Cookie Walls Are Illegal Under GDPR: Here's What to Do Instead

What Is a Cookie Wall?

A cookie wall (also called a "tracking wall") is when a website blocks access to its content unless the visitor accepts all cookies. You've seen them: a full-screen overlay saying "Accept cookies to continue" with no way to decline and still use the site.

It feels like a reasonable approach — your site, your rules. But under GDPR, it's explicitly illegal.

Why Cookie Walls Violate GDPR

The GDPR requires that consent be "freely given." The European Data Protection Board (EDPB) has issued clear guidance in their Guidelines 05/2020:

"Access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)."

The logic is simple: if refusing cookies means losing access to the website, the user has no real choice. Consent given under such pressure is not freely given, and therefore not valid.

Key Rulings

• Austrian DPA (2021) — Fined a media company for using cookie walls that forced users to accept tracking or pay a subscription.
• French CNIL (2022) — Ruled that "accept or leave" cookie walls do not constitute valid consent, even when an alternative (like a paid subscription) is offered.
• Dutch DPA (2023) — Issued enforcement guidance specifically stating that cookie walls are non-compliant.

The "Pay or Accept" Model

Some publishers have tried a variation: "Accept cookies for free, or pay a subscription to browse cookie-free." This is often called the "pay or consent" model.

The legality of this approach is contested. The CNIL has expressed scepticism, while some other DPAs have not explicitly banned it if the paid alternative is "reasonable." However, the trend is clearly against it, and relying on this model is risky.

What to Do Instead

The compliant alternative is straightforward:

1. Show an informative banner that explains what cookies you use and why
2. Offer genuine choice — Accept All, Reject All, and granular category options, all equally accessible
3. Allow full site access regardless of choice — if the user rejects all non-essential cookies, the site works normally with only necessary cookies
4. Block non-essential scripts until consent — this is the technical part that LegalBanner handles automatically

Won't Reject Rates Kill My Analytics?

This is the fear that drives cookie walls. And yes, when you give users a genuine choice, some will reject tracking. Typical consent rates with a well-designed banner are 65–80% acceptance.

But consider: the data you collect from consenting users is higher quality, legally valid, and regulatorily safe. Data collected through cookie walls is tainted consent — a regulator can invalidate it retroactively, along with everything built on top of it.

With Google Consent Mode v2, you also get modelled conversion data from non-consenting users, which fills most of the gap for advertising purposes.

How LegalBanner Helps

LegalBanner never uses cookie walls. The banner always offers Accept, Reject, and granular settings with equal prominence. Scripts are blocked until consent is given, and the site functions fully regardless of the user's choice. This is GDPR compliance by design.