Austria: DSB publishes FAQs on cookies, outlines conditions for 'pay or okay' mechanism
Furthermore, the FAQs outline the DSB's position regarding cookie walls and the so-called 'pay or okay' approach. Specifically, the DSB reiterated its previously stated position that it is in principle permissible to offer payment for access to a website as an alternative to consent, though with the caveat that this is only the 'current' view of the DSB, as for the time being there is no case law from the Court of Justice of the European Union on this topic.
However, the DSB highlighted that the following conditions must be met in order for such an approach to be lawful:
- compliance with data protection legislation, in particular the GDPR, must be ensured for data processing that takes place on the basis of consent;
- the service provider must not be a state official or other public body;
- there cannot be exclusivity in relation to the content or services offered, i.e. companies with an explicit public (utility) mission or universal service providers cannot legitimately use 'pay or okay';
- the service provider cannot have a monopoly or quasi-monopoly position on the market;
- the payment alternative must be offered at an appropriate and fair price, i.e. it must not be offered pro forma at a completely unrealistically high price; and
- if a user accesses the website using the payment alternative, no personal data may be processed for the purpose of personalised advertising.
Notably, the DSB's guidance on this matter comes shortly after the guidance issued by the French data protection authority ('CNIL'), which set out its own criteria for determining the lawfulness of the 'pay or okay' method on 16 May 2022.