"Pay or OK" Models:Are Consent-or-Pay Walls GDPR Compliant?

That gap in interpretation is precisely why consent-or-pay models remain the most legally contested area of GDPR consent practice in 2026. They are not banned. They are not automatically compliant. They exist in a regulatory space where the specific design of each implementation determines its legality — and where the standards for what qualifies as a genuine choice have been progressively tightened by regulatory opinions, enforcement actions, and court decisions over three years.

The reason these models exist at all is instructive. Large platforms facing GDPR enforcement were told that neither contract nor legitimate interest could serve as the lawful basis for behavioural advertising. They were pushed toward consent — and then built systems that made declining consent costly enough that most users would accept anyway. Regulators noticed. The EDPB's April 2024 opinion is the response.

Four things to understand before going further:

• Consent-or-pay models are not categorically prohibited under GDPR. Both the CNIL and the ICO have confirmed they can be compliant. The legal question is whether the model, as specifically implemented, produces freely given consent.
• The EDPB's Opinion 08/2024, issued April 17, 2024, concluded that in most cases large online platforms cannot comply with valid consent requirements if they offer only a binary choice between behavioural advertising consent and a fee. The opinion applies specifically to large online platforms but its analytical framework is referenced by national DPAs across all platform sizes.
• The critical factor the EDPB added — beyond prior guidance — is that a free third option without behavioural advertising should generally be available. A binary "consent or pay" choice is structurally more vulnerable than a three-way choice of consent to tracking / pay for no tracking / use a contextual-ads-only free version.
• The fee amount, the power balance between the platform and its users, the equivalence of the service across options, and the transparency of what each option entails are all independently assessed factors. Failing any one of them makes the model non-compliant regardless of the others.

EDPB Opinion 08/2024: The Current Authoritative Position

In April 2024, the Dutch, Norwegian, and Hamburg data protection authorities asked the EDPB a direct question: can Meta's €9.99/month subscription — offered as an alternative to behavioural advertising consent — produce valid GDPR consent?

The EDPB's answer: in most cases, no.

Opinion 08/2024 applies to "large online platforms" — entities designated as Very Large Online Platforms (VLOPs) under the Digital Services Act, with over 45 million monthly EU users. It does not directly govern smaller publishers. However, the EDPB explicitly stated it would issue further guidance for smaller platforms, and national DPAs have already begun applying the opinion's analytical framework to smaller entities in their enforcement work.

The EDPB's core conclusion is that in most cases, large online platforms cannot produce valid consent by offering only a choice between behavioural advertising consent and a paid fee. The word "most" was deliberately chosen to preserve case-by-case assessment rather than issue an absolute prohibition — but the opinion makes clear that meeting the consent standard in a binary model is structurally very difficult.

The EDPB identified four criteria for assessing whether the consent produced is freely given:

• Conditionality — whether service access depends on tracking consent
• Detriment — whether declining tracking produces meaningful negative consequences for the user
• Imbalance of power — whether the platform's market position impairs genuine choice
• Granularity — whether users can consent to specific processing purposes separately rather than all-or-nothing

The most operationally significant element for publishers and smaller platforms is the EDPB's recommendation that controllers consider offering a free equivalent alternative without behavioural advertising — a contextual-advertising-only version that gives users a third path beyond the binary pay-or-consent choice. Users can consent to behavioural advertising (free, tracked), pay for a tracking-free experience (subscription), or use a free version supported by contextual advertising that does not require data-driven profiles. The EDPB stated explicitly that offering only a paid alternative to behavioural advertising should not be the default approach.

National DPA Positions: Where the Standards Diverge

Regulators across EU member states are not reading from the same script. The specific DPA most likely to investigate your implementation shapes your practical compliance posture.

France's CNIL has taken the most elaborated and publisher-friendly position among major EU DPAs. In 2022, after the Conseil d'État ruled that a blanket ban on cookie walls was disproportionate, the CNIL published case-by-case criteria: whether a genuine and fair alternative is available, whether the payment required is a reasonable price, whether the model is limited to purposes that allow fair remuneration, and whether the tracking-free path actually limits unnecessary trackers. The CNIL's 2025 survey reinforced this approach, citing consumer willingness to pay as evidence that the model addresses genuine user preferences when implemented fairly.

