Cookie Walls in 2026: Are 'Pay or Consent' Models Actually Legal?

If you run a publisher site or ad-supported platform in Europe, you've probably considered a cookie wall or a "pay or consent" setup: visitors either agree to tracking or pay for an ad-free experience. The pitch is simple. The legal reality is not.

The answer depends on where your visitors are, how big your platform is, what you charge, and how you present the choice. A design that's defensible in Germany may get you fined in the Netherlands or struck down in an Austrian court. This guide maps the 2026 legal terrain country by country and sets out what you need to do to stay compliant. For a general introduction to cookie walls, see our explainer on cookie walls and pay-or-consent models.

The CJEU Precedent That Started It All

The legal foundation for "pay or consent" in Europe traces back to a single paragraph in a single ruling. In Case C-252/21, Meta Platforms v Bundeskartellamt (4 July 2023), the Grand Chamber of the Court of Justice of the European Union addressed whether a dominant platform like Facebook could lawfully rely on consent for behavioural advertising.

The Court held that dominance doesn't automatically invalidate consent — but it is "an important factor" in assessing whether that consent was freely given. Then came the sentence that launched a thousand paywalls. At paragraph 150, the CJEU stated that users must be free to refuse consent to data processing that isn't necessary for the service "without being obliged to refrain entirely from using the service," which means they should be offered, "if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations."

That phrase — "if necessary for an appropriate fee" — gave pay-or-consent models their legal air cover. Publishers and platforms read it as a green light. Privacy advocates read it as a narrow exception hedged by "if necessary" and "appropriate." Both readings have some support. And regulators across Europe have been sorting out what it actually means ever since.

EDPB Opinion 08/2024: The Guardrails Tighten

On 17 April 2024, the European Data Protection Board issued Opinion 08/2024 on "consent or pay" models deployed by large online platforms. The headline finding: in most cases, a binary choice between consenting to behavioural advertising or paying a fee will not produce valid consent. Platforms should consider a third option — an "equivalent alternative" funded by contextual (non-personalised) advertising rather than tracking.

Three things matter for publishers in 2026:

• Scope is (still) limited to large platforms. The EDPB committed to extending this reasoning to smaller websites, but those guidelines haven't landed as of mid-2026. National regulators aren't waiting.
• It's an opinion, not a binding decision. The EU General Court held (in Meta's challenge, Case T-319/24) that EDPB opinions under Article 64 have no direct legal effect. DPAs still follow it, but the legal status is less settled than many commentators suggest.
• Meta challenged it. If the General Court or the CJEU disagrees with the EDPB's analysis, the framework could shift again.

The European Commission's DMA Fine (April 2025)

Separate from the GDPR track, the European Commission fined Meta €200 million under the Digital Markets Act (DMA) for its pay-or-consent implementation between November 2023 and November 2024. The Commission found that Meta failed to offer a genuinely equivalent free alternative and that the subscription price effectively coerced consent. Meta subsequently added a "less personalised ads" free tier.

This is a competition-law action, not a GDPR ruling — but it means a second enforcement channel exists for platforms that meet the DMA gatekeeper threshold.

Country-by-Country: Where Cookie Walls Stand in 2026

The GDPR sets the floor, but national regulators and courts have built very different structures on top of it. Here's where each major jurisdiction stands.

Netherlands: Banned Outright

The Dutch DPA (Autoriteit Persoonsgegevens, or AP) has the clearest position in Europe: cookie walls are not permitted. Any take-it-or-leave-it design is inherently incapable of producing freely given consent. In April 2025, the AP warned 50 organisations — retailers, media companies, insurers — over misleading banners and tracking without valid consent, giving them three months to fix their practices or face investigation. Even a paid alternative doesn't save you if the consent mechanism itself fails the "free choice" test.

