Austria's cookie law lives in §165 TKG 2021 — scan your site for trackers that fire before consent.
In Austria, cookie consent is governed by Section 165(3) of the Telekommunikationsgesetz 2021 (TKG 2021), which transposes the EU ePrivacy Directive (2002/58/EC), read together with the Datenschutzgesetz (DSG) and the GDPR. The provision requires that storing or reading information on a user's device — cookies, pixels, fingerprinting and similar trackers — is permitted only with the user's prior, informed consent, unless the technology is strictly necessary to deliver a service the user expressly requested. Austria's supervisory authority, the Datenschutzbehörde (DSB), enforces these rules and made global headlines with its 2022 Google Analytics ruling, the first national decision in the EU to hold a standard analytics deployment unlawful.
§ 165 Abs. 3 TKG 2021 permits storing or reading data on a user's terminal equipment only with prior informed consent, except where strictly necessary to provide an explicitly requested service.
Applicable laws
€50,000
Maximum fine for cookie/ePrivacy breaches under § 109 TKG 2021, separate from GDPR penalties
Telekommunikationsgesetz 2021 (TKG 2021)
13 Jan 2022
Date the DSB ruled an Austrian website's use of Google Analytics unlawful — the first such EU decision
Österreichische Datenschutzbehörde / noyb
§ 165(3)
The TKG 2021 provision requiring prior consent before non-essential cookies are set
Telekommunikationsgesetz 2021, § 165 Abs. 3
101 complaints
noyb model complaints across the EEA that began with Austria's Google Analytics case
noyb.eu
Under § 165(3) TKG 2021, non-essential cookies and trackers may only be set after the user actively agrees. Pre-ticked boxes and implied consent from continued browsing are invalid, consistent with the CJEU's Planet49 ruling (C-673/17).
The DSB's cookie guidance requires that a clear rejection option appears on the first banner layer alongside 'Accept', and that the accept button is not designed to be more visually prominent than reject. Manipulative 'nudging' design undermines valid consent.
Consent is not needed only for cookies absolutely necessary to deliver a service the user explicitly requested — for example session management, shopping-cart state, or storing the consent choice itself. Analytics and advertising never qualify.
Before consenting, users must receive clear information about which cookies are used, their purposes, duration and any third parties. Consent must be specific and granular so users can agree to some purposes and refuse others.
Withdrawing consent must be as easy as giving it, and controllers must be able to demonstrate that valid consent was obtained (GDPR Art. 7). This makes records and evidence of the pre-consent state essential.
Austrian cookie compliance sits at the intersection of two regimes. Section 165(3) of the TKG 2021 is the 'cookie law' proper — it implements the EU ePrivacy Directive and sets the rule that information may only be stored on or read from a user's device after prior informed consent, unless it is strictly necessary for a service the user expressly requested. This is the gatekeeping provision that decides whether a tracker is allowed to fire at all.
The GDPR then defines what 'consent' actually means. Article 4(11) requires a freely given, specific, informed and unambiguous indication of the user's wishes through a clear affirmative act, and Article 7 sets the conditions, including that withdrawal must be as easy as giving consent. The Datenschutzgesetz (DSG) supplements the GDPR domestically and designates the supervisory authority. In practice, a website operator in Austria must satisfy both § 165 TKG 2021 and the GDPR's consent standard simultaneously.
The Österreichische Datenschutzbehörde (DSB), based at Barichgasse 40-42 in Vienna, is the national supervisory authority. It has published FAQs and guidance on cookies setting out concrete design expectations: both accept and reject options must be visible on the first layer, the reject path may not be hidden behind extra clicks, pre-ticked checkboxes are invalid, and consent must be as easy to withdraw as to give.
Austria is also where European cookie and transfer enforcement turned decisive. On 13 January 2022, the DSB ruled that an Austrian website's standard use of Google Analytics unlawfully transferred personal data to the United States — the first of the 101 noyb model complaints filed across the EEA after the CJEU's Schrems II judgment to result in a decision. The case put every operator on notice that simply having a banner is not enough if trackers load before consent or send data abroad without adequate safeguards.
The hardest part of § 165 TKG 2021 compliance is proving what actually happens before a visitor clicks anything. CookieSentry loads your live site the way a real Austrian visitor would and flags every cookie and tracker that fires before consent, naming its source — so you can see whether Google Analytics, Meta Pixel or other scripts are breaching the prior-consent rule. The free public scan needs no signup and produces an exportable report and PDF evidence.
CookieSentry is not a consent banner and does not replace your CMP. Keep the banner you already run, and use CookieSentry to audit it against Austrian requirements and to generate localized GDPR documents — privacy and cookie policies and records — that reflect the TKG 2021 and DSG framework. The goal is demonstrable proof of the pre-consent state, which is exactly what GDPR Art. 7 and the DSB expect you to be able to show.
The use of Google Analytics by the Austrian website operator and the resulting transfer of personal data to the United States did not comply with the requirements of Chapter V of the GDPR.
Austria's cookie rule lives in Section 165(3) of the Telekommunikationsgesetz 2021, which transposes the ePrivacy Directive. It allows storing or reading data on a user's device only with prior informed consent, unless strictly necessary for an explicitly requested service.
The Österreichische Datenschutzbehörde in Vienna is Austria's data-protection supervisory authority. It publishes cookie FAQs and enforces both the GDPR/DSG and the cookie consent requirements, including banner design rules requiring an equal-prominence reject option.
On 13 January 2022 the DSB issued the EU's first decision finding a standard Google Analytics deployment unlawful, because data transfers to the US lacked adequate safeguards after Schrems II. It triggered a wave of parallel rulings across Europe.
CookieSentry scans your live site and flags every cookie and tracker that fires before consent — the failure DSB is most likely to act on — and names the source so you can fix it. Run the free public scan to get exportable evidence of what fires before consent, mapped to Austria's rules. It is not a consent banner — keep your banner and add the audit and evidence layer on top.
Section 165(3) of the Telekommunikationsgesetz 2021 (TKG 2021) is the core cookie provision, transposing the EU ePrivacy Directive. It applies alongside the GDPR — which defines what valid consent is — and the Austrian Datenschutzgesetz (DSG). Together they require prior, informed, opt-in consent before any non-essential cookie or tracker is set.
No. Cookies that are strictly necessary to provide a service the user explicitly requested — such as session management, shopping-cart state, or remembering the consent choice — do not require consent. Everything else, including analytics and advertising trackers, requires prior opt-in consent under § 165(3) TKG 2021.
The Österreichische Datenschutzbehörde (DSB) is the supervisory authority. Cookie and ePrivacy breaches under the TKG 2021 can be fined up to €50,000, and where personal data is involved the GDPR's much higher penalties also apply. The DSB's 2022 Google Analytics decision shows it actively enforces these rules.
CookieSentry scans your live site to detect cookies and trackers that fire before consent — the exact breach § 165(3) TKG 2021 targets — naming each source and producing exportable PDF evidence. It also generates localized GDPR documents. It is not a consent banner or CMP; you keep your banner and use CookieSentry to audit it and prove your pre-consent state.
Operating across the EU? The rules differ by market — check the country that applies to you.
Run a free CookieSentry scan on your live pages, catch cookies firing before consent, and export evidence mapped to Austria's rules — no signup required.
Run a free scan →Last reviewed 2026-06-14. General information on Austria cookie rules, not legal advice; verify current requirements with DSB or qualified counsel.