Cookie walls can feel like a reasonable trade. Users get access to content, and brands get the data they need to run advertising.
However, the EU’s General Data Protection Regulation (GDPR) does not see it that way. For consent to be valid, it has to be freely given. When access to a website is conditional on accepting cookies, that freedom disappears.
What makes this complicated is that cookie walls are not always obvious. Some block the page entirely. Others bury the reject option, require multiple clicks to opt out, or use pre-ticked boxes to push visitors toward acceptance. Regulators treat these as the same underlying problem: consent that is not freely given. The design varies; the legal issue does not.
This is why cookie walls are now a consistent focus in regulatory guidance and enforcement. Understanding how they are defined, where they fall short, and what to use instead is key to staying compliant.
At A Glance
- A cookie wall is a visual, digital barrier that blocks site access unless users consent to tracking.
- Under the GDPR, cookie walls are generally not compliant because consent must be freely given.
- The EDPB confirmed in its guidelines that access to services cannot be made conditional on consent to cookies.
- “Consent or pay” models are not automatically compliant and rarely produce valid consent for large platforms.
- The EU’s proposed Digital Omnibus Act would require a one-click rejection option equal in prominence to acceptance.
- Compliant alternatives exist, and, when designed well, tend to produce better consent rates than cookie walls do.
What is a Cookie Wall?
A cookie wall is a visual and digital barrier that blocks access to a website unless a visitor consents to cookie-based tracking or similar technologies. It typically appears as a full-screen overlay with a single “Accept” button and no visible way to decline or manage preferences.
There is no payment option, no partial access, and no way to continue without agreeing to data collection.
While cookie walls are intended to help website operators gather data for advertising or analytics, they leave visitors with little meaningful choice, creating a frustrating experience and raising concerns about fairness and transparency.
Cookie Wall vs. Paywall: What’s the Difference?
The terms are sometimes used interchangeably, but they describe different things.
- A cookie wall makes data tracking the condition of access. There is no payment option and no way to access the content without agreeing to cookie use.
- A paywall makes payment the condition of access.
Some publishers combine the two: pay for ad-free access, or access for free by consenting to tracking. This is the “consent or pay” model, and it has its own compliance questions, which we will cover. But it is structurally different from a pure cookie wall because a financial alternative exists.
Under the GDPR, the distinction matters. A paywall can, in principle, offer website visitors a real choice. A cookie wall does not.
What Does a Cookie Wall Look Like?
Cookie walls typically appear as full-screen semi-opaque overlays that block visibility and access to the page underneath. The banner typically presents a single prominent “Accept” button, with no visible way to decline or adjust preferences.
For example, a user might arrive at a website and find the content completely hidden behind a large overlay. Until they agree to data collection, the page remains inaccessible. This design forces users to make an all-or-nothing decision, often delivering a frustrating experience, and preventing freely given consent.
Some versions are more subtle. A consent banner might appear to offer choice but buries the reject option in small text, requires multiple clicks to decline, or uses pre-ticked boxes to nudge users toward acceptance. These manipulations are dark patterns, and regulators treat them with the same scepticism as an outright cookie wall. Under some privacy regulations, they are explicitly prohibited.
A privacy-compliant design, like a GDPR cookie banner, looks different, with equally prominent accept and decline options, granular choices by cookie category, and no barrier to access the page.
What Is the “Consent or Pay” Model, and Is It Compliant?
The “consent or pay” model under the GDPR gives users a choice: agree to data tracking, or pay a subscription fee to access the content without tracking. Unlike a hard cookie wall, it does offer an alternative to consent. That distinction matters legally.
However, this does not automatically make the model GDPR-compliant.
In April 2024, the European Data Protection Board adopted Opinion 08/2024 on “consent or pay” models. Its assessment was clear: for large online platforms (LOPs), these models generally do not result in valid, freely given consent under the GDPR.
The issue is structural. When the only alternative to consent is payment, users remain under pressure, and pressure undermines the requirement that consent be freely given.
The EDPB did not impose an outright ban. Instead, it confirmed that a case-by-case assessment is required, and that some implementations may still be defensible. That said, the threshold is high. For the model to be acceptable, the fee must be proportionate, and ideally, there should be a third option, such as access to a version of the service that does not rely on tracking-based advertising at all.
For publishers and smaller organizations, the same standard applies. While the opinion focuses on large platforms, it signals the broader direction of enforcement across the EU.
This approach also aligns with developments under the Digital Markets Act (DMA). For platforms designated as gatekeepers, combining consent with access to core services is subject to stricter scrutiny.
