Skip to main content
C
CookieBeam
Back to Guides
Compliance8 min read

Cookie Walls and "Pay or Consent": What's Actually Legal in 2026

Cookie walls and "pay or consent" models force visitors to choose between accepting tracking or losing access. Learn what the EDPB, CJEU, and national regulators have ruled, and how to design a lawful alternative.

What Is a Cookie Wall?

A cookie wall blocks access to a website until the visitor accepts cookies. There is no "reject" path that still lets you read the content — consent is the price of entry. A close cousin, the "pay or consent" model (sometimes called "pay or okay"), softens this slightly: visitors can either accept tracking for free or pay a subscription fee to use the site without behavioural advertising.

Both designs sit at the centre of one of the most contested questions in European privacy law: can consent obtained this way ever be "freely given"? Under the GDPR, consent that is not freely given is not valid consent at all — and processing based on invalid consent is unlawful. This guide explains where the law actually stands in 2026, what regulators have said, and how to build an entry experience that survives scrutiny.

The Legal Foundation: "Freely Given" Consent

Consent is one of six lawful bases for processing under Article 6 GDPR, and the conditions for valid consent are set out in Article 7. Two clauses matter most for cookie walls:

  • Article 7(4) states that when assessing whether consent is freely given, "utmost account" must be taken of whether access to a service is made conditional on consenting to processing that is not necessary to perform that service.
  • Recital 42 adds that consent is not freely given if the data subject has "no genuine or free choice" or is unable to refuse without detriment.

In plain terms: if saying "no" costs you the service, the law is sceptical that your "yes" means anything. This is the bar that every cookie wall and pay-or-consent design has to clear. For the broader rules on what consent must look like, see our explainer on what GDPR is and the ePrivacy Directive and cookie law.

Strict Cookie Walls: Largely Prohibited

The European Data Protection Board (EDPB) addressed hard cookie walls directly in its Guidelines 05/2020 on consent. Its conclusion was blunt: a service that makes access conditional on consent to non-essential cookies does not obtain freely given consent, because the user is presented with a take-it-or-leave-it choice rather than a genuine one.

National regulators have echoed this. The Dutch and German authorities have treated pure cookie walls as non-compliant, and the CJEU's Planet49 ruling (C-673/17) reinforced that consent must be a clear, affirmative, and unbundled act. The practical takeaway is simple: a banner where the only options are "Accept" or "Leave" is the highest-risk pattern you can deploy. If you want to understand how a compliant banner gives equal weight to refusal, read our guide on cookie banner design best practices.

A cookie wall is not the same as a paywall

Charging for content is perfectly legal — newspapers do it every day. What regulators scrutinise is conditioning consent to tracking on access. A subscription that simply unlocks articles is fine. A subscription that exists only as the escape hatch from behavioural advertising is what triggers the "freely given" analysis.

"Pay or Consent": The 2024 EDPB Opinion

The pay-or-consent model gained prominence when several large platforms began offering users a paid, ad-free tier as the alternative to consenting. In April 2024 the EDPB issued Opinion 08/2024 on "consent or pay" models deployed by large online platforms.

The headline finding: in most cases, offering only a binary choice — consent to tracking or pay — will not meet the standard for valid consent. The EDPB reasoned that a fee can create the kind of detriment that makes refusal feel impossible, especially where the platform holds a dominant position and users have few realistic alternatives.

Crucially, the EDPB did not ban the model outright. Instead it pointed to a third path: platforms should consider offering an "equivalent alternative" that does not involve payment — for example, a version of the service funded by non-personalised (contextual) advertising. Offering a genuine free-and-private option is what restores the "free choice" the GDPR requires.

