Austria: DSB publishes FAQs on cookies, outlines conditions for 'pay or okay' mechanism

The Austrian data protection authority ('DSB') published, on 25 May 2022, FAQs on cookies and data protection, aiming to clarify the legal framework around the use of cookies under EU and Austrian law. In particular, the FAQs outline that the use of cookies is generally subject to prior user consent, unless cookies are strictly necessary, as stipulated by Article 5(3) of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') and Section 165(3) of the Telecommunications Act 2021 ('TKG'), the conditions for which are regulated by the consent provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Additionally, the FAQs set out requirements and best practices for the implementation of this legal framework, specifying, among other things, the types of cookies that are deemed 'strictly necessary', as well as best practices for the design of cookie banners to ensure that transparency and consent conditions are fully complied with.

Furthermore, the FAQs outline the DSB's position regarding cookie walls and the so-called 'pay or okay' approach. Specifically, the DSB reiterated its previously stated position that it is in principle permissible to offer payment for access to a website as an alternative to consent, though with the caveat that this is only the 'current' view of the DSB, as for the time being there is no case law from the Court of Justice of the European Union on this topic.

However, the DSB highlighted that the following conditions must be met in order for such an approach to be lawful:

  • compliance with data protection legislation, in particular the GDPR, must be ensured for data processing that takes place on the basis of consent;
  • the service provider must not be a state official or other public body;
  • there cannot be exclusivity in relation to the content or services offered, i.e. companies with an explicit public (utility) mission or universal service providers cannot legitimately use 'pay or okay';
  • the service provider cannot have a monopoly or quasi-monopoly position on the market;
  • the price for the payment alternative must be appropriate and fair, i.e. the payment alternative must not be offered pro forma at a completely unrealistically high price; and
  • if a user accesses the website using the payment alternative, no personal data may be processed for the purpose of personalised advertising.

Notably, the DSB's guidance on this matter comes shortly after the guidance issued by the French data protection authority ('CNIL'), which set out its own criteria for determining the lawfulness of the 'pay or okay' method on 16 May 2022.

You can read the FAQs here.