Pay-or-Consent Models in 2026: EDPB Guidance for Publishers
For two years European publishers have leaned on the same answer when GDPR consent rates collapsed: offer users a choice between accepting tracking or paying a subscription. The pay-or-consent model — sometimes called consent-or-pay or the cookie paywall — promised a way to keep ad-funded business models alive while satisfying the GDPR's requirement that consent be freely given. In 2026 that compromise is under serious legal pressure. The European Data Protection Board, the Italian Garante, the German DSK, and the Norwegian Datatilsynet have all weighed in, and the European Court of Justice now has the question on its docket. This guide explains where the law stands today and what publishers can do to keep a compliant pay-or-consent flow live.
What Pay-or-Consent Means in Practice
A pay-or-consent banner presents the user with two choices on first visit. The first is to accept tracking and processing for behavioral advertising in exchange for free access to the content. The second is to pay a recurring fee — usually monthly — in exchange for an ad-free or tracking-free version of the same content. Refusing both options blocks access entirely. Meta, Le Monde, Der Spiegel, Bild, and dozens of mid-tier European publishers have shipped variants of this design since 2023.
The legal theory is that consent remains freely given because the user has a genuine alternative: they can pay rather than consent. The counter-theory, which regulators have increasingly endorsed, is that this only works if the paid alternative is a real and proportionate equivalent — and many implementations fail that test.
The EDPB's April 2024 Opinion and What Followed
The starting point for any 2026 analysis is the EDPB's Opinion 08/2024, adopted in April 2024 in response to a request from the Dutch, Norwegian, and Hamburg supervisory authorities. The Opinion deals specifically with very large online platforms but its reasoning is now applied broadly to publishers.
The EDPB held that, in most cases, large platforms cannot rely on a binary pay-or-consent design to obtain GDPR-valid consent. Three EDPB conclusions matter most for publishers:
- A binary choice is rarely sufficient. Where the alternative to consent is a paid subscription that is the only other option, consent will usually not be freely given. Controllers should consider offering a third option that does not involve any payment and does not involve behavioral tracking — such as a contextual-advertising tier.
- The fee must not be a deterrent. If the price is set so high that users feel functionally compelled to consent, the choice is illusory. Regulators may compare the fee to the publisher's own ARPU on consenting users.
- The processing scope must be limited. Even when consent is given, it cannot lawfully cover unrelated processing such as data sharing with hundreds of third-party vendors. Each processing purpose still requires its own valid legal basis.
Position of National DPAs in 2026
Italy — Garante
The Italian DPA has been the most active enforcer. In its 2024 guidelines and a series of 2025 decisions, the Garante required that publishers offer a third no-tracking, no-payment option, with the precise rules depending on the publisher's size and market position. Pure binary banners on Italian-language sites are now treated as presumptively non-compliant.
Germany — DSK
The German conference of data protection authorities issued a position paper in late 2024 that aligned with the EDPB but stopped short of a flat ban. The DSK requires the alternative to be \"appropriate\" — meaning the paid tier must offer comparable content access, the price must be objectively justifiable, and any free alternative offered must be genuinely usable. Several Landesdatenschutzbeauftragte have since opened investigations into specific publishers.
Norway — Datatilsynet
Norway took the strongest line. In a 2025 statement Datatilsynet said that for most general-interest publishers, no pay-or-consent design will produce valid consent under the GDPR. Norwegian publishers are increasingly defaulting to contextual advertising or hybrid contextual-plus-consent flows.
France — CNIL
The CNIL's position is more pragmatic but evolving. France permits pay-or-consent in principle but published criteria in 2025 covering price reasonableness, the scope of tracking under the consent option, and whether refusal genuinely results in continued access through alternative channels.
What a Compliant Implementation Looks Like in 2026
Pay-or-consent is not dead, but it survives only when designed carefully. Publishers that want to keep this flow live should evaluate four design dimensions.
Add a third option
The single most important change since the EDPB Opinion is the addition of a third choice: free access with contextual advertising and no behavioral tracking. This third option does not need to be the default — it can sit one click deeper than \"Accept\" and \"Subscribe\" — but its existence transforms the legal posture of the banner. Several major German and Italian publishers have implemented this pattern through 2025.
Justify the price
Document how the subscription price was set. Compare it to the publisher's own ARPU on consenting users, to comparable subscription products in the market, and to the marginal cost of serving non-tracked traffic. A price that is several multiples above the ARPU of consenting users is the single fastest path to a regulator decision against you.
Narrow the consent scope
Audit what users actually consent to under the \"Accept\" path. The EDPB Opinion is explicit that consent cannot bundle unrelated purposes. If your TCF string lists 300 vendors and a dozen unrelated purposes, the consent is vulnerable even before the pay-or-consent question is reached. Reduce the vendor list, separate purposes where possible, and surface granular controls rather than a single Accept-All button.
Honor easy reversal
Make withdrawal of consent as easy as the original grant. The CNIL and the Garante have both fined publishers whose subscription cancellation flows were materially harder than the original sign-up. The same logic now applies to consent: the path to revoke must be discoverable, frictionless, and complete.
What to Watch Through 2026
Two pending developments will reshape this area before year-end. The first is the European Court of Justice's pending decision on the Meta pay-or-consent case (referred from the Austrian DSB), which will give the first binding pan-EU ruling on the legality of the pattern. The second is the European Commission's review of the GDPR's interaction with the Digital Markets Act and the Digital Services Act, which is examining whether very large online platforms should face stricter rules than smaller publishers — a position the EDPB has hinted at but not formally established.
Until those decisions land, the safest publisher posture is the one regulators have already telegraphed: offer a third no-tracking option, keep prices objectively justifiable, narrow the consent scope to genuinely related purposes, and make withdrawal as easy as the original grant. Publishers who get all four right will keep their pay-or-consent flows live; the rest are increasingly likely to face enforcement.