Austria: The DerStandard Precedent

Austria has become the test jurisdiction for pay-or-consent, largely thanks to noyb's campaign. The landmark case involves DerStandard.at, which offered visitors a binary choice: consent to tracking or pay €9.90/month.

In February 2026, the Austrian Federal Administrative Court (BVwG) upheld the DSB's finding that DerStandard's model violated the GDPR — but the reasoning matters. The court didn't rule pay-or-consent categorically illegal. The violation was about granularity: DerStandard forced an all-or-nothing choice when the GDPR requires purpose-specific consent.

An appeal to the Supreme Administrative Court (VwGH) is allowed, and a CJEU referral is widely expected — which would produce Europe's first definitive ruling on pay-or-consent. Meanwhile, noyb gained class-action powers under the EU Representative Actions Directive in December 2024. Expect more cases, not fewer.

France: Permissible — With Conditions

France occupies the pragmatic middle. The CNIL initially took a hard line against cookie walls, but a French Administrative Court ruling struck down the blanket ban, finding the CNIL had overstepped its authority. The CNIL then issued revised guidelines that allow cookie walls and consent-or-pay models under certain conditions:

• The fee must be reasonable — not so high that it effectively eliminates choice. The CNIL hasn't specified a number, but publishers must be prepared to justify affordability.
• There must be a genuine alternative to tracker consent. The CNIL aligns with EDPB Opinion 08/2024 in expecting a free option — such as contextual advertising — where possible.
• Consent must still be granular and informed. A single "accept all" toggle doesn't meet the standard.

France's enforcement muscle shouldn't be underestimated. The CNIL's total fines in 2025 reached €486.8 million, roughly nine times the 2024 total. For publishers operating in France, the model is available but the compliance bar is real.

Germany: Generally Allowed

The German Data Protection Conference (DSK) has concluded that cookie walls are generally allowed under data protection law, making Germany one of the most permissive large EU jurisdictions. Two recent developments add nuance:

• The Consent Management Ordinance (EinwV), effective 1 April 2025, lets users make one-time cookie consent decisions via a central management solution — reducing the banner fatigue that pushes people toward "accept all."
• The Hanover Administrative Court (March 2025) ruled that a visible "reject all" button must appear alongside "accept all," limiting how you can structure the consent interface within a cookie wall.

Germany's permissive stance may look attractive, but if your site serves visitors across the EU, you're subject to the strictest applicable standard.

Italy: Case-by-Case, Leaning Strict

The Italian DPA (Garante per la protezione dei dati personali) has taken a middle-ground position in its cookie guidelines: cookie walls are unlawful unless the website provides the visitor with access to equivalent content or services without giving consent. Whether the alternative actually qualifies as "equivalent" is assessed case by case.

In practice, this means a pure cookie wall — accept or leave — is dead in Italy. A pay-or-consent model might pass if the paid tier provides genuinely equivalent access and the price doesn't make refusal unrealistic. But the Garante hasn't issued the kind of detailed guidance that the CNIL or DSK have, leaving publishers in a grey zone that's riskier than it looks.

United Kingdom: Compliant If Done Right

The UK ICO published its "consent or pay" guidance in January 2025, confirming that these models can comply with UK GDPR and PECR — but setting a high bar:

• Consent must be freely given, specific, informed, and unbundled. Users must be able to consent to some processing purposes and refuse others.
• The fee must be reasonable enough that paying is a realistic option for users. Pricing designed to funnel everyone toward "accept" won't pass.
• Power imbalance matters: if users can't realistically switch to another service, consent is unlikely to be freely given.
• If users pay, their personal data cannot be used for targeted advertising. No double-dipping.

The ICO's approach is broadly aligned with the EDPB but slightly more permissive in acknowledging that well-designed models can work. For publishers with UK audiences, it's the clearest set of compliance criteria currently available.

