“Pay to Reject” Cookies: A GDPR and ePrivacy Compliance Problem


The rise of “pay to reject” cookie models, also known as “cookie paywalls,” has sparked significant debate in the privacy community, particularly in the European Union (EU), where stringent data protection laws like the General Data Protection Regulation (GDPR) and the ePrivacy Directive govern the use of cookies and online tracking technologies. These models require users to pay a fee to opt out of non-essential cookies or accept cookies to access a website’s content for free, raising questions about compliance with EU privacy laws.


The question that often comes up in forums and privacy discussions is whether “pay to reject” cookie practices breach GDPR or ePrivacy rules. This article explores the legal requirements, enforcement trends, and practical implications for organizations, and offers guidance to other privacy professionals.

Understanding Cookies and EU Privacy Laws

Cookies are small data files placed on a user’s device to track online behavior, personalize content, or deliver targeted advertising. In the EU, cookies are regulated primarily by two frameworks: the GDPR and the ePrivacy Directive (Directive 2002/58/EC, as amended). While the GDPR governs the processing of personal data, the ePrivacy Directive, often referred to as the “Cookie Law,” specifically addresses the confidentiality of electronic communications and the use of tracking technologies like cookies and pixels.

Under the GDPR, personal data processing must have a lawful basis, such as consent, which must be freely given, specific, informed, and unambiguous (Article 4(11)). The ePrivacy Directive complements the GDPR by requiring organizations to obtain user consent before placing non-essential cookies on a user’s device (Article 5(3)). Strictly necessary cookies, those essential for the website to function (e.g., session cookies for login functionality), are exempt from this consent requirement.


The “pay to reject” model typically presents users with two options: (1) consent to non-essential cookies (e.g., for advertising or analytics) to access the website for free, or (2) pay a subscription fee to access the website without non-essential cookies. This practice has raised concerns about whether it aligns with the principles of “freely given” consent under the GDPR and the ePrivacy Directive’s requirements for cookie consent. The same, hotly debated question has arisen over the paid version that Meta/Facebook offers in the EU.

The Legal Framework: GDPR and ePrivacy Directive

GDPR Requirements for Consent

The GDPR sets a high standard for consent as a lawful basis for processing personal data. According to Article 7 and Recital 32, consent must be:

  • Freely given: Users must have a genuine choice without facing detriment for refusing consent.
  • Specific: Consent must be granular, allowing users to agree to specific types of data processing.
  • Informed: Users must receive clear, transparent information about what data is collected and how it will be used.
  • Unambiguous: Consent must be expressed through a clear affirmative action, such as clicking an “Accept” button.

The European Data Protection Board (EDPB), which provides authoritative guidance on GDPR enforcement, has emphasized that consent cannot be considered freely given if users face negative consequences, such as loss of access to services or additional costs, for refusing to provide it.

ePrivacy Directive and Cookies

The ePrivacy Directive, specifically Article 5(3), requires that users provide informed consent before non-essential cookies are placed on their devices. The directive allows access to website content to be conditional on cookie consent in some cases, but this must align with the GDPR’s consent requirements. The proposed ePrivacy Regulation, which aims to replace the directive, has not yet been adopted (as of July 2025), so the current directive remains in force, implemented through national law in each member state and with national variations (the UK, for example, retains it as the Privacy and Electronic Communications Regulations (PECR)).

The “Pay to Reject” Model

In a “pay to reject” model, websites argue that they offer users a choice: either consent to cookies or pay for an ad-free, cookie-free experience. Proponents claim this aligns with the ePrivacy Directive’s provision that access to services can be conditional on cookie consent. However, critics, including privacy advocacy groups like NOYB (None of Your Business), argue that this model undermines the GDPR’s requirement for freely given consent by introducing a financial penalty for exercising the right to refuse cookies.

Are “Pay to Reject” Models Compliant?

The Case Against Compliance

The primary concern with “pay to reject” models is whether they satisfy the GDPR’s “freely given” consent requirement. The EDPB’s Opinion 5/2024 on “Consent or Pay” models, issued in 2024, provides critical guidance. The EDPB asserts that forcing users to choose between paying a fee or consenting to data processing creates a situation where consent is not genuinely voluntary. Key arguments include:

  • Financial Detriment: Requiring payment to avoid cookies imposes a financial burden, which may coerce users into consenting, especially if the fee is significant or the website offers essential services (e.g., news or public information).
  • Lack of Equivalent Alternatives: The EDPB emphasizes that users must be offered a “real choice.” If the only alternative to consenting is paying a fee, this may not constitute a genuine alternative, particularly for users who cannot afford the subscription.
  • Dark Patterns: Some “pay to reject” implementations use design tactics (e.g., making the “Accept All” button more prominent than the “Reject” or “Pay” option) that nudge users toward consenting, potentially violating GDPR’s requirement for unambiguous consent.

The Court of Justice of the European Union (CJEU) further clarified in its 2019 ruling (Case C-673/17, Bundesverband v. Planet49) that consent must be active and explicit, and pre-ticked boxes or implied consent (e.g., continuing to browse) are invalid. While this case did not directly address “pay to reject” models, it underscores the need for clear, voluntary consent, casting doubt on practices that penalize refusal.

The Case for Compliance

Some organizations argue that “pay to reject” models are permissible under the ePrivacy Directive, which allows conditional access to services. For example, Recital 25 of the directive states that access to specific website content may be made conditional on the well-informed acceptance of cookies. Websites like The Washington Post have implemented such models, offering EU users a choice between consenting to tracking cookies or paying for a “Premium EU Ad-Free” subscription. Proponents argue:

  • Business Model Justification: Websites rely on advertising revenue, and offering a paid, cookie-free option balances user choice with operational needs.
  • Transparency: If users are clearly informed about the cookies’ purpose and the subscription alternative, the model could meet the “informed” consent requirement.
  • Draft ePrivacy Regulation: The latest draft of the ePrivacy Regulation (as of October 2019) suggests that “pay to reject” models may be permissible, though this regulation has not yet been finalized, and the EDPB’s stance leans against such practices.

Enforcement Trends

Recent enforcement actions by EU data protection authorities (DPAs) highlight the risks of non-compliant cookie practices. For example:

  • In December 2021, the French DPA (CNIL) fined Google €150 million and Facebook €60 million for making it harder to reject cookies than to accept them, citing violations of the French Data Protection Act, which implements the ePrivacy Directive. These cases focused on usability rather than “pay to reject” specifically but signal strict scrutiny of consent mechanisms.
  • In November 2020, the CNIL fined Carrefour €3 million for multiple GDPR violations, including placing advertising cookies without consent, demonstrating that non-compliance with cookie rules can lead to significant penalties.
  • The Spanish DPA fined Vueling Airlines €18,000 in 2019 for relying on implied consent through browsing, reinforcing the need for explicit consent mechanisms.
  • Outside Europe, fines and legal settlements in the USA have reached $18.4 million for running cookies without consent; that case involved not a news site but the healthcare industry, which is ripe for privacy compliance measures.

While no major DPA has yet issued a definitive ruling specifically targeting “pay to reject” models, the EDPB’s opinion and advocacy from groups like NOYB suggest that such models are at high risk of being deemed non-compliant, particularly if they lack a free, equivalent alternative to consenting.

Practical Implications for Organizations

For organizations considering a “pay to reject” model, the following steps can help mitigate compliance risks:

  1. Offer a Free Alternative: To align with the EDPB’s guidance, provide a free option to access the website without non-essential cookies. This could involve a limited version of the site that relies only on essential cookies.
  2. Ensure Transparency: Clearly disclose the types of cookies used, their purposes, and any third-party data sharing in a user-friendly cookie banner. Avoid vague language or hidden settings.
  3. Balance Consent Options: Make the “Accept” and “Reject” options equally prominent to avoid dark patterns. The European Commission’s cookie banner, with equally weighted “Accept All” and “Reject All” buttons, is a good example. Honda Motors was recently hit with a big fine for not following this requirement.
  4. Document Consent: Maintain records of user consent, as required by GDPR Article 7(1), to demonstrate compliance in case of a DPA audit.
  5. Monitor Regulatory Developments: The proposed ePrivacy Regulation may clarify the legality of “pay to reject” models, but until it is adopted, organizations should prioritize GDPR-compliant practices.
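Steps 1 to 4 above describe a consent mechanism: non-essential cookies stay off until the user explicitly opts in, rejecting is free and as easy as accepting, and every decision is recorded so it can be demonstrated to a DPA (GDPR Article 7(1)). The following JavaScript is an added example written for this article, not code from the original post or from Captain Compliance. It models that mechanism as a small consent manager. The category names, the policy version string, and the in-memory storage are constructed for the example; in a browser the `storage` object would be backed by localStorage or a first-party cookie, and the "loader" would be the function that injects a third-party tag.

```javascript
// Added example: a consent manager that gates non-essential cookie categories
// behind explicit, granular opt-in and keeps a consent record. Hypothetical
// code written for this article; category names and storage are constructed.

const CATEGORIES = {
  essential: { essential: true },    // exempt from consent (e.g. login session)
  analytics: { essential: false },   // needs consent before any tag runs
  advertising: { essential: false },
};

// Minimal key/value store so the example runs outside a browser
// (constructed stand-in for localStorage or a first-party cookie).
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, v); },
  };
}

function createConsentManager({ storage, policyVersion, now = () => new Date() }) {
  const STATE_KEY = "consent_state";
  const LOG_KEY = "consent_log";

  const readJson = (key, fallback) => {
    const raw = storage.getItem(key);
    return raw === null ? fallback : JSON.parse(raw);
  };
  const writeJson = (key, value) => storage.setItem(key, JSON.stringify(value));

  // Default position: only essential categories are on until a choice is made.
  const defaultChoices = () =>
    Object.fromEntries(Object.keys(CATEGORIES).map((c) => [c, CATEGORIES[c].essential]));

  // Every decision is appended to an audit log with a timestamp and the
  // version of the banner/policy text the user saw (Art. 7(1) record).
  function record(action, choices) {
    const entry = { action, choices, policyVersion, at: now().toISOString() };
    writeJson(STATE_KEY, { choices, policyVersion });
    writeJson(LOG_KEY, [...readJson(LOG_KEY, []), entry]);
    return entry;
  }

  const api = {
    // Granular opt-in: any category not named stays off.
    decide(granted) {
      const choices = defaultChoices();
      for (const c of granted) {
        if (!(c in CATEGORIES)) throw new Error(`unknown category: ${c}`);
        choices[c] = true;
      }
      return record("decide", choices);
    },
    acceptAll() {
      const all = Object.fromEntries(Object.keys(CATEGORIES).map((c) => [c, true]));
      return record("accept_all", all);
    },
    // Rejecting is one step and costs nothing: no fee, no reduced functionality
    // beyond the absence of the non-essential categories themselves.
    rejectAll() { return record("reject_all", defaultChoices()); },
    // Withdrawal must be as easy as giving consent (Art. 7(3)).
    withdraw() { return record("withdraw", defaultChoices()); },
    isAllowed(category) {
      if (!(category in CATEGORIES)) throw new Error(`unknown category: ${category}`);
      if (CATEGORIES[category].essential) return true;
      const state = readJson(STATE_KEY, null);
      // Consent given under an older policy version is not carried over.
      if (state === null || state.policyVersion !== policyVersion) return false;
      return state.choices[category] === true;
    },
    // Gate for third-party tags: the loader runs only with valid consent.
    loadIfAllowed(category, loader) {
      if (!api.isAllowed(category)) return false;
      loader();
      return true;
    },
    log() { return readJson(LOG_KEY, []); },
  };
  return api;
}

// Walk-through with constructed data; returns the observations for checking.
function demo() {
  const cm = createConsentManager({ storage: memoryStorage(), policyVersion: "2025-07" });
  let tagLoads = 0;
  const loadAdTag = () => { tagLoads += 1; };
  const before = cm.loadIfAllowed("advertising", loadAdTag); // false: nothing loaded yet
  cm.decide(["analytics"]);                                   // granular opt-in
  const analytics = cm.isAllowed("analytics");                // true
  const ads = cm.loadIfAllowed("advertising", loadAdTag);     // still false
  cm.acceptAll();
  const adsAfter = cm.loadIfAllowed("advertising", loadAdTag); // true: tag runs once
  cm.withdraw();
  const afterWithdraw = cm.isAllowed("advertising");          // false again
  return { before, analytics, ads, adsAfter, tagLoads, afterWithdraw, entries: cm.log().length };
}
```

The design choice worth noting is the default: `isAllowed` answers false for every non-essential category until a record exists for the current policy version, so a tag that is only ever injected through `loadIfAllowed` cannot run before consent, and a change to the banner text invalidates earlier consent rather than silently extending it.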

So…Is it Legal to Have the Pay to Reject Model on My Website?

The “pay to reject” cookie model sits in a gray area of EU privacy law. While the ePrivacy Directive allows conditional access to services, the GDPR’s stringent requirements for freely given consent, reinforced by the EDPB’s 2024 opinion, suggest that imposing a financial penalty for refusing cookies likely violates the principle of voluntary consent. Recent enforcement actions demonstrate that DPAs are actively penalizing non-compliant cookie practices, and “pay to reject” models face significant scrutiny from regulators and advocacy groups.

Organizations adopting such models must tread carefully, ensuring transparency, offering genuine choices, and staying abreast of regulatory developments. It is recommended to prioritize user-centric, compliant consent mechanisms to avoid costly fines and issues with your user base and stakeholders. Until the ePrivacy Regulation is finalized, the safest approach is to offer a free, cookie-free alternative to ensure compliance with both GDPR and ePrivacy rules. If you have doubts or want help, reach out to one of our compliance superheroes here at Captain Compliance.
