What is a cookie wall? Legal status and GDPR rules

We explain what cookie walls are and if they're legal, and some alternatives to the cookie wall. Find out this and more here.
Resources / Blog / What is a cookie wall? Legal status and GDPR rules
Published by Usercentrics
11 mins to read
Sep 6, 2021

Some websites block access to their content for visitors arriving at the site. Users are presented with a choice: agree to data collection or leave. There’s no option to decline, and no room for customized consent choices.

This all or nothing method is known as a cookie wall, and while it’s becoming more common, it raises important questions. Is it fair to users? Does it meet requirements of laws like the GDPR? And what options do companies have to balance their business needs with regulatory restrictions and their customers’ trust?

A cookie wall is a visual, digital barrier that can prevent users from accessing website content unless they agree to the use of cookies or similar tracking technologies. In other words, often users must consent to their data being collected and processed before they can view or interact with the site.

For example, a user may visit a news website and encounter a banner that reads, “Accept cookies to continue.” Or “We use cookies to collect data for marketing purposes.” But there is only an “accept” button. If the user doesn’t consent, they’re unable to read the articles or explore the site.

While cookie walls are intended to help website operators gather valuable data for functions like advertising or analytics, they leave users with little choice, creating a frustrating experience and raising concerns about fairness and transparency. The use of cookie walls also brings up important questions about GDPR compliance and user rights. 

Can websites demand consent for data processing as a condition to access content? That’s where regulations like the GDPR come into play, and where businesses need to tread carefully.

A cookie wall typically appears with a full-screen overlay and a banner or pop-up that blocks access to a website’s content. It demands user consent for cookies or data tracking before anything else can be viewed. Visitors often see limited options, such as a single button that says “Accept” or “Continue,” with no clear way to decline or customize their preferences.

Cookie-wall-example
Website homepage with a black overlay blocking access, and a consent banner with cookie use information and only an “Accept” button.

For example, a user might arrive at a website and find the content completely hidden behind a large overlay. Until they agree to data collection, the page remains inaccessible. This design forces users to make an all or nothing decision, often delivering a frustrating experience.

In contrast, a more compliant alternative — like a GDPR cookie banner — provides transparency and choice. These banners typically appear without a full overlay. They enableusers to:

  • accept or decline cookies
  • customize preferences for different categories, like marketing or analytics cookies
  • understand how their data will be used

This type of setup aligns with GDPR requirements and respects user choice, offering a better balance between business goals and user experience. By comparing these two approaches, it’s clear that while cookie walls prioritize data collection, compliant GDPR cookie banners focus on user transparency and trust.

The legality of cookie walls is a significant concern, particularly under the General Data Protection Regulation (GDPR). At the core of the GDPR is the principle of voluntary consent, meaning users must have a genuine choice when deciding whether to allow their data to be collected or processed.

Cookie walls, by design, can violate this principle. When users are forced to either accept all cookies or lose access to a website, their consent can’t be considered freely given. The European Data Protection Board (EDPB) clarified this in its Guidelines 05/2020, stating:

“Access to services and functionalities shall not be conditioned on a user’s consent to store or access information already stored in a user’s terminal device.”

National authorities, like France’s CNIL, echo this stance, highlighting that cookie walls fail to meet GDPR standards for valid consent. The French regulator has repeatedly emphasized that users must not be forced into an all or nothing choice when it comes to their data.

This means that while businesses may see cookie walls as a quick solution for data collection, they run the risk of noncompliance with the GDPR, which can lead to penalties and loss of user trust. A more compliant approach, such as using a GDPR cookie banner, perhaps with an overlay that only focuses user attention on the information and choices provided, rather than blocking them, can not only satisfy legal requirements, but also support a transparent and user-friendly experience.

The GDPR: What are the rules?

Under the GDPR, valid consent must meet clear and specific criteria. 

