The Legal Framework: TKG 2021 and the GDPR

Austria regulates cookies and tracking technologies through two overlapping instruments. Section 165(3) of the Telekommunikationsgesetz 2021 (TKG 2021) transposes the EU ePrivacy Directive into Austrian law and governs when cookies may be placed on a device. The GDPR (applied domestically through the Datenschutzgesetz, or DSG) covers the processing of personal data collected via those cookies.

The TKG 2021 replaced the earlier TKG 2003 in November 2021, aligning Austrian telecommunications law with the European Electronic Communications Code. For cookie compliance, the core rule remains the same: storing or accessing information on a user's device requires prior, informed consent unless a narrow exemption applies.

The Austrian Data Protection Authority - the Datenschutzbehoerde (DSB) - enforces both the GDPR and the cookie-specific provisions of the TKG 2021. This dual mandate means a single cookie violation can trigger penalties under either or both regimes.

Which Cookies Need Consent Under Austrian Law

The TKG 2021 draws a clear line between cookies that require consent and those that do not.

Cookies that serve the sole purpose of carrying out a communication over an electronic communications network, or that are strictly necessary to provide a service explicitly requested by the user, are exempt from the consent requirement. Session cookies like PHPSESSID, load-balancer cookies, and shopping cart cookies typically fall into this category.

Every other cookie - including analytics cookies such as _ga and _gid, marketing cookies like _fbp and _gcl_au, and social media embeds - requires opt-in consent before being set. The DSB has been explicit that "economic necessity" does not qualify a cookie as technically necessary. Advertising cookies used to finance a website do not become exempt simply because the business depends on ad revenue.

| Cookie Type | Examples | Consent Required | Legal Basis |
|---|---|---|---|
| Strictly necessary | PHPSESSID, cart tokens | No | TKG 2021 Section 165(3) exemption |
| Functional / preferences | pll_language, theme settings | Yes | GDPR Article 6(1)(a) consent |
| Analytics | _ga, _gid | Yes | GDPR Article 6(1)(a) consent |
| Marketing / advertising | _fbp, _gcl_au | Yes | GDPR Article 6(1)(a) consent |

The Landmark Google Analytics Ruling (DSB-D155.027, 2021-0.586.257)

Austria became the first EU member state to rule that the use of Google Analytics violated the GDPR following the Schrems II decision. In its December 2021 ruling (case reference 2021-0.586.257), the DSB found that a medical news website, NetDoktor, had unlawfully transferred personal data to Google LLC servers in the United States by using Google Analytics.

The DSB concluded that Google's IP anonymisation feature was not properly implemented, and that unique identification numbers generated by Google Analytics could be used to single out individual users. Because Google is subject to US surveillance laws, the authority held that contractual safeguards alone were insufficient. The website had failed to implement adequate "supplementary measures" as required by GDPR Chapter V.

This decision triggered a domino effect across Europe. The French CNIL, the Italian Garante, and the Danish Datatilsynet each issued similar findings in the months that followed. The ruling remains a reference point for any Austrian website using analytics tools that transfer data to third countries.

Cookie Banner Rules: DSB Guidance on Dark Patterns

The DSB published detailed FAQs on cookies and data protection in December 2023, setting strict requirements for how cookie banners must be designed.

The reject option cannot be made less prominent than the accept option. Both buttons must appear on the first layer of the banner. The DSB requires equal design in colour, size, contrast, placement, and prominence. A coloured "Accept All" button paired with a grey "Reject" text link does not meet this standard. Austria's higher courts confirmed in 2025 that such asymmetric designs violate GDPR consent requirements.

A minimum contrast ratio of 3:1 applies to all interactive elements on the banner.

Pre-ticked checkboxes do not constitute valid consent, consistent with the CJEU's Planet49 ruling (Case C-673/17). Consent must be freely given, specific, informed, and unambiguous - an affirmative opt-in action from the user. Scrolling, continued browsing, or closing the banner without making a choice does not qualify.

These rules align closely with the positions taken by the CNIL in France and the German authorities under the TTDSG, though Austria's explicit stance on button parity is particularly detailed.

Enforcement and Fines

Cookie-specific violations under the TKG 2021 carry administrative fines of up to EUR 50,000. GDPR violations processed through the DSB can attract the standard GDPR penalty regime - up to EUR 20 million or 4% of global annual turnover, whichever is higher.

The DSB processed 3,813 complaints in 2024, completing 214 procedures that resulted in 62 fines totalling approximately EUR 1.7 million. The authority faces significant resource constraints: its 2025 budget stood at EUR 6.1 million, and most proceedings exceed the statutory six-month deadline.

While no publicly reported fines have targeted cookie violations specifically under the TKG 2021, enforcement pressure is growing. Activist organisations such as noyb (based in Vienna) have filed hundreds of complaints about dark patterns in cookie banners across the EU, and many of those complaints are directed at the DSB.

How Austrian Rules Compare to Neighbouring Countries

Austria's framework sits within the broader EU cookie consent regime but has distinct characteristics worth noting if your website targets the DACH region and Central Europe.

Germany's TTDSG follows a similar structure, requiring opt-in consent for non-essential cookies under its own ePrivacy transposition. The Czech Republic's UOOU and Hungary's NAIH also mandate prior consent, though enforcement intensity varies. Austria's DSB has been comparatively influential through its early Google Analytics decision and detailed banner design guidance.

One practical difference is the TKG 2021's EUR 50,000 cap on cookie-specific fines, which is lower than the GDPR maximum. German cookie fines under the TTDSG can reach EUR 300,000. Both countries supplement these with GDPR penalties for the underlying data processing.

Compliance Checklist for Austrian Websites

If your website is accessible to Austrian visitors or your organisation is established in Austria, these steps form the baseline for compliance.

  • Run a cookie scan to identify every cookie and tracker on your site, including those set by third-party scripts

  • Classify each cookie as strictly necessary, functional, analytics, or marketing

  • Block all non-essential cookies until the user gives explicit opt-in consent

  • Present a cookie banner with equally prominent accept and reject buttons on the first layer

  • Maintain a minimum 3:1 contrast ratio on all banner elements

  • Provide granular category-level choices so users can consent to specific cookie types

  • Record and store consent receipts with timestamps

  • Review all third-country data transfers, especially to the US, and verify adequate safeguards under GDPR Chapter V

  • Implement Google Consent Mode v2 if using Google services

  • Publish a clear cookie policy listing each cookie, its purpose, duration, and provider
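The classification, blocking and banner steps above can be checked automatically. The following is an added example, not code from this page or from any vendor: it audits a cookie string against recorded consent using the cookie names listed on this page, and tests banner buttons for the 3:1 contrast minimum and accept/reject parity. The function names, the consent object shape and the button properties (fg, bg, fontSizePx) are hypothetical, and the contrast ratio is assumed to be computed with the WCAG relative-luminance formula.

```javascript
// Categories for the cookie names this page lists (added example).
const CATEGORY = new Map([
  ["PHPSESSID", "necessary"], ["pll_language", "functional"],
  ["_ga", "analytics"], ["_gid", "analytics"],
  ["_fbp", "marketing"], ["_gcl_au", "marketing"],
]);

// Cookies present without a matching opt-in. Unknown names fail closed.
function auditCookies(cookieHeader, consent) {
  const violations = [];
  for (const pair of cookieHeader.split(";")) {
    const name = pair.split("=")[0].trim();
    if (!name) continue;
    const category = CATEGORY.get(name) || "unclassified";
    if (category === "necessary") continue;
    if (consent[category] !== true) violations.push({ name, category });
  }
  return violations;
}

// WCAG relative luminance of a "#rrggbb" colour (assumed formula).
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

function contrastRatio(fg, bg) {
  const [hi, lo] = [luminance(fg), luminance(bg)].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

// Flags buttons under 3:1 and any styling difference between accept and reject.
function checkBanner(accept, reject) {
  const issues = [];
  for (const [label, btn] of [["accept", accept], ["reject", reject]]) {
    if (contrastRatio(btn.fg, btn.bg) < 3) issues.push(`${label}: contrast below 3:1`);
  }
  for (const prop of ["fg", "bg", "fontSizePx"]) {
    if (accept[prop] !== reject[prop]) issues.push(`parity: ${prop} differs`);
  }
  return issues;
}

// Constructed sample: visitor opted in to analytics only.
const sampleCookies = "PHPSESSID=abc123; _ga=GA1.2.111.222; _fbp=fb.1.1.1; pll_language=de";
console.log(auditCookies(sampleCookies, { analytics: true }));
```
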

Frequently Asked Questions

Does Austria require cookie consent for analytics cookies?

Yes. Under Section 165(3) of the TKG 2021, analytics cookies such as _ga are not considered strictly necessary and require prior opt-in consent from the user before being placed on their device.

What is the maximum fine for cookie violations in Austria?

Cookie-specific violations under the TKG 2021 carry fines of up to EUR 50,000. If the cookie use also involves unlawful personal data processing, GDPR fines of up to EUR 20 million or 4% of global turnover may apply on top.

Can I use Google Analytics on an Austrian website?

You can, but only with valid user consent and adequate safeguards for the US data transfer. The DSB ruled in 2021 that using Google Analytics without proper supplementary measures violated the GDPR. Configuring server-side tagging, IP anonymisation, and data processing within the EU can help reduce risk.

Does the reject button need to be the same size as the accept button in Austria?

Yes. The DSB requires that the reject option must match the accept option in colour, size, contrast, and placement. Making the reject option less prominent - for example, a grey text link versus a coloured button - is considered a dark pattern and violates consent requirements.

Which law governs cookies in Austria - the GDPR or the TKG?

Both apply. The TKG 2021 (Section 165) governs the act of placing cookies on a device. The GDPR governs the processing of any personal data collected through those cookies. The DSB enforces both.

Is a cookie wall allowed under Austrian law?

The DSB has indicated that consent must be freely given. Blocking access to a website entirely unless a user accepts all cookies is unlikely to meet this standard, as it effectively forces consent rather than offering a genuine choice.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