The Tests Regulators Apply

Across the EDPB's guidance and national decisions, a consistent set of questions has emerged. Before deploying any conditional model, run it through these:

  1. Is there genuine free choice? Can a user decline tracking and still get a meaningful version of the service?
  2. Is the fee appropriate? A fee so high that it is effectively prohibitive is treated as coercive rather than a real alternative.
  3. Is consent granular and unbundled? Users must be able to consent to some purposes and refuse others, not face one all-or-nothing switch.
  4. Is withdrawal as easy as giving consent? Required by Article 7(3) — see our guide on consent expiry and re-consent.
  5. Is the power balance fair? Dominant platforms face stricter scrutiny than a small independent publisher.

noyb and other privacy NGOs have filed numerous complaints against pay-or-okay implementations, so this area is actively litigated. In 2025 and into 2026 the EDPB has been working toward broader guidelines extending the analysis beyond "large" platforms to a wider range of websites — meaning the safe assumption is that the strict reasoning will increasingly apply to everyone.

Contextual advertising is the pressure valve

Contextual ads are targeted to the content of the page rather than to a profile of the user, so they generally do not require consent for tracking cookies. Offering a contextual-ad-funded tier lets you monetise visitors who refuse behavioural tracking without forcing them behind a paywall — the "equivalent alternative" the EDPB favours.

How to Build a Compliant Alternative

If your business model depends on advertising revenue, you do not have to choose between compliance and monetisation. A defensible architecture typically combines:

1. A genuine reject path

Your banner must let visitors refuse non-essential cookies and still use the site. "Reject all" should be as prominent and as easy to reach as "Accept all" — a single click on the first layer. Burying refusal behind extra screens is itself a dark pattern regulators penalise.

2. A contextual fallback

For visitors who refuse, serve contextual rather than behavioural advertising. This keeps the lights on without relying on consent you may not have lawfully obtained.

3. Granular purposes

Separate analytics, advertising, and personalisation so users can opt into some and not others. This maps cleanly onto cookie categories and the signals used by Google Consent Mode v2.

4. A proper audit trail

Record what each visitor chose, when, and against which banner version. Robust cookie scanning and consent logging are what let you prove the choice was real if a regulator asks.

Cookie Wall Compliance Checklist

  • No hard cookie wall on essential content

    Visitors must be able to refuse non-essential cookies and still access a meaningful version of the service.

  • Reject is as easy as accept

    A one-click 'Reject all' on the first layer, with equal visual prominence to 'Accept all.'

  • An equivalent non-payment alternative exists

    Per EDPB Opinion 08/2024, offer a contextual-ad option so refusal does not force a paywall.

  • Any fee is appropriate, not prohibitive

    A fee set so high that paying is unrealistic is treated as coercion, not genuine choice.

  • Consent is granular and unbundled

    Separate analytics, advertising, and personalisation purposes — never a single all-or-nothing toggle.

  • Withdrawal is as easy as consent

    Provide an always-available way to change or revoke consent, per Article 7(3) GDPR.

  • Every choice is logged with proof

    Store the banner version, timestamp, and the exact selection to demonstrate freely-given consent.

The Bottom Line

Strict cookie walls — accept or leave — are the riskiest pattern and should be avoided. Pay-or-consent models are not automatically unlawful, but after EDPB Opinion 08/2024 the burden is on you to show that refusal carries no real detriment, typically by offering a free, contextual-advertising alternative. As the EDPB extends this reasoning beyond the largest platforms, the smart move is to design for the strict standard now.

The throughline of every regulator's reasoning is the same: consent only counts when "no" is a genuine option. Build your entry experience around a real, easy, equally-weighted refusal path, fund it with contextual advertising where you can, and keep a clean audit trail. For the mechanics of presenting that choice well, continue with our guides on banner design and consent rate optimization.

Monetise without coercion

A compliant stack — genuine reject path, contextual fallback, granular purposes, and verifiable consent logging — lets you respect visitor choice and keep revenue flowing. Pair this with a consent management platform that records every decision, so you can prove your consent was freely given.

Back to all guides
Cookie Walls & Pay-or-Consent Models: Are They Legal? (2026) | CookieBeam | CookieBeam