  • freely given: users must have a real choice, without pressure or consequences for refusing
  • informed: users need to understand exactly what they’re agreeing to and how their data will be used
  • explicit: consent must involve a clear, active action, such as clicking “Accept”
  • granular: users should be able to select which types of cookies or data processing they agree to
  • revocable: users must be able to withdraw consent as easily as they gave it

Cookie walls tend to fail to meet these standards because consent options do not meet conditions of being freely given or granular. Often there is little information provided, which would fail for informed consent as well.

Simplify GDPR compliance with our easy to follow consent management checklist.

Download for free

CCPA: What are the rules?

While cookie walls are widely discussed in the context of the GDPR, the California Consumer Privacy Act (CCPA) offers a different perspective on data privacy in that state in the United States. The CCPA focuses on giving consumers control over their personal information, but it does not require consent before data collection in most cases the way the GDPR does.

Under the CCPA, businesses are required to:

  • inform users about what data is being collected and how it will be used
  • provide a clear option for users to opt out of the sale or sharing of their personal information (or with the CPRA in effect, for its use for targeted advertising or profiling)
  • offer equal access to services so that users who opt out are not treated unfairly

Unlike the GDPR, the CCPA does not explicitly address cookie walls. The law does prohibit businesses from discriminating against users who choose to exercise their data privacy rights, so a user cannot be blocked from accessing a site or its functions if they have requested to opt out of data collection and use. This would likely be on subsequent visits, rather than the first one, however.

This creates an important distinction between the two regulations. Under the GDPR, cookie walls are generally not allowed because consent must be freely given. In contrast, the CCPA allows businesses more flexibility but still requires transparency and fairness.

For companies operating internationally, this highlights the need to balance compliance with  data privacy laws in multiple jurisdictions. Using a solution like a consent management platforms (CMP) can help businesses respect user preferences and meet the requirements of multiple legal frameworks, providing a seamless and compliant user experience.

Regulatory requirements regarding cookie walls vary significantly across the globe, creating a complex legal landscape for businesses that operate internationally. While the European Union’s GDPR and the United States’ CCPA are among the most well-known data privacy frameworks, other US states and countries have also implemented strict laws governing data collection and user consent.

Beyond the EU and the US, several other countries are adopting stricter privacy laws and consent requirements. A few examples:

  • Brazil’s LGPD: Similar to the GDPR, it requires clear, informed consent for data collection and processing.
  • Canada’s PIPEDA: Businesses must obtain meaningful consent and be transparent about how user data is handled.
  • South Korea’s PIPA: Companies must collect explicit consent and face stringent penalties for noncompliance.

This potential patchwork of regulatory requirements highlights the need for a global approach to privacy compliance. Solutions like consent management platforms (CMPs) help companies navigate these diverse legal requirements by providing tools to manage user consent transparently and consistently across different regions.

By understanding the rules in each country, companies can reduce legal risks, respect user rights, and build trust with their audiences worldwide.

Given the legal and user experience challenges associated with cookie walls, businesses need solutions that are both legally compliant and user-friendly. Fortunately, there are effective options that respect user choice, align with regulations like the GDPR, and help build trust. They can even be implemented in ways that improve user experience and consent rates.

A GDPR cookie banner provides a transparent and user-friendly way to manage consent. Instead of blocking access entirely, these banners enable users to:

  • accept or decline cookies
  • customize preferences for different categories, such as essential, marketing, or analytics cookies
  • understand how their data will be used
  • understand what their rights are and how to exercise them

Implementing a consent management platform (CMP) makes it easier for websites to display privacy-compliant cookie banners. A CMP enables granular consent management and provides information about data processing, giving users control while helping companies meet the GDPR and other regulatory requirements.

2. Paywalls

Another alternative to cookie walls is implementing a paywall. A paywall is a method used by websites to restrict access to content, requiring users to either pay for entry or subscribe to a service. Unlike cookie walls, which force users to agree to data tracking in exchange for access, paywalls provide a clearer, more potentially compliant alternative under regulations like the GDPR.

Paywalls work by offering users a genuine choice:

  • Pay to access content directly
  • Access content for free by consenting to data collection and tracking

This approach aligns with the GDPR because it respects user autonomy. Rather than forcing an all or nothing decision, paywalls allow users to decide how they want to interact with the website — either through payment or by sharing their data.

