BVwG - W252 2282050-1/12E: Difference between revisions
m (→Facts) |
m (added link) |
||
Line 62: | Line 62: | ||
}} | }} | ||
A court | A court held that a cookie banner that nudges users to accept cookies by using a more prominent accept option violates the transparency principle and is insufficient to obtain users’ consent. | ||
== English Summary == | == English Summary == | ||
Line 73: | Line 73: | ||
On the 22 September 2023, the DSB issued a decision on the following three points: | On the 22 September 2023, the DSB issued a decision on the following three points: | ||
Point 1: The data subject’s right to erasure had been violated under [[Article 17 GDPR]]. | <u>Point 1:</u> The data subject’s right to erasure had been violated under [[Article 17 GDPR]]. | ||
Point 2: The data subject’s right to privacy had <u>not</u> been violated. | Point 2: The data subject’s right to privacy had <u>not</u> been violated under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&FassungVom=04-11-2022 §1(1) of the Austrian Data Protection Act] (''Datenschutzgesetz - DSG''). | ||
Point 3.a: The DSB ordered the controller to alter its cookie banner to make the “reject all cookies” appear in equal format to the “accept all cookies” option. | <u>Point 3.a:</u> The DSB ordered the controller to alter its cookie banner to make the “reject all cookies” appear in equal format to the “accept all cookies” option. | ||
Point 3.b: The controller must implement a function, which makes the revocation of consent just as simple as its declaration. | <u>Point 3.b:</u> The controller must implement a function, which makes the revocation of consent just as simple as its declaration. | ||
The controller appealed points 1, 3a and 3b of the decision to the Austrian Federal Administrative Court (''[[:Category:BVwG (Austria)|Bundesverwaltungsgericht – BVwG]]''). The controller posited that the GDPR does not require the “accept” and “reject” buttons to be displayed in an equal format. Further, it added that the revocation of consent was available through a footer link on the website which lead to the cookie settings. | The controller appealed points 1, 3a and 3b of the decision to the Austrian Federal Administrative Court (''[[:Category:BVwG (Austria)|Bundesverwaltungsgericht – BVwG]]''). The controller posited that the GDPR does not require the “accept” and “reject” buttons to be displayed in an equal format. Further, it added that the revocation of consent was available through a footer link on the website which lead to the cookie settings. | ||
Line 86: | Line 86: | ||
The court rejected the controller’s appeal. | The court rejected the controller’s appeal. | ||
Point 1: | <u>Point 1:</u> | ||
The data of the data subject, at the latest, had to be deleted when the complaint was filed as it clearly showed a revocation of consent to the data processing under [[Article 17 GDPR#1b|Article 17(1)(b) GDPR]]. | The data of the data subject, at the latest, had to be deleted when the complaint was filed as it clearly showed a revocation of consent to the data processing under [[Article 17 GDPR#1b|Article 17(1)(b) GDPR]]. | ||
Point 3.a: | <u>Point 3.a:</u> | ||
The court acknowledged that the cookie banner impairs users because of its size and they would quickly click on the highlighted accept option. In particular, they will not have understood the implications of the data processing. | The court acknowledged that the cookie banner impairs users because of its size and they would quickly click on the highlighted accept option. In particular, they will not have understood the implications of the data processing. | ||
Line 100: | Line 100: | ||
The court concluded that the controller could not prove that the data subject gave unambiguous consent as per [[Article 7 GDPR]]. | The court concluded that the controller could not prove that the data subject gave unambiguous consent as per [[Article 7 GDPR]]. | ||
Point 3b: | <u>Point 3b:</u> | ||
The court highlighted that under [[Article 7 GDPR#3|Article 7(3) GDPR]], withdrawing consent should be as easy as giving consent meaning that the action required to revoke consent must be just as simple as the action for agreeing to the data processing. | The court highlighted that under [[Article 7 GDPR#3|Article 7(3) GDPR]], withdrawing consent should be as easy as giving consent meaning that the action required to revoke consent must be just as simple as the action for agreeing to the data processing. |
Revision as of 10:05, 4 December 2024
BVwG - W252 2282050-1/12E | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 7 GDPR Article 17 GDPR |
Decided: | 25.11.2024 |
Published: | |
Parties: | |
National Case Number/Name: | W252 2282050-1/12E |
European Case Law Identifier: | |
Appeal from: | DSB (AT) |
Appeal to: | |
Original Language(s): | German |
Original Source: | GDPRhub (in German) |
Initial Contributor: | ao |
A court held that a cookie banner that nudges users to accept cookies by using a more prominent accept option violates the transparency principle and is insufficient to obtain users’ consent.
English Summary
Facts
On the 09 August 2022, a data subject filed a complaint with the Austrian DPA (Datenschutzbehörde – DSB) alleging that the controller unlawfully processed their personal data without the data subjects valid consent. The data subject alleged that, due to the use of dark patterns by the controller, the principle of transparency was violated and that the withdrawal of consent was not as easy as its issuance. Therefore, the data subject requested the erasure of their personal data.
The option to reject cookies was a link, which was only identifiable as a link when hovering over it with the mouse. The accept button on the other hand was strongly highlighted by being placed in the middle of the banner and in a colour with strong contrast to the background.
On the 22 September 2023, the DSB issued a decision on the following three points:
Point 1: The data subject’s right to erasure had been violated under Article 17 GDPR.
Point 2: The data subject’s right to privacy had not been violated under §1(1) of the Austrian Data Protection Act (Datenschutzgesetz - DSG).
Point 3.a: The DSB ordered the controller to alter its cookie banner to make the “reject all cookies” appear in equal format to the “accept all cookies” option.
Point 3.b: The controller must implement a function, which makes the revocation of consent just as simple as its declaration.
The controller appealed points 1, 3a and 3b of the decision to the Austrian Federal Administrative Court (Bundesverwaltungsgericht – BVwG). The controller posited that the GDPR does not require the “accept” and “reject” buttons to be displayed in an equal format. Further, it added that the revocation of consent was available through a footer link on the website which lead to the cookie settings.
Holding
The court rejected the controller’s appeal.
Point 1:
The data of the data subject, at the latest, had to be deleted when the complaint was filed as it clearly showed a revocation of consent to the data processing under Article 17(1)(b) GDPR.
Point 3.a:
The court acknowledged that the cookie banner impairs users because of its size and they would quickly click on the highlighted accept option. In particular, they will not have understood the implications of the data processing.
Furthermore, consent is not unambiguous as users are clearly nudged by the design. This is also contrary to the principle of transparency, as it points users towards the more invasive data processing option.
In addition, the cookie banner creates a situation "where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected" (Recital 58 GDPR).
The court concluded that the controller could not prove that the data subject gave unambiguous consent as per Article 7 GDPR.
Point 3b:
The court highlighted that under Article 7(3) GDPR, withdrawing consent should be as easy as giving consent meaning that the action required to revoke consent must be just as simple as the action for agreeing to the data processing.
The court agreed with the DSB stating that it is not clear where exactly consent can be withdrawn based on the information provided in the cookie banner.
The court considered that a floating icon is not necessary to withdraw consent because otherwise the option to withdraw consent would constantly block a big part of the screen.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.