Privacy & Information Security Law Blog

On November 30, 2018, the Austrian Data Protection Authority (“DPA”) published a decision in response to a complaint received from an individual regarding the cookie consent options offered on an Austrian newspaper’s website. As a factual matter, the Austrian newspaper offered three options to individuals who sought to access content on the site: (1) accept the use of cookies for analytics and advertising purposes and have full, complimentary website access; (2) refuse cookies and obtain access to only limited content on the website; or (3) pay a monthly subscription of €6 to obtain full access to the website without accepting the use of cookies and similar tracking technologies.

The complainant argued that this approach by the newspaper did not comply with the requirements for valid consent under the EU General Data Protection Regulation (“GDPR”) since access to site content was conditional on an individual consenting to the processing of personal data that is not necessary for the newspaper to provide the service.

The DPA’s decision

The Austrian DPA decided to dismiss the complaint, positing that the consent solution offered by the newspaper met the conditions for freely-given, valid consent under the GDPR. In reaching this conclusion, the DPA referred to the Article 29 Working Party’s Guidelines on Consent, which state that consent is not freely given if there is a risk of deception, intimidation, coercion or significant negative consequences if the individual does not consent. The DPA reasoned that in this case, individuals did not face significant negative consequences since they could choose to subscribe to the site for a small fee or simply choose another online newspaper as a source of information.

This decision under the GDPR by the Austrian DPA is favorable to newspapers and other media publishers who provide online content financed by advertising. The UK Information Commissioner’s Office (the “ICO”) recently took a different view in a case concerning a similar online subscription model from the Washington Post (see here for our blog on this case). In the Washington Post case, the ICO reasoned under the GDPR that individuals must be offered a complimentary alternative to accepting cookies and should be able to opt out from cookies at all subscription levels. The differing approaches taken by the Austrian DPA and the UK ICO demonstrates a lack of alignment on this issue, and it remains to be seen how other DPAs will decide on the issue.