TL;DR — A cookie wall is a mechanism that conditions access to a site on accepting cookies. The CNIL and the European Data Protection Board (EDPB) have confirmed that cookie walls without a genuine alternative are unlawful under GDPR: consent obtained under such conditions is not free. A paid alternative can make a cookie wall lawful under strict conditions, but this model is closely scrutinised by authorities.
Cookie walls are an understandable temptation for publishers: forcing visitors to accept cookies rather than risking a high refusal rate. But their legality is strictly governed, and in most cases a standard cookie wall is unlawful. This guide explains what a cookie wall is, why it creates problems and in what (very limited) circumstances it can be used.
What is a cookie wall?
A cookie wall is a mechanism that blocks access to a site's content and displays a conditional message: the user must accept cookies to access the site. In its most common form, the banner offers no refusal button, or refusal results in a blank page or impossible access.
Different forms of cookie walls
Pure cookie wall: no refusal button. The only way to access the site is to accept all cookies. Not lawful.
Cookie wall with paid alternative ('pay or consent'): the user can either accept advertising cookies or pay a subscription to access the site without cookies. This model is lawful under very strict conditions.
Partial cookie wall: access to the main content is blocked but some elements remain visible (title, summary). Legality varies depending on conditions.
Why are cookie walls (generally) unlawful?
GDPR requires that consent be freely given. Consent given under duress — notably under threat of being denied a service — is not free within the meaning of GDPR. This is the basis for the unlawfulness of cookie walls.
The ICO's position
The ICO has confirmed in its guidance that making access to a service conditional on accepting cookies is contrary to the principle of freely given consent. It has issued warnings to publishers using cookie walls without a genuine alternative. The ICO acknowledges a nuance: if the user has a 'real and fair alternative', consent may be considered free.
The EDPB's position
The European Data Protection Board (EDPB) published an opinion on the 'pay or consent' model in 2023. Its main conclusion: this model may be compatible with GDPR if the alternative (the paid version) is fair, accessible and genuine — but the EDPB remains critical of the pressure this model places on users with limited income. Major platforms (Meta, Google) have implemented this model and are subject to review procedures by authorities.
The 'pay or consent' model: conditions for lawfulness
If you wish to implement a cookie wall with a paid alternative, here are the cumulative conditions to meet according to current guidance.
1. A genuine alternative
The paid alternative must provide access to the same content or service, without analytics or advertising cookies. The alternative cannot be fictitious (prohibitive price, severely degraded access, different service).
2. A fair price
The price of the cookie-free alternative must be reasonable and reflect the real economic value of the data foregone. A 'no cookies' subscription at the same price as a paid premium subscription constitutes a fair alternative according to the EDPB. A very high price designed to discourage the cookie-free choice would be considered contrary to the freedom of consent.
3. Clear information
The user must clearly understand what they are consenting to, what their data will be used for, and what the alternative includes or excludes. The presentation must not visually favour the cookie acceptance choice (no dark patterns: prominent 'accept' button, 'pay' option difficult to find).
4. No degraded access for those who refuse
If the user refuses cookies and does not subscribe, this may result in content being blocked. But if partial access is possible (some free articles, limited access), the alternative must clearly specify these conditions.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Common mistakes
Removing the refusal button from the banner. Even with a cookie wall, GDPR requires that refusal be accessible. A hidden or absent refusal button is unlawful.
Setting a prohibitive price for the cookie-free alternative. A subscription at €30/month for a normally free site does not constitute a fair alternative. The EDPB examines price proportionality.
Using dark patterns in the presentation. Visually emphasising the 'accept' button and making the subscription path difficult undermines the freedom of consent.
Applying a cookie wall to essential services. The more essential the service is considered or the fewer reasonable substitutes exist, the harder it is to justify the paid alternative as 'free'.
Not documenting the model in the GDPR register. The pay-or-consent model must appear in the processing register with legal bases, purposes and protective measures.
What to do instead
If the goal is to increase the consent rate, lawful and more effective alternatives exist: banner optimisation (design, text, category granularity), reduction in the number of cookies requested (focusing on purposes essential to your business model), and implementing a clear, non-aggressive banner. For lawful consent rate optimisation, see the FlowConsent guide at /en/blog/cookie-consent-rate-optimization.
Cookie wall checklist
- Verify your banner offers a refusal button accessible with a single click.
- If considering a cookie wall: determine whether a genuine alternative can be offered.
- If using pay-or-consent: set a proportionate, justifiable price, without dark patterns.
- Document the model in the processing register and privacy policy.
- Ensure the banner is no more restrictive than necessary and does not visually coerce consent.
- Consult a DPO or legal counsel before implementing a cookie wall, even a partial one.
- Regularly test the banner to ensure compliance with evolving regulatory decisions.
Cookie walls are legally unstable territory. The pay-or-consent model can be lawful, but only under very strict conditions that few sites can satisfy. The safest approach remains optimising the consent banner rather than removing it. Scan your site at /en/scan to see which cookies are active and evaluate whether their volume justifies a cookie wall or whether reduction is possible.
Frequently asked questions
What exactly is a cookie wall?
A cookie wall is a mechanism that blocks access to a website's content and displays a message conditioning access on the acceptance of cookies. Unlike a standard consent banner — which lets users refuse and still access the site — a cookie wall gives no real choice: accept cookies or leave. This form of coercion makes the consent obtained invalid under GDPR.
Why are most cookie walls illegal under GDPR?
GDPR requires that consent be freely given. Consent obtained under the threat of being denied access to a service is not free. The EDPB (European Data Protection Board) and multiple national authorities have confirmed this position: conditioning access to a site solely on cookie acceptance makes the consent invalid. Standard cookie walls, without any real alternative, are therefore illegal in most cases.
Can a pay-or-consent model make a cookie wall legal?
Possibly, but under very strict conditions. The EDPB's 2023 opinion on the pay-or-consent model confirms that it can be compatible with GDPR if the paid alternative is fair (price proportional to the economic value of the data), genuine (same content and service quality), and clearly presented (no dark patterns). In practice, few implementations fully meet these criteria, which is why this model remains under scrutiny by authorities.
What are the alternatives to a cookie wall for improving consent rates?
Instead of a cookie wall, there are legal and effective approaches to optimize consent: improve banner design (clear layout, balanced button sizing), refine the wording of purposes to make cookies feel less intrusive, reduce the number of cookies by focusing on those strictly necessary for the business model, and make the refusal option visible without hiding it. These optimizations can significantly improve consent rates without legal risk.
What sanctions can apply to a website using an illegal cookie wall?
Data protection authorities can issue formal notices, which require the website to bring itself into compliance within a set deadline. Failure to comply can result in financial sanctions of up to 4% of global annual turnover or €20 million for a company. Beyond fines, the authority can order the site to stop processing data collected via the illegal wall. Several European authorities — including the French CNIL, the Belgian APD, and the Italian Garante — have already taken enforcement action against cookie walls.