Under the GDPR, consent must be freely given and cannot be forced as a condition to access services. Cookie walls violate this requirement by offering no real choice. Paywalls, on the other hand, align with GDPR guidelines because:

  • users are not coerced into agreeing to data collection
  • a fair, transparent alternative (paying for content) is provided

Implementing a paywall can offer a sustainable way to monetize content while avoiding the legal and user trust issues associated with cookie walls.

Image request: A comparison graphic showing cookie wall vs. paywall under GDPR.

A comparison graphic showing cookie wall vs. paywall under GDPR.

The debate around cookie walls and their legality reached new heights in January 2024 when NOYB (None of Your Business), a privacy advocacy group led by activist Max Schrems, filed a complaint against Meta’s “pay or okay” consent model in the European Union. This model forced users to either consent to data tracking for personalized ads or pay a subscription fee to access ad-free versions of Facebook and Instagram.

NOYB argued that this approach, often referred to as a cookie paywall, violated the GDPR’s principle of freely given consent. Users were presented with an unfair choice: allow their data to be tracked or lose access to essential services. This complaint posited that cookie paywalls restrict user autonomy by creating coercive scenarios that leave no real alternatives.

The case spotlighted the increasing scrutiny on cookie walls, pay walls, and how users are required to pay for access to content and services online, either monetarily or with their data.

Why these alternatives matter

Unlike cookie walls, GDPR-compliant cookie banners and paywalls give users more control over their experiences on websites. They can promote transparency, build trust, and improve user satisfaction, all while helping businesses avoid legal risks.

By adopting these alternatives, website operators can achieve their business goals, maintain user trust, and meet the evolving requirements of global privacy regulations.

While GDPR cookie banners are an effective and more likely compliant alternative to cookie walls, they must be designed ethically. Some websites use dark patterns — deceptive design tactics — to manipulate users into giving consent, which undermines transparency and trust.

What are dark patterns?

Dark patterns are design choices that intentionally mislead or pressure users into making decisions they may not fully understand or agree with. In the context of cookie banners, this can mean tricking users into accepting cookies or hiding or removing options to decline consent.

  • Pre-checked boxes: Automatically selecting options for users, like opting them into marketing cookies, which violates the GDPR’s requirement for explicit consent.
  • Unclear or misleading options: Using vague wording like “Customize” or making the “Accept” button prominent while hiding or downplaying the option to reject cookies.
  • Confusing layouts: Designing banners where declining cookies requires multiple steps while accepting them is a single click.
  • Misleading buttons: Making “Accept” buttons look like the only option, with small or grayed-out text for declining or managing settings.

Why dark patterns violate the GDPR

Dark patterns contradict the core principles of the GDPR, which require consent to be freely given, informed, and explicit. By tricking users into agreeing to provide their data, businesses not only risk noncompliance but also erode user trust. When users feel deceived, it damages relationships and discourages long-term engagement, which negatively affects revenue.

Building user trust through ethical design

To comply with the GDPR and build meaningful trust with users, businesses should avoid these manipulative tactics. Instead, cookie banners should:

  • provide clear, equal (and ideally granular) options to accept or decline cookies
  • avoid default consent (no pre-checked boxes or deleted options)
  • use simple, transparent language and design

By adopting ethical consent practices, website operators can design their cookie banners to be user-friendly, legally sound, and supportive of a positive user experience.

For websites looking to move away from cookie walls and adopt user-friendly, privacy-compliant solutions, a consent management platform (CMP) like Usercentrics provides the ideal answer.

The Usercentrics Web CMP enables websites to manage user consent transparently and in alignment with GDPR requirements. Instead of forcing users into all-or-nothing decisions, businesses can empower visitors with clear, granular consent options. It also seamlessly handles multiple regulations for companies with international operations.

