
Cookie Consent and Analytics in Austria: What Austrian Website Owners Need to Know in 2026

Austria was the only EU country to vote against the GDPR. Not because Austrian lawmakers didn't care about privacy, but because the regulation wasn't strict enough for their constitutional standards. Then a Vienna nonprofit, noyb, filed 101 complaints that triggered the first Google Analytics ban in Europe. By 2024, litigation originating from that same nonprofit was responsible for 40% of all GDPR fines ever issued across the entire European Union: 1.69 billion euros.

I'm David, founder of Clickport. I build privacy-first analytics that don't use cookies or require consent banners. This article is specifically for Austrian website owners: what the DSB actually requires, why Austria has no analytics exemption (unlike France), where Google Analytics stands after the Data Privacy Framework, and what's coming next.

If you run a website that serves Austrian visitors, this is the regulatory landscape you're operating in. And it's stricter than you think.

Austria's privacy DNA

Austria passed its first data protection law in 1978, making it one of the earliest countries in the world with comprehensive data protection legislation. What made it unusual: Section 1 of the DSG (Datenschutzgesetz) has constitutional status, enshrining data secrecy as a fundamental right. It also extends data protection rights to legal persons, not just individuals. Broader than the GDPR in scope from day one.

That constitutional commitment didn't come from nowhere. Before WWII, IBM's Viennese subsidiary helped catalog Austrian citizens on Hollerith punch cards before the 1938 Anschluss, enabling the identification of 220,000 people classified as Jewish under the Nuremberg Laws. The weaponization of personal data against a civilian population happened in Austria, on Austrian infrastructure. During the Cold War, Vienna sat at the intersection of NATO and Warsaw Pact interests, becoming one of the world's great espionage capitals. The NSA allegedly operated a listening post from a villa overlooking the city. Decades of being a surveillance target created cultural sensitivity to data collection that runs deeper than regulation.

That's why Max Schrems, noyb, and epicenter.works (the NGO that successfully abolished the EU Data Retention Directive at the CJEU in 2014) all emerged from Vienna. And why Andrea Jelinek, head of Austria's data protection authority since 2014, was elected to chair the European Data Protection Board, the EU's top privacy body.

Austria doesn't follow European privacy standards. It sets them.

Austria's privacy milestones

1978: Austria passes the DSG with constitutional status. One of the world's earliest data protection laws.
Apr 2014: epicenter.works (Vienna) abolishes the EU Data Retention Directive at the CJEU.
Jun 2017: Max Schrems founds noyb in Vienna. Now responsible for 40% of all EU GDPR fines.
Aug 2020: noyb files 101 complaints across 30 EU/EEA states targeting Google Analytics and Facebook Connect.
Dec 2021: DSB becomes the first EU DPA to rule Google Analytics illegal.
Dec 2024: noyb approved as Qualified Entity for EU-wide class actions. First actions planned for 2025.

The DSB: 53 people protecting 9 million

The Datenschutzbehörde (DSB) is Austria's data protection authority. It has 53 employees and approximately 20 administrative interns, working on a budget of EUR 5.9 million. For comparison, Ireland's Data Protection Commission has a budget of EUR 28 million, and Germany deploys around 1,200 DPA staff across its federal and state authorities.

The numbers paint a stark picture. Since 2017, individual complaints to the DSB have increased by 769%, reaching 3,813 in 2024. But in 2023, only 55 fines were issued out of 4,030 proceedings. That's a 1.36% conversion rate. In 2024, 62 fines were issued, totaling approximately EUR 1.7 million. Most were small.

Starting July 2025, most of the DSB's intern positions could not be replaced. The DSB announced it would only initiate ex officio proceedings when an external submission indicates a "sufficiently concrete suspicion of a serious violation." Proactive investigations have been abandoned entirely. NOYB and epicenter.works filed a formal complaint with the European Commission about the chronic underfunding.

But don't let the small budget mislead you. This is the same authority whose Google Analytics ruling triggered a wave of bans across Europe. And what the DSB lacks in resources, Vienna's privacy NGOs more than compensate for. NOYB alone has over 5,250 supporting members, 20+ legal and IT experts, and a track record of forcing outcomes that no individual DPA could achieve alone. If your cookie banner isn't compliant, the complaint is more likely to come from NOYB's automated scanning system than from the DSB itself.

The rules you're actually subject to

Cookie consent in Austria is governed by Section 165(3) of the TKG 2021 (Telekommunikationsgesetz), Austria's implementation of the EU ePrivacy Directive. The rules are clear and strict.

Prior consent is required for all non-essential cookies. If it reads from or writes to a visitor's device and isn't technically necessary to deliver the service they requested, you need opt-in consent before it fires. That applies to HTTP cookies, local storage, fingerprinting, pixel tags, and device identifiers. The law is technology-neutral.

There are only two exemptions. A cookie is exempt if its sole purpose is transmitting a communication over a network, or if it's strictly necessary to provide a service the user explicitly requested (session management, shopping carts, consent status storage). That's it.

Analytics cookies are not exempt. The DSB's official FAQ is unambiguous: "The controller's use of analytics cookies cannot in any case be considered technically necessary cookies." Not for first-party analytics. Not for privacy-friendly analytics. Not for self-hosted analytics. If your tool sets a cookie, you need consent.

This is the critical difference from France. CNIL maintains a formal exemption framework that allows 18 analytics tools to operate without consent if they meet strict conditions (first-party only, no cross-site tracking, 13-month cookie limit). Austria has no such framework. The DSB does not maintain an approved list. The DSB does not evaluate analytics tools for consent exemption. Every analytics cookie requires consent, period.

Austria vs. France: analytics consent requirements

Austria (TKG 2021):
No consent exemption for analytics
No approved tools list
All analytics cookies need consent
Legitimate interest does not apply
Max TKG fine: EUR 50,000 (+ GDPR fines)

France (CNIL):
Formal consent exemption since 2020
18 tools evaluated and approved
Exempt tools: no banner needed
Self-assessment framework from 2026
CNIL enforces both cookie + GDPR

Cookieless analytics (no device storage at all) avoid the TKG 2021 consent requirement entirely, because no data is stored on or read from the user's device.

"Legitimate interest" does not bypass cookie consent. Even if you argue legitimate interest as your GDPR legal basis for processing analytics data, that doesn't help. The TKG 2021 consent requirement applies independently at the device-access layer. Consent is the only legal basis for placing a non-essential cookie on an Austrian visitor's device.

Enforcement is split between two authorities. The Telecommunications Office (Fernmeldebüro) handles TKG 2021 violations with fines up to EUR 50,000. The DSB handles GDPR violations on top of that. A single non-compliant cookie banner could trigger enforcement from both.

The DSB published detailed cookie FAQs establishing concrete design requirements. Both "Accept" and "Reject" must be visible on the first layer. Pre-ticked checkboxes are invalid. Withdrawing consent must be as easy as giving it. And the accept button cannot be more visually prominent than the reject option.

That last point got Austria's biggest website into trouble.

ORF (orf.at), Austria's public broadcaster, was ordered by the DSB in October 2024 to redesign its cookie banner. The site was placing cookies before any user interaction and lacked a clear reject option. The "Accept all cookies" button was displayed in dark blue while alternative options used a pale color that blended into the background. The DSB mandated equal visual prominence for all options and set a minimum 3:1 contrast ratio (per ISO 9241-303). ORF was given six weeks to comply.
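To check a banner against the 3:1 minimum described above, the following added example (not from the DSB decision or from Clickport) measures each button against the banner background and each label against its button. It assumes the WCAG 2.x relative-luminance formula, since the page cites ISO 9241-303 without giving a formula, and the colour values are constructed.

```javascript
// Added example. Banner colours are constructed sample values.
// Assumption: contrast uses the WCAG 2.x relative-luminance formula.

function parseHex(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex);
  if (!m) throw new Error(`unsupported colour: ${hex}`);
  const n = parseInt(m[1], 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

function relativeLuminance(hex) {
  // Linearise each sRGB channel, then weight by perceived brightness.
  const [r, g, b] = parseHex(hex).map((c) => {
    const s = c / 255;
    return s <= 0.04045 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

function contrastRatio(a, b) {
  const la = relativeLuminance(a);
  const lb = relativeLuminance(b);
  const [hi, lo] = la > lb ? [la, lb] : [lb, la];
  return (hi + 0.05) / (lo + 0.05);
}

// Returns one finding per failed check; an empty array means every button
// stands out from the banner and every label is legible at minRatio.
function auditBannerButtons(banner, minRatio = 3) {
  const findings = [];
  for (const btn of banner.buttons) {
    const checks = [
      ['button blends into banner', contrastRatio(btn.background, banner.background)],
      ['label blends into button', contrastRatio(btn.text, btn.background)],
    ];
    for (const [issue, ratio] of checks) {
      if (ratio < minRatio) {
        findings.push({ button: btn.id, issue, ratio: Number(ratio.toFixed(2)) });
      }
    }
  }
  return findings;
}

// Constructed banner: dark blue accept button, pale reject button.
const paleRejectBanner = {
  background: '#ffffff',
  buttons: [
    { id: 'accept', background: '#0a3d91', text: '#ffffff' },
    { id: 'reject', background: '#f2f2f2', text: '#9a9a9a' },
  ],
};

// Same banner with the reject button styled like the accept button.
const equalBanner = {
  background: '#ffffff',
  buttons: [
    { id: 'accept', background: '#0a3d91', text: '#ffffff' },
    { id: 'reject', background: '#0a3d91', text: '#ffffff' },
  ],
};

console.log(auditBannerButtons(paleRejectBanner)); // two findings, both on "reject"
console.log(auditBannerButtons(equalBanner));      // no findings
```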

DerStandard (derstandard.at) went further with a "pay or consent" model. Visitors could either accept all tracking or pay EUR 9.90 per month for a subscription. No middle option. No granular consent. Over 99.9% of readers clicked "consent." In August 2025, the Federal Administrative Court (BVwG) ruled this illegal because consent must be granular: users must be able to accept analytics but reject advertising, or vice versa. Blanket consent is not valid consent. The court compared DerStandard's approach to Krone.at, which offered separate toggles for advertising, analytics, and external resources, and found Krone's approach compliant.

Google reCAPTCHA was also ruled unlawful without consent by the BVwG in September 2024. A political party's website had transferred 615 data packets to Google after the user had explicitly declined consent. The court ruled that reCAPTCHA cookies are not technically necessary and cannot rely on legitimate interest.

Austrian cookie consent rulings: what went wrong

ORF (public broadcaster): Accept button in dark blue, reject blended into background. Cookies before any interaction. Outcome: redesign ordered.
DerStandard (news): "Pay EUR 9.90/month or accept all tracking." No granular consent. 99.9% clicked accept. Outcome: ruled illegal.
Political party website (reCAPTCHA): 615 data packets sent to Google after user declined consent. Justified as "legitimate interest." Outcome: ruled unlawful.

Sources: DSB ORF decision, BVwG DerStandard ruling, BVwG reCAPTCHA ruling

The pattern is consistent: Austrian courts treat consent as a genuine choice, not a design exercise. If your banner makes rejection harder than acceptance, the consent is invalid. If your consent model removes granularity, the consent is invalid. If your service loads tracking after refusal, the consent is invalid.
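The rulings above reduce to rules that can be checked against a recorded page load: nothing non-essential is stored before the visitor chooses, and nothing is stored for a purpose they did not accept. The following added example (not code from the DSB, NOYB or Clickport) audits a constructed event trace; the purpose table and every name in it except `_ga` and `_gid` are assumptions.

```javascript
// Added example. The trace and the purpose table are constructed; only
// _ga and _gid are identifiers named on the page.
const PURPOSES = new Map([
  ['session_id', 'essential'],      // hypothetical session cookie
  ['consent_status', 'essential'],  // stores the visitor's banner choice
  ['_ga', 'analytics'],
  ['_gid', 'analytics'],
  ['ad_id', 'advertising'],         // hypothetical advertising identifier
]);

function purposeOf(name) {
  // Fail closed: anything not classified is treated as needing consent.
  return PURPOSES.get(name) ?? 'unclassified';
}

// events: { t, type: 'consent', granted: [purposes] }
//      or { t, type: 'storage', kind, name }  (cookie, localStorage, ...)
function auditTrace(events) {
  let granted = null; // null until the visitor interacts with the banner
  const findings = [];
  const ordered = [...events].sort((a, b) => a.t - b.t);
  for (const ev of ordered) {
    if (ev.type === 'consent') {
      granted = new Set(ev.granted); // a later choice replaces the earlier one
      continue;
    }
    const purpose = purposeOf(ev.name);
    if (purpose === 'essential') continue;
    if (granted === null) {
      findings.push({ t: ev.t, name: ev.name, purpose, rule: 'stored-before-consent' });
    } else if (!granted.has(purpose)) {
      findings.push({ t: ev.t, name: ev.name, purpose, rule: 'stored-without-consent' });
    }
  }
  return findings;
}

// Constructed trace of one visit (t in milliseconds since navigation).
const sampleTrace = [
  { t: 80,   type: 'storage', kind: 'cookie', name: 'session_id' },
  { t: 120,  type: 'storage', kind: 'cookie', name: '_ga' },          // before any choice
  { t: 5000, type: 'consent', granted: ['analytics'] },               // granular: analytics only
  { t: 5010, type: 'storage', kind: 'cookie', name: 'consent_status' },
  { t: 5200, type: 'storage', kind: 'cookie', name: '_gid' },         // allowed
  { t: 5300, type: 'storage', kind: 'cookie', name: 'ad_id' },        // advertising not accepted
  { t: 5400, type: 'storage', kind: 'localStorage', name: 'px_77' },  // unclassified
  { t: 9000, type: 'consent', granted: [] },                          // consent withdrawn
  { t: 9100, type: 'storage', kind: 'cookie', name: '_ga' },          // after withdrawal
];

console.log(auditTrace(sampleTrace));
```

A trace like this can be captured with browser developer tools or a headless browser; the audit itself only needs the ordered list of storage writes and consent choices.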

NOYB's automated scanning system has filed over 500 cookie banner complaints across Europe. They found that 81% of scanned websites had no "reject" option on the first banner layer, and that only 3% of users actually want to consent when given a fair choice. Dark patterns push that number above 90%. If your consent rate seems unusually high, your banner probably isn't compliant.

Google Analytics: the domino started here

On December 22, 2021, the Austrian DSB issued a partial decision (case D155.027) finding that an Austrian website's use of Google Analytics violated GDPR Chapter V. The website was NetDoktor.at, an Austrian health portal. NOYB published the decision on January 13, 2022. It was the first ruling of its kind in the EU.

The DSB's legal reasoning was methodical. Google Analytics places cookies (_ga, _gid, and a Client ID) on the visitor's device. The DSB ruled these identifiers constitute personal data because they enable "singling out" a visitor, even without directly identifying them. Google's supplementary measures were rejected one by one:

On April 22, 2022, the DSB issued a second decision (case D155.026) that went further. Google had argued that the probability of US intelligence actually requesting a specific visitor's data was low. The DSB rejected this "risk-based approach" entirely: the legality of data transfers cannot be assessed on case-by-case probability. If the legal mechanism for forced access exists, the transfer is unlawful.

Then the dominos fell.

The domino effect: Austria ruled first, Europe followed

Dec 2021: Austria (DSB) rules Google Analytics illegal. First in Europe.
Jan 2022: EDPS orders the European Parliament itself to stop using Google Analytics.
Feb 2022: France (CNIL) rules Google Analytics illegal. Orders websites to stop within 1 month.
Jun 2022: Italy (Garante) declares Google Analytics data transfers unlawful.
Sep 2022: Denmark (Datatilsynet) declares Google Analytics non-GDPR-compliant.
Jan 2023: Finland rules Google Analytics and Google Tag Manager violate privacy law.
Mar 2023: Norway (Datatilsynet) issues preliminary opinion: Google Analytics is illegal.
Jul 2023: Sweden (IMY) issues the first GA fine: EUR 1 million against Tele2.
Jul 2023: EU-US Data Privacy Framework adopted. Google certified. Transfer issue temporarily resolved.

Then came the Data Privacy Framework. On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF). Google is DPF-certified. This resolved the specific Chapter V transfer violation the DSB identified in 2021.

But the DPF only fixes one problem. There are two layers of compliance:

  1. TKG 2021 (cookie placement): You still need consent for analytics cookies. The DPF doesn't change this.
  2. GDPR Chapter V (data transfer): The DPF provides a legal basis for transfers to certified US companies.

The DSB's original ruling is effectively moot on the transfer question. But Austrian websites running Google Analytics without proper cookie consent are still violating the TKG 2021. The violation just moved from Chapter V to the cookie layer.

And "currently legal" may not last. The PCLOB (Privacy and Civil Liberties Oversight Board), cited 31 times in the European Commission's adequacy decision as a crucial oversight mechanism, has been gutted by the Trump administration. Three of four members were fired in January 2025. The board can't form a quorum. Meanwhile, Philippe Latombe's appeal to the CJEU to invalidate the DPF is pending, with a ruling expected in late 2026 or 2027. This is the same court that struck down Safe Harbor (2015) and Privacy Shield (2020).

As Schrems put it: "This deal was always built on sand."

For the full EU-wide picture, see our detailed analysis of Google Analytics' legal status.

What the DSB has actually fined

Austria's largest GDPR fines tell you what the DSB prioritizes, and what you're risking by ignoring data protection.

Largest DSB fines

Austrian Post (Österreichische Post): Sold political affinity data on 2.2 million citizens to political parties. EUR 16M
Austrian Post (second fine): Refused to let people exercise data access rights via email. EUR 9.5M
REWE International (jo Bonus Club): Loyalty program profiling without proper consent. Disclosure hidden below the fold. EUR 8M

No cookie-specific monetary fines have been issued yet, only corrective orders (ORF, DerStandard). But with NOYB now authorized for EU-wide class actions and noyb's automated cookie scanning targeting thousands of sites, that's likely to change. Source: CMS GDPR Enforcement Tracker

The Austrian Post fine deserves attention. The company algorithmically estimated the political leanings of 2.2 million Austrians ("45% social-democratic, 20% conservative, 5% Green Party") and sold this data to political parties for targeted mailings. The original EUR 18 million fine was imposed in October 2019, overturned on procedural grounds, then re-imposed at EUR 16 million in December 2024. This is the kind of data misuse Austria's constitutional privacy framework was designed to prevent.

The REWE fine is instructive for website operators. The jo Bonus Club registration form was designed so that profiling disclosures appeared below the fold. Users submitted the form before seeing the profiling notice. The DSB ruled this was not valid informed consent. The principle applies directly to cookie banners: if critical information is hidden from the user, consent is invalid.

Also notable: the DSB found that Clearview AI violated GDPR by scraping Austrian citizens' facial images for its 30+ billion image biometric database. No fine was imposed, but data deletion was ordered. And the DSB ruled that Meta's tracking pixel on websites also violates the GDPR under the same Schrems II logic as Google Analytics.

34% switched. The rest are flying blind.

After the DSB's ruling, 34% of Austrian websites removed Google Analytics, according to a study by Dataprovider.com that tracked 167,963 Austrian websites. That's a significant migration, but it means 66% stayed.

Those who stayed face the same data problem that plagues every cookie-dependent analytics tool in Europe. Research from CookieYes (2026) found that fewer than 25% of European users accept analytics cookies when given a fair choice. The eTracker benchmark study found an average of 60% visit data loss with a legally compliant banner design. And noyb's own research found that only 3% of users actually want to consent when dark patterns are removed.

Austria's cookie placement rate is 52% (percentage of websites displaying cookie consent banners), higher than Germany's 43%. But the consent rates tell the real story: most Austrian visitors click "Reject All" when given a fair choice.

On top of consent rejection, ad blockers cut deeper. Safari's ITP blocks virtually all third-party cookies. Firefox partitions cookies by site. Combined, privacy browsers and ad blockers make another 20-25% of Austrian traffic invisible to cookie-dependent analytics.

Where your Austrian visitor data disappears

Cookie consent rejected (visitors who click Reject All on a compliant banner): ~75%
Ad blockers (block analytics scripts entirely): ~40%
Privacy browsers, Safari ITP and Firefox ETP (block or partition third-party cookies): ~30%
What cookie-based analytics actually see (after consent rejection, ad blockers, and browser blocking): ~20-30%

Privacy-first analytics that don't use cookies see 100% of visitors. No consent needed, no scripts to block.

Add it up: Austria has 8.69 million internet users, 95.3% internet penetration, a EUR 13.45 billion e-commerce market, and nearly 2 million .at domains. If you're running cookie-based analytics, you're making business decisions based on a data sample that misses the majority of your visitors.

What's coming in 2026 and beyond

Three developments will reshape Austria's analytics landscape.

1. The Digital Omnibus would override Austria's strict position.

The Digital Omnibus (proposed November 2025) creates a consent exemption for audience measurement analytics at the EU level through a new Article 88a GDPR. The conditions: first-party only, no cross-site tracking, aggregated data only, used solely by the website operator. Google Analytics would not qualify. Privacy-first tools would.

Because the Digital Omnibus is structured as a Regulation (not a Directive), it would be directly applicable in Austria without any transposition into national law. The TKG 2021's cookie provisions would be superseded automatically. The DSB's position that "analytics cookies cannot in any case be considered technically necessary" would be overridden by the EU-level exemption.

The feedback period closed in January 2026. The EDPB and EDPS issued a joint opinion in February 2026 broadly supporting simplification but warning against weakening individual protections. Trilogue negotiations are expected in spring 2026. If adopted, the analytics exemption could take effect around mid-2027.

2. The Latombe CJEU appeal could invalidate the Data Privacy Framework.

Philippe Latombe's appeal is pending at the CJEU. If it succeeds, EU-to-US data transfers would again lack a legal basis. Google Analytics would face the same illegal transfer status it had in 2022. A ruling is expected in late 2026 or 2027. NOYB has indicated it may bring a separate, broader challenge.

3. NOYB is now authorized for class actions.

In December 2024, NOYB was approved in Austria as a Qualified Entity under the EU Representative Actions Directive. This means NOYB can now bring US-style class actions on behalf of affected individuals across all EU member states. The organization that already drove 40% of all GDPR fines now has a significantly more powerful enforcement tool. First actions are planned for 2025.

The direction is clear: consent requirements are expanding, enforcement tools are getting stronger, and the only analytics tools that will consistently avoid compliance risk are those that don't need consent in the first place.

What this means for your website

If you run a website that serves Austrian visitors, here's a practical assessment.

If you're using Google Analytics with a cookie banner: The data transfer to the US is technically legal under the DPF (for now). But you're losing 70-80% of your visitor data to consent rejection and ad blockers. Austria has no consent exemption for analytics. Your analytics see a biased minority of your actual traffic. And the legal framework supporting US data transfers is being challenged at the CJEU by the same legal movement that started the original ban from Austria.

If your cookie banner isn't compliant: The DSB has set clear standards. Accept and reject must be equally prominent (3:1 contrast minimum). Consent must be granular per purpose. No cookies before consent. NOYB's automated scanning has filed hundreds of complaints across Europe, and they're headquartered in Vienna. The risk isn't theoretical.

If you want to see all your traffic and eliminate the risk: Switch to an analytics tool that doesn't store anything on the visitor's device. If there's no cookie, no local storage, no fingerprint, there's no TKG 2021 consent requirement to trigger. No consent banner needed for analytics. 100% of visitors visible from day one.

Clickport is built for exactly this situation. No cookies, no consent banner required, EU-hosted, first-party only, privacy-first by design. Every visitor is visible. Every session is tracked. No legal dependency on US data transfers. No dependency on the DPF staying valid. You can try it free for 30 days, no credit card required, and see the difference in your data within the first hour.

Austria started this. The country that produced Max Schrems, that housed Europe's first Google Analytics ban, that appointed the chair of the EDPB, that voted against the GDPR because it wasn't strict enough. Austrian website owners, more than anyone in Europe, should understand what privacy-first analytics means. The tools exist. The legal incentives are clear. The question is whether you switch before the next enforcement action or after.

David Karpik

Founder of Clickport Analytics
Building privacy-focused analytics for website owners who respect their visitors.
