---
title: "Legal Requirements for a Business Website in Austria"
description: "What an Austrian business website legally needs: Impressum, privacy policy, and cookie consent explained, plus why a page generated once quietly falls behind."
date: 2026-06-29
author: "David Wippel"
tags: ["maintenance"]
locale: en
translation: https://www.essentialweb.eu/de/blog/rechtliche-pflichten-firmenwebsite-oesterreich/
url: https://www.essentialweb.eu/blog/legal-requirements-business-website-austria/
---

# Legal Requirements for a Business Website in Austria

> What an Austrian business website legally needs: Impressum, privacy policy, and cookie consent explained, plus why a page generated once quietly falls behind.

<aside class="bg-accent rounded-2xl px-6 py-6 md:px-8 md:py-8">
  <div class="text-primary mb-3 font-sans text-base font-bold tracking-[0.25rem] uppercase">TL;DR</div>
  <p>Every commercial website in Austria needs three things: a complete Impressum with the Offenlegung details (ECG §5 and the Mediengesetz), a privacy policy (Art. 13 GDPR), and active cookie consent before any non-essential cookie loads (TKG 2021). That is the easy part. The hard part is that these requirements keep shifting while your site sits online unchanged. A legal page generated two years ago is often already behind. Compliance is not a checkbox you tick once. It is a state someone has to maintain.</p>
</aside>

Two years ago you had your website built. The Impressum and privacy policy came out of a generator, the cookie banner went in quickly, and that was that. It was perfectly reasonable at the time. Nobody expects a carpenter or a tax adviser to read amendments to the data-protection act on the side. The catch is that the law underneath your website keeps moving, and a page nobody has touched since launch eventually falls behind. Without you having done anything wrong.

One thing up front, in plain terms: this piece gets you oriented and sorts out the main points. The specifics for your own situation are best confirmed with your legal adviser or directly with the WKO.

## What does an Austrian business website legally need?

Three obligations apply to almost every commercial website in Austria: a complete Impressum with Offenlegung details, a privacy policy, and cookie consent that is given actively, before any non-essential cookie loads. The legal bases behind them are the E-Commerce-Gesetz, the Mediengesetz, the GDPR, and the Telekommunikationsgesetz. Here is the short version, then we go through each one.

| Requirement               | Legal basis                      | What minimally satisfies it                                                                                                                    |
| ------------------------- | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| Impressum and Offenlegung | ECG §5, Mediengesetz §24 and §25 | Name or company name, address, email plus one more contact method, Firmenbuch number and UID if you have them, the responsible trade authority |
| Privacy policy            | Art. 13 GDPR, Austrian DSG       | Who processes data, for what purpose, on what legal basis, who receives it, and what rights visitors have                                      |
| Cookie consent            | TKG 2021 §165 para. 3, GDPR      | Active opt-in before non-essential cookies are set, with no pre-ticked boxes                                                                   |

### The Impressum: what belongs on every Austrian business website

Every commercial website must carry an Impressum that is easy and immediately accessible. The duty comes from two laws, and you have to satisfy both. The E-Commerce-Gesetz (§5 ECG) requires a name or company name, a deliverable address, an email address and at least one further contact method, plus your Firmenbuch number and UID where they exist, and the responsible trade authority. A phone number alone is not enough under EuGH case law. The email address has to be there.

On top of that comes the Offenlegung under the Mediengesetz (§24 and §25). For an ordinary company site without opinion-forming content, the small version is enough: name or company name, registered seat, and business purpose. Cover both cleanly and you are on solid ground. If the Impressum is missing, the statutory penalty is modest, up to € 3.000 (§26 ECG). What deserves more attention is that a missing Impressum is also open to challenge under competition law in Austria, more on that below.

### The privacy policy: the moment you process data, you need one

In practice every business website needs a privacy policy, because nearly every site processes personal data. A contact form collects names and email addresses, server logs capture IP addresses, and both fall under the GDPR. The moment you collect data directly from visitors, the information duty under Art. 13 GDPR applies.

The policy has to make clear who is responsible for the processing, for what purpose and on what legal basis you process data, which services receive it (an analytics tool or your email provider, say), how long you keep it, and what rights visitors have, including the right to complain to the Datenschutzbehörde. It belongs in the footer as its own page, separate from the Impressum. A generic template off the internet rarely covers it, because it does not reflect the tools you actually run. This is where the first quiet gap opens up, when your setup changes and the policy stays the same.