In that context, Meta’s “pay or okay” model has already been challenged by NOYB. The first instance was in November 2023, when the group argued that requiring users to either consent to personalized advertising or pay up to EUR 251.88 per year does not constitute freely given consent, particularly for services that play a central role in everyday digital life.
A second complaint followed in January 2024, arguing that withdrawing consent was made deliberately burdensome compared to giving it.
Are Cookie Walls Legal Under GDPR?
As a general rule, cookie walls are not legal under the GDPR. The GDPR requires that consent be freely given. That means users must have a real choice, and can’t face consequences for refusing. A cookie wall removes that choice entirely: consent is the price of entry.
The EDPB was explicit on this in its Guidelines 05/2020: access to services and functionalities cannot be conditional on a user’s consent to the storing of, or access to, information on their terminal device.
National regulators have reinforced this position consistently. France’s CNIL, the Dutch Data Protection Authority, and the Belgian Data Protection Authority have all concluded that cookie walls do not meet the standard for valid GDPR consent.
For consent to be valid under the GDPR, it must be:
Freely given
No pressure, no consequences for refusing
Informed
Users understand what they are agreeing to
Specific
Consent is given per purpose, not in bulk
Unambiguous
A clear, active action is required
Revocable
Withdrawing consent must be as easy as giving it
Cookie walls fail the freely given test by design. When access to a service is conditional on consent, any agreement is not free.
The Digital Omnibus Act and One-Click Reject
The regulatory direction is already clear, but proposed EU legislation would codify it further. The Digital Omnibus Act, currently moving through the European legislative process, includes provisions that would require a one-click rejection option that is equally prominent as the acceptance button, presented on the first layer of any consent interface.
If adopted, this would effectively mandate what the EDPB’s guidelines already recommend: no buried reject buttons, no multi-step opt-outs, no design that makes refusal harder than acceptance. Websites that rely on cookie walls or dark-pattern banners would need to redesign their consent flows entirely.
The proposal signals that the current enforcement posture is not a temporary phase. It reflects a sustained legislative commitment to meaningful consent as a baseline requirement across the EU.
Cookie Wall Rules by Country
The GDPR sets the baseline across EU Member States, but national regulators have developed their own positions, and rules outside the EU vary. Cookie walls are now a named enforcement concern in multiple jurisdictions.
| Country / Region | Regulatory Body | Position on Cookie Walls |
| EU (General) | European Data Protection Board (EDPB) | Not compliant; access cannot be conditional on consent per Guidelines 05/2020. |
| France | Commission nationale de l’informatique et des libertés (CNIL) | Explicitly prohibited; “consent or pay” is only permissible with a genuine free alternative. |
| Belgium | Belgian Data Protection Authority | Prohibited with multiple enforcement decisions already issued against digital publishers. |
| Spain | Agencia Española de Protección de Datos (AEPD) | Not compliant; requires equal prominence for “Accept” and “Reject” options on the first layer. |
| Denmark | Datatilsynet | Prohibited; cookie walls and deceptive dark patterns are a named 2026 enforcement priority. |
| United Kingdom | Information Commissioner’s Office (ICO) | Generally not acceptable; the 2025 Data (Use and Access) Act allows narrow exemptions for low-risk cookies, but never for walls or behavioral ads. |
| United States | FTC / State Attorneys General | Prohibited as “dark patterns”; while no federal GDPR exists, Section 5 of the FTC Act treats forced tracking as a deceptive practice like other dark patterns. |
| California (U.S.) | CalPrivacy, Attorney General | Illegal; CCPA/CPRA prohibits “retaliation” or denying service to users who exercise privacy rights or use Global Privacy Control (GPC) signals. |
| Texas (U.S.) | Texas Attorney General | Not compliant; the TDPSA (Texas Data Privacy Act) requires consent to be “freely given” and explicitly excludes agreements obtained via dark patterns. |
| Other U.S. States | Colorado, Virginia, Connecticut Attorneys General | Prohibited; non-discrimination clauses in Colorado (CPA), Virginia (VCDPA), and Connecticut (CTDPA) prevent blocking access for users who opt-out. |
| Brazil | Agência Nacional de Proteção de Dados (ANPD) | Inconsistent; the LGPD requires “freely given” consent, making most wall structures legally indefensible. |
| Canada | Office of the Privacy Commissioner (OPC) | High scrutiny; PIPEDA requires “meaningful consent,” which is negated when access is conditional on tracking. |
Cookie Wall Enforcement Is Increasing
Regulatory guidance on cookie walls has been consistent for years. What’s changed is the willingness to act on it. Enforcement actions are becoming more frequent, fines are growing larger, and regulators are naming cookie walls and dark patterns as explicit priorities rather than treating them as edge cases.
