Are Cookie Walls Legal? What 2026 Rules Actually Say

Mostly no in the EU — blocking access unless visitors accept tracking fails the GDPR's freely-given consent test. How France, Germany, Italy, and US rules differ.

Written by Daniel

You've seen the banner: "Accept cookies to continue." No reject button, no second option, no way past it. Either you agree to tracking or the site stays locked.

That's a cookie wall, and someone on your team has probably suggested one. Consent rates are annoying, "everyone else does it," and a wall solves the problem in one sprint.

Except it mostly doesn't — at least not legally. Cookie walls sit on the exact question regulators have spent years probing: whether consent obtained under conditions is consent at all. And the answer varies by country more than almost any other cookie-consent question, so this article goes regulator by regulator.

In most of the EU, no — a hard cookie wall that blocks access entirely unless the visitor accepts tracking produces invalid consent under the GDPR. The European Data Protection Board's consent guidelines say it plainly: if access to a service is conditional on accepting cookies, the user has no genuine choice, so consent is not "freely given" and the processing is unlawful.

The longer answer has three layers:

  • Hard walls (no alternative at all): invalid in the EU, prohibited outright by the Dutch DPA, treated as non-compliant "in most cases" by the UK's ICO.
  • Walls with a real alternative (usually a paid option): assessed case by case. France, Germany, Italy, and Austria each allow them under conditions — but the conditions differ, and the model is under active legal challenge. That's the "consent or pay" debate, which we cover in depth separately.
  • The US: no law bans cookie walls as such, but dark-pattern rules and non-discrimination provisions in state privacy laws make coercive consent flows risky in their own way.

This article focuses on the first category — hard walls — plus the country-by-country criteria that decide whether any wall survives review.

A cookie wall (or tracking wall) conditions access to a website or app on the visitor accepting non-essential cookies or similar tracking. In practice you see three flavors:

  1. Hard wall: "Accept all or leave." No alternative whatsoever.
  2. Wall with an alternative: typically "accept tracking or pay" — the pay-or-okay model.
  3. Soft wall: access is technically possible without consent, but the reject path is buried, degraded, or nagged into submission.

The legal question is the same for all three: did the visitor have a genuine, practical choice? Consent you can't defend is the same as no consent — which means every tracker behind it fires unlawfully.

Two rules stack in the EU. The ePrivacy Directive requires consent before storing or reading non-essential cookies on a device, and the GDPR defines what valid consent looks like: freely given, specific, informed, unambiguous. (Our ePrivacy explainer covers how these two interact.)

Cookie walls fail at "freely given." The EDPB's Guidelines 05/2020 — revised specifically to address this — state that access to services "must not be made conditional on the consent of a user" to cookies, and include a worked example of a script that blocks content until the visitor clicks "accept": not valid consent, because no genuine choice is presented. GDPR Article 7(4) backs this up: consent bundled into a take-it-or-leave-it condition is presumed not to be free.

In April 2024 the EDPB added Opinion 08/2024 on "consent or pay": for large online platforms, a binary choice between behavioral-ad tracking and a fee will in most cases fail the freely-given test. Broader consent-or-pay guidelines covering everyone else are still in progress — they appear in the EDPB's 2026–2027 work programme but had not been adopted as of mid-2026, so don't believe anyone selling you a settled rulebook.

So the EU-wide baseline is clear for hard walls: invalid. Where it gets interesting is what national regulators say about walls with an alternative.

France is the most instructive case, because the CNIL tried to ban cookie walls outright — and lost. In June 2020 the Conseil d'État (France's highest administrative court) struck down the blanket prohibition in the CNIL's guidelines, ruling that consent freedom must be assessed case by case, considering whether a "real and satisfactory alternative" exists when the user refuses.

The CNIL responded in May 2022 with evaluation criteria that remain its operating framework:

  1. A real and fair alternative must exist for visitors who refuse trackers — typically paid access. A wall with no alternative is presumptively invalid (the court carved out narrow exceptions, e.g. where equivalent content is freely available elsewhere).
  2. If the alternative is paid, the price must be reasonable. The CNIL sets no threshold but expects publishers to be able to justify the fee, and suggests options like per-article micro-payments.
  3. The wall must be limited to the purposes that actually fund the service — usually targeted advertising. Refusing unrelated purposes (content personalization, say) must not block access.
  4. Visitors who pay must actually escape tracking. Behind the paid door, only strictly necessary trackers are allowed; anything else needs separate consent.

France also shows what enforcement looks like when consent quality fails. In September 2025 the CNIL fined SHEIN's operating entity €150 million for placing ad cookies before any choice and continuing to track users who clicked "reject all," and fined Google a combined €325 million, partly for placing ad cookies during account creation without valid consent. Neither was a cookie-wall case per se, but both turned on the question a wall raises: was the consent real, and did the site honor it?

Country differences: Netherlands, Germany, Italy, Austria

The EU baseline is shared; the national positions are not. Here's the spread:

| Country | Regulator position on cookie walls | Practical status in 2026 |
| --- | --- | --- |
| Netherlands | AP: prohibited under the GDPR — sites must remain usable after refusal | Strictest in the EU; active banner enforcement since 2025 |
| France | CNIL: case-by-case, four criteria; hard walls presumptively invalid | Paid-alternative walls common among publishers, tolerated if criteria met |
| Germany | DSK: "pur" subscription models permissible under conditions | Pay-or-okay widespread; granularity and equivalence scrutinized |
| Italy | Garante: unlawful except case-by-case where an equivalent alternative exists | Cookie walls restricted; alternative must be genuinely equivalent |
| Austria | DSB/courts: pay-or-okay not banned in principle, but bundled all-or-nothing consent fails | derStandard model ruled unlawful; appeals likely headed to the CJEU |

Netherlands: the hardest no

The Autoriteit Persoonsgegevens has held since March 2019 that cookie walls violate the GDPR, and its current guidance hasn't softened: you must be able to use a website or app normally even if you refuse tracking cookies, and walls that deny access on refusal "are prohibited under the GDPR." The AP is also actively enforcing banners — it warned 50 organizations about misleading cookie banners in April 2025 and opened investigations into those that didn't fix them. If you have meaningful Dutch traffic, a cookie wall is the wrong fight to pick.

Germany: permitted, with homework

Germany's conference of data protection authorities (DSK) assessed publisher "Pur-Abo" models — accept tracking or buy a tracking-free subscription — in March 2023 and found them grundsätzlich zulässig: permissible in principle. The conditions are real, though: the paid option must offer essentially the same content, the price must be market-typical, consent on the free side must still meet full GDPR standards with granular per-purpose choices, and the paid tier must process only what's strictly necessary. German consent requirements for cookies themselves live in § 25 of the TDDDG (the renamed TTDSG). A hard wall with no alternative satisfies none of this.

Italy: unlawful, with a narrow exception

The Garante's June 2021 cookie guidelines deem cookie walls unlawful, except where the site offers an equivalent way in that doesn't require consent — assessed case by case. Italian banners must also offer a way to continue browsing without being tracked at all, which is structurally incompatible with a hard wall.

Austria: the test case to watch

Austria is where pay-or-okay is being stress-tested in court. The DSB didn't object to the model in principle, but found newspaper derStandard's implementation unlawful because the free track demanded one global yes-or-no to all processing purposes — no granularity. In 2025 the Federal Administrative Court (BVwG) confirmed that decision and allowed an appeal to the Supreme Administrative Court; most observers, including noyb (which brought the complaint), expect the question to reach the CJEU. Until it does, "legal in Austria" means "legal if your consent is granular, equivalent, and fairly priced" — a much higher bar than most implementations clear.

The UK: take-it-or-leave-it fails "in most cases"

The ICO's position maps closely to the EU's. Its January 2025 consent-or-pay guidance states that take-it-or-leave-it approaches — agree to personalized-advertising processing or get nothing — do not comply with freely-given consent in most cases, because consent must not be bundled as a condition of access. Consent-or-pay models can comply if they pass the ICO's four factors (power imbalance, appropriate fee, equivalence, privacy by design), documented in a DPIA. Note the guidance is under review following the Data (Use and Access) Act 2025, so check for updates before building anything around it.

No US state law prohibits conditioning access on cookies the way EU law does — the US model is generally notice and opt-out, not opt-in. But a cookie wall imported from a "what would Europe ban" mindset can still hurt you three ways:

  • Dark patterns invalidate consent. California's privacy agency put it memorably in its September 2024 enforcement advisory: "dark patterns aren't about intent, they're about effect." Choices must be symmetrical — the privacy-protective option can't be harder or slower than "accept."
  • Non-discrimination rules. Under the CCPA, you can't deny service or degrade quality because someone exercised a privacy right, unless the difference fits the financial-incentive framework with its own disclosure rules. A wall that punishes opt-outs walks straight into this.
  • Opt-out signals. California, Colorado, and a growing list of states require honoring Global Privacy Control. A wall that overrides a GPC signal with "accept to continue" is asking for an enforcement letter.

State-by-state details are in our US cookie banner requirements guide.

Supportive: at least the US gives you room to experiment with access models. Cynical: the room is exactly one dark-pattern complaint wide.

If you were considering a wall to lift consent rates, here's the lower-risk playbook:

  1. Don't gate access on consent in the EU/EEA, UK, or anywhere opt-in applies. Accept, reject, and manage — all reachable on the first layer, all one click.
  2. If you want a paid no-tracking tier, build it as consent-or-pay, not a hard wall — and run it through the CNIL criteria, the DSK conditions, and the ICO's four factors first. Details in the consent-or-pay deep dive.
  3. Make refusal symmetrical. Equal prominence, equal effort. This is the single most-enforced banner failure in both the EU and California.
  4. Verify behavior, not just UI. SHEIN's €150M fine wasn't about banner copy — trackers fired before consent and after refusal. Test that "reject" actually blocks scripts.
  5. Serve the right rules to the right visitors. A Dutch visitor and a Texas visitor shouldn't see the same logic. Geo-targeted banner behavior beats one-wall-fits-all.
  6. Keep consent records. Every regulator discussed above expects you to demonstrate valid consent, not just assert it.
  7. Improve the banner instead of weaponizing it. A clear, fast, well-designed banner recovers more consent than you'd expect — our banner UX checklist covers what actually moves the number.
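
Step 4 of the playbook as an added example (not part of the original article and not CookieChimp's code): a Node.js audit over a captured request timeline that flags tracker requests sent before any choice or after "reject". The tracker hosts, the event shape and the sample session are constructed assumptions; in practice the timeline would come from a browser capture of your own site.

```javascript
// Added example. Hosts, event shape and SAMPLE are constructed assumptions.
const TRACKER_HOSTS = ["ads.example", "pixel.example"];

function isTracker(url, trackerHosts) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return false; // unparseable URL in the capture: cannot classify, skip it
  }
  // Match the host or any subdomain, but not look-alikes such as "notads.example".
  return trackerHosts.some((h) => host === h || host.endsWith("." + h));
}

// events: { t, type: "request", url } or { t, type: "consent", choice: "accept" | "reject" }
function auditConsentTimeline(events, trackerHosts = TRACKER_HOSTS) {
  const ordered = [...events].sort((a, b) => a.t - b.t);
  let state = "none"; // latest recorded choice: none | accept | reject
  const violations = [];
  for (const ev of ordered) {
    if (ev.type === "consent") {
      state = ev.choice; // a later choice replaces an earlier one (withdrawal included)
    } else if (ev.type === "request" && isTracker(ev.url, trackerHosts)) {
      if (state === "none") {
        violations.push({ t: ev.t, url: ev.url, reason: "before-choice" });
      } else if (state === "reject") {
        violations.push({ t: ev.t, url: ev.url, reason: "after-reject" });
      }
    }
  }
  return violations;
}

// Constructed session (t in milliseconds since page load).
const SAMPLE = [
  { t: 0, type: "request", url: "https://shop.example/" },
  { t: 120, type: "request", url: "https://cdn.ads.example/tag.js" }, // before any choice
  { t: 900, type: "consent", choice: "reject" },
  { t: 950, type: "request", url: "https://pixel.example/c?e=view" }, // after reject
  { t: 960, type: "request", url: "https://notads.example/app.js" }, // look-alike host
  { t: 2000, type: "consent", choice: "accept" },
  { t: 2100, type: "request", url: "https://ads.example/bid" }, // allowed after accept
  { t: 3000, type: "consent", choice: "reject" }, // consent withdrawn
  { t: 3100, type: "request", url: "https://ads.example/sync" }, // after withdrawal
];

console.log(auditConsentTimeline(SAMPLE));
```

An empty result means no listed tracker host was contacted outside an "accept" state; it says nothing about hosts missing from the list, so keep the list in step with your cookie scan.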

Where CookieChimp fits

The reason cookie walls tempt people is that doing consent properly across jurisdictions sounds like a lot of engineering. It doesn't have to be. CookieChimp gives you geo-targeted banners (strict opt-in for the EU, opt-out and GPC support for US states), automatic cookie scanning so your disclosures stay accurate, script blocking that makes "reject" actually mean reject, and consent logs you can hand to a regulator. Simple yet powerful beats wall-shaped shortcuts — especially when the wall is illegal in half your markets. For the broader 2026 picture, see what changed in cookie consent laws this year.

FAQ

Are cookie walls illegal in the EU?

Hard cookie walls — no access unless you accept tracking, with no alternative — are effectively invalid across the EU because the consent they produce isn't freely given under the GDPR. Walls that offer a genuine alternative (usually paid access) are assessed case by case in France, Germany, Italy, and Austria, while the Netherlands rejects cookie walls outright.

Can I block users who refuse cookies in the US?

No US law bans it directly, but it's riskier than it looks. Coercive consent flows can qualify as dark patterns (which invalidate consent under California rules), and CCPA-style non-discrimination provisions limit degrading service for people who exercise privacy rights. You also still have to honor opt-out preference signals like GPC where required.

Is "consent or pay" the same as a cookie wall?

It's a subspecies: a cookie wall where the alternative is paying. Because an alternative exists, regulators analyze it differently — several (CNIL, the German DSK, the ICO) allow it under conditions like fair pricing and equivalent service. We cover the model and its pending court battles in our consent-or-pay article.

What's the penalty for using an unlawful cookie wall?

The wall itself is rarely the headline — invalid consent is. Once consent fails, every tracker behind it operates without a legal basis, which is how cookie cases reach nine figures (the CNIL's September 2025 fines against SHEIN and Google totaled €475 million). DPAs can also order banner changes under daily penalty payments.

Can a paywall without any tracking option be a cookie wall?

No. A pure paywall — pay or don't read, with no "accept tracking instead" track — is a commercial decision, not a consent mechanism, and cookie-consent rules don't prohibit charging for content. The legal issues start when tracking consent becomes the currency of access.

Do login walls count as cookie walls?

Not automatically. Requiring an account is fine; requiring consent to non-essential tracking as a condition of the account is the same freely-given-consent problem in a different outfit.

References

  1. EDPB, "Guidelines 05/2020 on consent under Regulation 2016/679": edpb.europa.eu
  2. EDPB, "Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms": edpb.europa.eu
  3. EDPB, "Work programme 2026–2027" (consent-or-pay guidelines in progress): edpb.europa.eu
  4. CNIL, "Cookie walls : la CNIL publie des premiers critères d'évaluation": cnil.fr
  5. CNIL, "Cookies placed without consent: SHEIN fined 150 million euros by the CNIL": cnil.fr
  6. CNIL, "Cookies and advertisements inserted between emails: GOOGLE fined 325 million euros by the CNIL": cnil.fr
  7. Autoriteit Persoonsgegevens, "Cookies" (cookie walls prohibited under the GDPR): autoriteitpersoonsgegevens.nl
  8. Datenschutzkonferenz (DSK), "Beschluss: Bewertung von Pur-Abo-Modellen auf Websites" (22 March 2023): datenschutzkonferenz-online.de
  9. Garante per la protezione dei dati personali, "Linee guida cookie e altri strumenti di tracciamento" (10 June 2021): garanteprivacy.it
  10. noyb, "Court decides 'Pay or Okay' on DerStandard.at is illegal": noyb.eu
  11. ICO, "Consent or pay — about this guidance" (23 January 2025): ico.org.uk
  12. California Privacy Protection Agency, "CPPA Issues Enforcement Advisory on Avoiding Dark Patterns" (4 September 2024): cppa.ca.gov


The content of this article is provided for information purposes only and does not constitute legal or other advice.