### Cookie consent: consent first, cookie second

Non-essential cookies may only load after the person has actively consented. That follows from §165 para. 3 TKG 2021 together with the GDPR. In the Planet49 ruling (1 October 2019), the EuGH made clear that pre-ticked boxes are not valid consent. Consent means an active, deliberate action, and the cookie comes after it, not before.

Technically necessary cookies are exempt, such as session management for a shopping cart or storing the cookie choice itself. You need consent for analytics cookies, advertising pixels, embedded social media, and the like. One detail that makes life easier for a lot of owners: if you measure traffic without cookies, you never trigger the consent duty in the first place. No cookie, no banner.

## Why a site that was finished once slowly drifts out of compliance

Here is the real point. The three obligations above are done in a day. What changes is the requirements behind them, and they change after launch, without anyone touching your site. Cookie rules have tightened over the years, expectations for privacy policies have grown, and new topics arrive. A legal page that was correct two years ago might now describe tools you no longer use, or miss ones you have added.

External resources are the clearest example. If your site loads fonts, maps, or scripts dynamically from someone else's server, the visitor's IP address travels there, and an IP address is personal data. Around Google Fonts there was a wave of demand letters in Austria in 2022, with roughly 33,000 businesses receiving a payment claim by post. The courts have since shut that business model down: in April 2025 a Vienna court dismissed such a claim as an abuse of rights, because the claimant had deliberately triggered the data transfers for his own gain. That ruling is first-instance and not yet final. The point for you is not the demand letter that got knocked back. It is the principle underneath it. Data that leaves your site without a legal basis is a legitimate concern, and the Datenschutzbehörde recommends self-hosting fonts rather than loading them externally. Exactly these gaps accumulate on a site that has stayed unchanged since launch.

<aside class="bg-accent rounded-2xl px-6 py-6 md:px-8 md:py-8">
  <div class="text-primary mb-3 font-sans text-base font-bold tracking-[0.25rem] uppercase">Side note: accessibility</div>
  <p>Since 28 June 2025, Austria's Barrierefreiheitsgesetz (its implementation of the European Accessibility Act) has been in force. It concerns how a website is built, not which legal pages it carries, so it is a topic of its own. The microenterprise exemption matters for many smaller businesses: a service provider with fewer than 10 employees and under € 2 million in annual turnover or balance-sheet total is exempt. From 10 employees up, the exemption no longer applies. Whether you fall under it is something to check for your own case, it cannot be settled with a blanket rule. The full breakdown, including the microenterprise exemption in detail, is in our post [Does My Small Business Website Need to Be Accessible?](/blog/does-my-business-website-need-to-be-accessible/).</p>
</aside>

## What actually happens in Austria when something is missing

So this does not tip into scaremongering, the sober view of enforcement helps. Anyone who wants to complain turns to the Datenschutzbehörde (DSB). The complaint procedure is free and runs as a two-party process in which you, as the operator, have to respond. The DSB can find a violation and order changes. It does not impose a fine within the complaint procedure itself, that requires a separate administrative penalty process.

Austria differs clearly from Germany here. In Germany, competitors can issue cease-and-desist letters over GDPR breaches under competition law, which has grown into a whole industry. In Austria, the OGH ruled in 2019 that, as things currently stand, competitors cannot pursue GDPR breaches through a UWG cease-and-desist (4 Ob 84/19k). So there is no blanket wave of competitor letters over data-protection issues. The Impressum is a different matter: a missing or incomplete Impressum under the ECG can indeed be pursued under competition law. The bottom line is that the obligations are the same as in Germany. The way they reach you is different, usually through a complaint from one individual rather than a wave of litigation.

## What this means for you as an owner

The honest answer is not that you should become a compliance expert yourself. You run a business, not a law firm. What you need is someone whose job is to keep the legal layer of your website current as the rules shift. That is exactly the invisible work that starts after launch and belongs to no one under a one-off project. A subscription model covers it: the privacy policy grows with your tools, the cookie mechanism stays clean, and choices like cookieless analytics or self-hosted fonts are made from the start so an entire class of problem never appears. If you want to see what that looks like in practice, [take a look at the ongoing plan](/#plan).

Getting a business website legally off the ground is manageable, as you saw above. Keeping it legally current over the years is the real job, and it does not end on launch day. If you are just [getting a site built](/blog/getting-a-business-website-built-in-austria/), the legal layer is part of what a good provider thinks through. The [five pages every business website needs](/blog/five-pages-every-business-website-needs/) answers the question of which pages sell, while this piece answers which pages the law requires. And [what else comes after launch](/blog/what-happens-to-your-website-after-launch/) shows why a website is an ongoing service rather than a one-time project.