The following examples illustrate the increase in cookie wall enforcement.
| Company / Authority | Jurisdiction | Action | Outcome |
| France (CNIL) | CNIL found that Google made it harder to refuse cookies than to accept them, requiring multiple clicks to opt out versus a single click to consent. | Fined €150 million in 2022; precedent now being codified by the 2026 Digital Omnibus Act. | |
| SHEIN | France (CNIL) | French DPA investigated SHEIN’s consent practices, finding that users were not given a meaningful way to refuse tracking cookies and that cookies were placed before consent. | Fined €150 million in Sept 2025; required to overhaul consent flows to include a “Reject All” button. |
| Dutch DPA (AP) | Netherlands | The AP published updated enforcement guidance explicitly naming cookie walls as non-compliant and announced targeted reviews of high-traffic websites. | Active monitoring of 10,000+ sites; over 200 warnings issued as of late 2025 with fines pending for non-remediation. |
| Danish DPA (Datatilsynet) | Denmark | Datatilsynet designated cookie walls and deceptive consent patterns as a named enforcement priority for 2026, committing to proactive investigations. | Proactive audit phase launched Q1 2026; coordinated enforcement with the Agency for Digital Government. |
The pattern across these cases is consistent: regulators are not waiting for complaints. They are conducting proactive sweeps, issuing guidance that names specific practices as prohibited, and using fines large enough to create deterrent effects beyond the individual case.
Compliant Alternatives to Cookie Walls
Cookie walls are usually a revenue protection decision. The concern is that without them, consent rates will drop and ad revenue will follow. But that logic doesn’t hold up under scrutiny.
Consent obtained under pressure is harder to defend legally, more likely to be withdrawn, and, under the GDPR, may not constitute valid consent at all. Visitors who choose to consent freely are more valuable than those who were given no real choice.
Several approaches protect revenue without the legal exposure.
A GDPR Cookie Banner
A properly designed GDPR cookie banner is the most direct alternative. When built with equally prominent accept and decline options, granular category choices, and clear language, it can perform well on consent rates.
To implement and manage this effectively at scale, many organizations rely on a consent management platform (CMP). A CMP handles the technical and legal requirements, maintains auditable consent records, and can be configured to meet the requirements of multiple regulations for organizations operating internationally.
A “Consent or Pay” Model
A carefully implemented “consent or pay” model can be compliant if the fee is proportionate and the choice is structured so that users are not effectively coerced.
The EDPB’s 2024 opinion sets a high bar, particularly for large platforms, but the model is workable for publishers willing to meet it. Offering a third option, such as a free version with non-tracking advertising, strengthens the case considerably.
Contextual Advertising
Contextual advertising targets ads based on the content of the page rather than visitor behavior. It does not depend on tracking consent, which removes the consent dependency from that revenue stream entirely.
For many publishers, contextual ads perform competitively with behavioral targeting, and the approach carries no regulatory risk.
First-Party Data Strategies
A first-party data strategy involves users voluntarily sharing information in exchange for a better experience: newsletters, personalization, saved preferences, and similar value exchanges. This builds a consented, durable data asset over time. It is a longer-term investment than a consent banner, but it is structurally robust and does not depend on third-party tracking.
Learn more about first-party data marketing: tips and strategies for 2026
The key principle across all of these: visitors who have a choice are more valuable than visitors who have been coerced. Consent obtained under pressure tends to be lower quality, less durable, and more exposed to challenge.
How Usercentrics CMP Helps With GDPR Cookie Consent
Cookie walls have never been compatible with the GDPR. What’s shifted is the pace and confidence of enforcement. Regulators are no longer treating this as a gray area.
Additionally, consent obtained under pressure yields lower-quality data, higher withdrawal rates, and records that are more difficult to defend if challenged. Consent that is given through a clear, balanced choice is more stable and more reliable.
Compliant alternatives exist, but they need to be implemented correctly to meet both regulatory and performance requirements.
Usercentrics CMP is designed to support this by helping companies replace cookie walls with GDPR-compliant consent experiences and providing audit-ready consent records.
If you’re unsure how your current setup performs, the fastest way to assess it is to scan your website and see which cookies are being set and how consent is collected.
Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.
