highlighting. The controller appealed this decision on 25 November 2024. It claimed that the DPA’s order regarding the redesign of its cookie banner was unlawful.The controller appealed this decision on 25 November 2024. It claimed that the DPA’s order regarding the redesign of its cookie banner was unlawful. Line 88: Line 88: Regarding the DPA’s order of redesign of the controller’s cookie banner, the court first noted that it had to assess whether the cookie banner allowed users to give valid consent within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]]. It emphasised that consent requires a freely given, specific, informed and unambiguous indication of the user’s wishes and that, under [[Article 7 GDPR#1|Article 7(1) GDPR]], the controller must be able to demonstrate that such consent was obtained.Regarding the DPA’s order of redesign of the controller’s cookie banner, the court first noted that it had to assess whether the cookie banner allowed users to give valid consent within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]]. It emphasised that consent requires a freely given, specific, informed and unambiguous indication of the user’s wishes and that, under [[Article 7 GDPR#1|Article 7(1) GDPR]], the controller must be able to demonstrate that such consent was obtained. The court examined its latest version which had not changed since the DPA’s decision. It found that the controller’s website was designed is such a way that, when the site was accessed, a pop-up window opened displaying black text on a light grey background. On this cookie banner, there were three buttons: “Cookie Preferences”, “Only Necessary Cookies” and “Accept All Cookies” and users could not navigate through the website without selecting one of these options. The court noted that the buttons had the same size but different colour scheme. While the first two buttons displayed blue text on a white background and appeared less prominent against the light grey pop-up background, the “Accept All Cookies” button displayed white text on a blue background and was therefore visually highlighted through stronger contrastThe court examined its latest version which had not changed since the DPA’s decision. It found that the controller’s website was designed is such a way that, when the site was accessed, a pop-up window opened and on this, there were three buttons: “Cookie Preferences”, “Only Necessary Cookies” and “Accept All Cookies” and users could not navigate through the website without selecting one of these options. The court noted that the buttons had the same size but different colour scheme. While the first two buttons displayed blue text on a white background and appeared less prominent against the light grey pop-up background, the “Accept All Cookies” button displayed white text on a blue background and was therefore visually highlighted through stronger contrast The court confirmed the DPA’s decision that the controller’s cookie banner, including the consent request, had been designed in a such a way that the "Accept all cookies" button would stand out due to its colour scheme, especially compared with the other buttons that were visually less prominent. The court agreed that the visual emphasis placed on the “Accept All Cookies” button nudged users towards consent. Furthermore, it pointed out that a design steering users towards the more invasive option was in violation of the principle of transparency, since the request for consent must be clear, unambiguous and understandable by an average, well-informed and observant consumer.The court confirmed the DPA’s decision that the controller’s cookie banner, including the consent request, had been designed in a such a way that the "Accept all cookies" button would stand out due to its colour scheme, especially compared with the other buttons that were visually less prominent. The court agreed that the visual emphasis placed on the “Accept All Cookies” button nudged users towards consent. Furthermore, it pointed out that a design steering users towards the more invasive option was in violation of the principle of transparency. The court rejected the controller’s argument that the absence of detailed binding provisions on cookie banner design made the DPA’s order unlawful. The issue was not whether the GDPR prescribed a specific design, but whether the design of the banner allowed users to make a voluntary and genuine choice.The court rejected the controller’s argument that the absence of detailed binding provisions on cookie banner design made the DPA’s order unlawful. The issue was not whether the GDPR prescribed a spec

Entities