The "Genuine Choice" Test: What Regulators Look For

Across every jurisdiction, the same question surfaces: does the user have a genuine choice? Five factors determine whether a consent-or-pay model survives scrutiny:

1. Is refusal possible without meaningful detriment? If saying "no" means losing access with no comparable alternative, the choice isn't genuine. Dominant platforms face stricter scrutiny than niche publishers.
2. Is the price appropriate? A fee that's practically unaffordable is coercion. DerStandard's €9.90/month was challenged as disproportionate given that tracking generates cents per user in ad revenue.
3. Is consent granular? This sank DerStandard. Users must consent to analytics separately from advertising, advertising separately from personalisation. An all-or-nothing toggle fails. See our guide on cookie categories.
4. Is withdrawal as easy as giving consent? Article 7(3) GDPR requires this. One click to consent, five screens to revoke = non-compliant. See our guide on consent expiry and re-consent.
5. Does a free, non-tracking alternative exist? The EDPB's "equivalent alternative" — contextual ads instead of behavioural targeting — is increasingly the litmus test. A binary model with no third option faces an uphill battle in most jurisdictions.

Alternative Monetisation Without Tracking

If your audience spans jurisdictions where pay-or-consent is banned or too risky, proven alternatives exist:

• Contextual advertising. Targeted to page content, not user profiles. No consent for tracking cookies required — and the revenue gap with behavioural ads has narrowed substantially.
• First-party data strategies. Logged-in users who provide data directly can be served relevant ads under legitimate interest or contractual necessity. See our guide on first-party cookieless tracking.
• Micropayments and tip jars. Voluntary payment removes the coercion problem entirely.
• Membership and premium content. A traditional paywall is perfectly legal everywhere. The key distinction: it exists because the content has value, not because it's the escape hatch from tracking.

How to Implement a Compliant Consent-or-Pay Model

If you still want to offer consent-or-pay after weighing the legal landscape, here's how to design one that maximises compliance across jurisdictions:

1. Offer three options, not two. Add a free tier with contextual advertising alongside "consent to behavioural ads" and "pay for ad-free." This satisfies the EDPB's "equivalent alternative" requirement.
2. Keep the price proportionate. Your subscription should bear a reasonable relationship to per-user ad revenue. €10+/month for a news site earning cents per visit will draw scrutiny. Document your pricing rationale.
3. Make consent granular. Separate analytics, advertising, personalisation, and social media purposes. Never bundle into a single switch. See our guide on Consent Mode v2 for wiring purpose-level signals.
4. Equalise the UX. "Accept" and "reject" must be equally prominent, equally easy, on the same layer. No dark patterns.
5. Don't track paid users. If someone pays to avoid tracking, honour it completely. The UK ICO is explicit: paid users' data cannot be used for targeted advertising.
6. Log everything. Record banner version, timestamp, and exactly what each visitor chose. Robust cookie scanning and consent logging are what separate defensible implementations from wishful thinking.

CookieBeam's Approach

CookieBeam doesn't force a monetisation model. It provides the infrastructure to make whatever model you choose compliant: granular purpose controls wired to Consent Mode v2, equal-prominence reject on the first layer, a full consent audit trail with banner version and purpose-level selections, regional consent rules that adapt behaviour per visitor location, and continuous cookie scanning to catch scripts firing without consent.

Whether you run a consent-only banner, consent-or-pay, or a contextual fallback, the tooling needs to produce verifiable consent records that hold up under the "genuine choice" test. That's what CookieBeam handles.

What Comes Next

The DerStandard case is likely headed to the CJEU, which would produce the first definitive ruling on pay-or-consent for smaller publishers. The EDPB has committed to extending its guidance beyond large platforms but hasn't published it yet. And noyb, armed with class-action powers, is actively filing complaints across the EU.

The pragmatic move: design for the strictest plausible interpretation now. Offer a free, non-tracking option; keep consent granular; price subscriptions proportionately; maintain an audit trail proving every choice was genuinely free. If the law relaxes, you've lost nothing. If it tightens, you're already there.