The ICO in the UK published consent-or-pay guidance in January 2025 (updated October 2025), confirming the model can be lawful under four conditions: users must have a genuine choice without "take it or leave it" pressure, the fee must be reasonable and proportionate to the content available, the core service must be equivalent across both options, and the design must present choices fairly without dark patterns. The ICO noted that nearly 60% of tracking-related complaints it received in 2024 concerned users' inability to reject tracking — making consent-or-pay with a genuine free alternative a potential improvement on the existing landscape.

Germany's DSK concluded that consent-or-pay models can comply with GDPR if transparency is maintained, user behaviour is not manipulated, and the technical implementation actually delivers what each option promises. Austria's DSB, Spain's AEPD, and Denmark's data protection authority have each acknowledged potential legality under similar case-by-case analysis.

The Netherlands' AP has been notably more sceptical, and its complaint against Meta contributed to the EDPB opinion request. Publishers operating primarily in Dutch jurisdictions face a harder regulatory environment than those operating primarily in France or the UK.

The distinction between consent and legitimate interest as lawful bases — and why behavioural advertising has been pushed specifically toward consent after the invalidation of contract and legitimate interest as alternatives — is the legal context that explains why consent-or-pay models arose in the first place and why the consent quality standards for these models are being examined so rigorously.

When Consent-or-Pay Models Are More Defensible

The implementations that consistently satisfy DPA scrutiny share a common thread: they make the non-consent path genuinely available and genuinely equivalent — rather than technically offering it while making it economically or practically inaccessible.

Proportionate pricing means the fee reflects the actual cost of providing an ad-free service, not a price designed to push users toward consent. The CNIL's "reasonable price" standard and the ICO's "proportionate fee" standard both orient around what would be charged for the equivalent paid service if tracking were never part of the business model. A subscription price comparable to a modest streaming service tier for a comparable content offering is defensible. A fee set at €9.99 per month for a regional news site with limited content depth has a harder time meeting the proportionality standard.

Genuine service equivalence means editorial content, features, and user experience must be functionally the same — the difference is only the advertising model. A tracking-free subscription that loads slower, lacks access to archives, or excludes premium content is not offering an equivalent service. A consent-accepting free version with full features and a subscription-accepting free version with full features satisfy equivalence even if the subscription path has a better UX because it does not load advertising.

Granular consent options — allowing users to consent to some tracking purposes but not others — reduce the coercion concern and satisfy the specificity requirement. A model that requires accepting the full advertising partner stack to access any free content is more legally vulnerable than one that allows a user to accept analytics but decline behavioural advertising and receive a contextual-ads-only experience.

Transparency about what each option actually involves — which data categories are processed, which vendors receive data, how the tracking-free path technically prevents processing — is both a consent validity requirement and an enforcement priority. The CNIL's September 2025 fines against SHEIN (€150 million) and Google (€325 million) both included findings about inadequate transparency in consent design alongside banner mechanics issues. The enforcement pattern that has emerged in 2025 and 2026 — with GDPR consent fines increasingly targeting the substance of what users are told and whether the design of the consent interface reflects their actual choices — applies with particular force to consent-or-pay models where the commercial stakes make opaque design tempting.

The design of the consent-or-pay interface is an independent compliance variable, not a consequence of the pricing and structural decisions.

The EDPB's deceptive design patterns guidelines and the ICO's guidance both require that choices be presented with equal visual prominence and equal accessibility — neither option should appear as the "default" or "easy" path while the other requires additional steps to select.

Options should be presented in plain language that a reasonable user can understand without legal background:

• What does "personalised advertising" actually mean in terms of data collected, vendors involved, and purposes served?
• What does the paid option specifically deliver in terms of tracking prevention — technical enforcement or contractual promise?
• What does the contextual-ads tier actually involve, and what data is and is not collected?

Users who cannot understand what they are agreeing to have not given informed consent regardless of whether a paid alternative exists.

The technical enforcement of each path matters as much as the interface design. A model that shows a consent-or-pay banner but loads tracking scripts regardless of which path the user selects is not a consent-or-pay model — it is a consent interface over universal tracking. The tracking-free path must actually be tracking-free at the technical level: no advertising scripts loading, no device fingerprinting, no data transmission to third-party ad platforms. Building consent infrastructure that technically enforces user choices — not just records them in a CMP database — is the operational requirement that makes the difference between a defensible model and an enforcement target.