Key features of Usercentrics CMP

  • Granular consent management: Give users control by enabling them to accept or decline all cookies or specific cookie categories, such as marketing or analytics cookies.
  • Transparency and trust: Communicate how user data will be used, building trust and improving engagement.
  • Privacy compliance reporting: Maintain detailed consent records to demonstrate legal compliance and be prepared for an audit or data subject access requests.
  • Advanced analytics: Analyze user interactions with consent banners to optimize acceptance rates and improve user experience.

Businesses can implement a CMP to avoid the legal risks and negative user experiences associated with cookie walls by providing users with clear, respectful choices that meet global privacy standards.

Offering transparency and user control doesn’t just align with GDPR requirements — it also builds long-term trust, fostering stronger relationships with customers. With Usercentrics, businesses can confidently navigate data privacy challenges while creating positive, privacy-compliant experiences for their users.

Scan your website now and find out which cookies and tracking technologies are collecting data.

Scan now

Frequently asked questions

What is a cookie wall and how does it work?

A cookie wall is a visual, digital barrier that blocks access to a website’s content unless users agree to the use of cookies or data tracking. It works by displaying a full-screen message or overlay that forces users to accept cookies to proceed. If users decline consent, they are unable to view or interact with the site. This creates an all or nothing scenario that limits user choice.

Are cookie walls allowed under the GDPR?

No, cookie walls are not allowed under the GDPR if they prevent access to the site unless the user provides blanket consent. According to the GDPR guidelines, consent must be freely given, informed, and explicit, meaning users must have a real choice when deciding whether to accept cookies. Since cookie walls require users to agree to data collection as a condition of accessing content, they violate the principle of freely given consent. Authorities like the European Data Protection Board (EDPB) and national regulators, such as France’s CNIL, have stated that cookie walls are non-compliant with the GDPR.

What’s the difference between a cookie wall and a paywall?

A cookie wall blocks access to website content unless users consent to data collection and tracking. This leaves users with no real choice and violates the GDPR’s requirements for freely given consent.

A paywall, on the other hand, offers users a transparent choice:

  • pay to access content directly
  • access content for free by agreeing to data collection

Paywalls can better align with the GDPR guidelines because users are presented with a genuine alternative, rather than being forced into data consent. This can make paywalls a more user-friendly and legally compliant option for content monetization.

What are dark patterns in cookie banners?

Dark patterns are deceptive design practices used to manipulate users into giving consent. In cookie banners, dark patterns can include:

  • pre-checked boxes: automatically opting users into cookies, which violates the GDPR’s requirement for freely given and explicit consent
  • misleading buttons: highlighting the “Accept” button while hiding or downplaying the option to decline cookies
  • confusing wording: using vague terms that make it unclear how to reject or customize consent options
  • complicated layouts: making it difficult to decline cookies by requiring multiple steps

These practices not only violate the GDPR guidelines but also erode user trust by making consent feel forced or deceptive.

What are cookie wall alternatives for website operators?

Website operators can replace cookie walls with more user-friendly and compliant solutions, such as:

  • GDPR cookie banners: Banners that provide users with clear options to accept, decline, or customize their cookie preferences. Using a consent management platform (CMP) simplifies this process and helps businesses meet the legal requirements.
  • Paywalls: Allowing users to access content either by paying directly or consenting to data collection. This respects user choice while enabling content monetization.

These alternatives promote transparency, comply with the GDPR standards, and help build trust with users by giving them control over their data.

Dec 20, 2024
The Video Privacy Protection Act (VPPA) was passed in 1988 to protect video rental history and viewing data. Today, its application extends to online video platforms like streaming services. Learn how US courts are interpreting the law and what steps to take for your business to comply.
Dec 13, 2024
The European Accessibility Act (EAA) sets accessibility standards for products and services across the EU, aiming to improve inclusion for people with disabilities and older adults. Learn what it covers, who must comply, and how to prepare for the June 2025 enforcement deadline.
Dec 12, 2024
If you operate in the EU or serve EU customers, it’s important to understand the 7 GDPR principles and how to apply them to your data practices. Below are clear examples and actionable steps you can take to help your business stay compliant and build trust.