Two are better than one?! Kurier forced users to give their consent

Forced Consent & Consent Bypass
 /  05 June 2024

noyb has today lodged a GDPR complaint against Kurier. Just a few months ago, users were forced to consent to Google and other tracking cookies when visiting the website of the Austrian daily newspaper. In doing so, the company clearly violated the GDPR, a fact that was also confirmed by the Austrian data protection authority: The latter had already banned the news magazine Profil (which is part of the same media group) from using such forced consent.

The logo of the Austrian daily newspaper KURIER is placed on a red background and is surrounded with cookies

Forced consent. Only a few months ago, anyone who wanted to read an article on without accepting a huge number of tracking cookies had an unsolvable problem: While consent was given with just one click, access to the website was denied if the well-hidden “Decline” option was selected. Users, such as the complainant at the beginning of March 2024, were forced to consent to tracking. Even the legally required option of easy withdrawal wasn’t implemented. The system has since been changed. Users now have the option to consent or signing up to a paid subscription (Pay or Okay).

Repeated violation of the law. This is not the first time the Austrian data protection authority (DSB) has been confronted with this violation. noyb has filed a complaint concerning an almost identical forced banner on in 2022. Back then, the DSB ordered the news magazine to adapt its website and obtain legally compliant consent. This never happened. Instead, the Kurier media group, to which both Profil and Kurier belong, decided to extend its practice to and challenge the authority’s decision. There’s no final court judgement yet.

GDPR violations without consequence? Meanwhile, the Kurier media group has continued to force consent despite the DSB’s order. The data protection authority should therefore finally make use of its powers and impose an ‘effective, proportionate and dissuasive’ fine. If even the second breach of the GDPR remains without consequences, it could permanently weaken the position of the DPA.