The Business Tradeoffs

Consent-or-pay models exist because publishers face a structural tension between GDPR's consent requirements and behavioural advertising revenue. When consent rates for tracking are low — which they typically are when presented honestly — the revenue from the consented segment may not sustain editorial operations. A paid subscription alternative captures value from users who decline tracking rather than losing them as a revenue source entirely.

The contextual advertising path — the EDPB's preferred "third option" — requires investment in ad technology that can serve relevant, contextual ads without user-level profiles. Contextual advertising generates significantly lower CPMs than behavioural advertising for most publishers, though the gap has narrowed as contextual technology has improved and as the supply of consented inventory has contracted. For premium editorial publishers with high-value audiences, a well-implemented contextual tier can be commercially viable.

Subscription conversion rates on consent-or-pay models typically range from 1% to 5% of users who decline tracking — low enough that subscription revenue alone rarely replaces behavioural advertising revenue from the full undifferentiated audience, but meaningful enough to improve total monetization of a privacy-respecting model.

Publishers who have implemented three-path models report that the consent rate to the tracking path tends to improve when users understand they have a free contextual-ads alternative. The presence of a genuine free alternative may paradoxically increase consented tracking revenue as well as capturing subscription revenue from willing payers — because users who feel a genuine choice are more likely to make an affirmative one.

Decision Framework: Should You Implement This Model?

The threshold question is whether your platform is in a dominant position or has a market-essential quality that limits genuine freedom of user choice. For a large social platform or major news aggregator with no viable alternative, the power imbalance analysis makes consent-or-pay models very difficult. For a specialist publisher serving a niche audience with readily available alternative content sources, the power imbalance concern is weaker and the model is more defensible.

The second question is whether you can offer a contextual-advertising-supported free tier that is genuinely equivalent in content and features to the tracking version. If you can, implementing a three-path model substantially reduces your regulatory exposure compared to a binary model. If you cannot — because your ad technology stack does not support contextual-only serving or your supply partner contracts require cross-site audience data — you face a structural choice between investing in the technical capability and operating a binary model whose legal status is increasingly precarious.

The third question is whether your fee is defensible as proportionate. If your subscription price is anchored to the actual cost of providing an ad-free service plus a reasonable margin, it is proportionate. If it is set to maximise revenue from privacy-conscious users regardless of service cost, it is likely not.

FAQ

Is consent or pay legal under GDPR? Not categorically prohibited, and not automatically compliant. Legality depends on the specific implementation: whether a genuine free alternative without tracking exists, whether the fee is proportionate, whether the service is equivalent across options, whether consent is specific and granular, and whether the design avoids coercion and dark patterns.

What is a pay or OK model? A monetization model in which users are offered two (or sometimes three) paths to accessing a service: consenting to personal data processing for behavioural advertising (free access), paying a subscription fee for tracking-free access, and — in the EDPB's preferred framework — a free contextual-advertising-supported tier that does not involve user-level profiles.

Can websites require consent for access? Not when access is made contingent on consent to non-essential processing and no genuine alternative is offered. The Netherlands' AP position that website access cannot depend on tracking consent reflects one end of the spectrum; the CNIL and ICO positions allowing conditional access when a genuine paid or contextual alternative is available reflect a more permissive middle ground.

Are cookie paywalls allowed in the EU? Subject to case-by-case analysis. France's Conseil d'État blocked a blanket prohibition in 2020. Most EU DPAs now assess cookie paywalls against criteria including genuine alternative availability, proportionate pricing, service equivalence, and transparency — rather than applying a categorical rule.

What do regulators say about consent walls? The EDPB's Opinion 08/2024 says binary consent-or-pay models are in most cases insufficient for large platforms. National DPAs including CNIL, ICO, DSK, and AEPD allow models that meet their respective case-by-case criteria. No EU DPA has issued an absolute prohibition applicable to all publishers.

The models that survive regulatory scrutiny are not the ones with the best legal opinion attached. They are the ones where a user presented with the choice genuinely feels free to decline tracking — because a real alternative exists, is affordable, delivers the same service, and technically enforces the path they chose.

That design standard is simultaneously a compliance requirement and a business opportunity: publishers who build it properly acquire paying subscribers and consenting users. Publishers who build it to maximize coerced consent acquire enforcement targets.

See how Secure Privacy's consent management platform helps publishers implement consent-or-pay models with the documentation, technical enforcement, and audit-ready records that demonstrate genuine choice to regulators.