The Price of Privacy: How Paywalled Cookie Banners are Redefining Digital Revenue Streams

Since the GDPR came into being, we've all become familiar with cookie banners on our favourite websites. They allow us to customise the amount and type of data we feel comfortable sharing before using a site. Recently a number of major European publishers have rolled out some very interesting changes to better monetise people who don't want to share their data. Now users who don't want to share their data are being asked to pay a subscription instead to get access. This "Pay or OK" model is an attempt to offset the lower revenue publishers get when advertisers can't access user data.

Is this a legal move under the GDPR - blocking access unless data is shared or a subscription bought? Is it a better deal for privacy-conscious users who want to see their favourite ad-supported sites survive? And what price are these publishers putting on the privacy of their users?

Introduction

Consent Management Platforms (CMPs), or "cookie banners", have become a common feature of websites throughout Europe and beyond in recent years. These CMPs allow users to accept all cookies a website wishes to use, reject them all, or fine-tune their consent to allow only some cookies. Cookies are used for things like remembering logins to sites, but can also be used for building a profile, which can be sold to advertisers.

A typical consent management pop-up

For many ad-supported online publications, users refusing to consent to cookies used for personalised advertising can lead to a significant drop in ad revenue. Depending on the site niche and userbase, personalised ads can deliver in the region of 50% more revenue than the non-personalised kind. The legislation which led to the creation of these CMPs states that it's not legal to outright block someone who says "no" to their data being shared, so what can publishers do to try to fill this revenue gap when they see users declining consent? A number of large European publications have begun changing their CMPs in an effort to plug this gap. Rather than the traditional "Accept" and "Reject" buttons, the options on these sites are now closer to "Accept" and "Reject tracking by paying a small fee". The "Reject" option is modified to ask users to make up the difference in lost revenue by paying a small amount to gain access.

Pay to continue without tracking cookies - bild.de example

It's an interesting approach from publishers struggling in a cut-throat market, but is it legal? In April 2024, the European Data Protection Board (EDPB) issued a revised ruling on Meta's "Pay or Okay" model, which has significant implications for large online platforms and potentially for media publishers in the future.

Where did the cookie banners come from?

Cookie banners come from two pieces of European legislation:

  • ePrivacy Directive: This directive deals specifically with privacy in electronic communications. It introduced specific requirements for obtaining user consent for storing and accessing information on a user's device, including the use of cookies.
  • General Data Protection Regulation (GDPR): This is a comprehensive data protection law which significantly strengthened the rules on personal data and privacy in the EU, including stricter requirements for consent. Under GDPR, consent must be clear, informed, freely given, specific, and unambiguous, which further influenced the design and functionality of cookie banners to ensure compliance.

Between them, these pieces of legislation mandate that consent should be both informed and "freely given". Informed consent means that it's clear to a user what they're agreeing to. "Freely given" means that they're not forced into giving consent by the threat of losing access to the underlying service. This means that publishers can't block access to the site based solely on the non-acceptance of non-essential cookies - known as a "cookiewall".

Problems for publishers?

The challenge many publishers face is that they are largely ad-supported. Display ads tend to pay much better when they act on more data for targeting ads. Unfortunately this typically involves sharing data with a huge network of potential advertisers, ad networks, and middlemen in the technical stacks involved. Many users would prefer this data not be shared - products from that one accidental click on Amazon following you around via ads on other sites can be an unsettling experience!

This leads to a scenario where a number of users will reject consent for cookies. Publishers have a choice between adapting their site code to show less lucrative ads, or in some cases a simpler technical choice of showing no ads at all - neither of which is great for the continued financial well-being of the publisher.

The revenue struggles here have led a number of publishers to attempt to skirt the legislation, by making the "Reject" option hard to find, or confusingly labelled. The various Data Protection Commissioners (DPCs) around Europe have reiterated that consent should be prominent and as easily given as withheld. These publishers largely make the bet that it's best to stay alive via the increased revenue from personalised ads and deal with a potential DPC investigation if and when that happens.

New Developments: The Paywall Approach

In response, publishers in countries like Spain and Germany have introduced a novel concept, linking a paywall to the "reject" option. On websites such as elpais.es and bild.de users are presented with a stark choice: accept cookies or pay a small fee to access content. This fee works like a paywall, giving access to a version of the site without tracking cookies, or in many cases, any display ads at all. This model, while controversial, has opened up a potentially valuable new revenue stream for publishers. Alberto Martín, a PM with Axel Springer in Spain, has written a great thread which goes into the choices made in the Spanish market in particular.

El Pais "Pay and Reject Cookies" option

Online news publishers aren't the first to try this move in Europe - it's a similar approach to the model taken by Facebook, who now charge EU users for ad-free access to Instagram and Facebook.

This increased revenue is potentially good news for publishers. But is it strictly legal? Does it count as a restriction in access for users who don't consent?

In April 2024, the EDPB issued an opinion on Meta's "Pay or Okay" model, which has significant implications for this approach. The EDPB requires large online platforms to offer users:

  • A paid subscription.
  • A free account with targeted advertising.
  • A free account without targeted advertising, with ads that do not use personal data.

This ruling highlights the need for a genuine choice, ensuring that consent is "freely given" and not forced by lack of alternatives.

Legal Perspectives and Varied Responses

This approach seems to tread a fine line legally, particularly concerning the GDPR's principle of 'freely given' consent. In Spain, the AEPD has tentatively approved this model under specific conditions.

There may be certain cases in which the non-acceptance of the use of cookies prevents access to the website or the full or partial use of the service, provided that the user is adequately informed and an alternative, not necessarily free, is offered for accessing the service without accepting the use of cookies.

The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice. The definition of "modest and fair" is not laid out, but is consistent with what the Spanish authorities have said.

This means that publishers are not obliged to support more costly, cookie-free users at no additional charge, but by the same token have to be reasonable in the alternatives they offer. "Reject all cookies for €1m per month" would be a pretty unreasonable alternative to cookie acceptance. Well, maybe not if you're running a lifestyle magazine for billionaires, but for most of us, that level of pricing would certainly not pass the sniff test!

While the authorities listed above have been broadly supportive in theory, in Germany there has already been an explicit ruling against this type of implementation:

The LfD found that the consent banner used on heise.de in July 2021 did not provide granular consent options. Instead, users were asked to provide blanket consent by clicking the “Accept” button. In this case, blanket consent refers to a situation where users provide a general consent that encompasses all purposes without being able to make individual choices for each specific purpose.

A key note in this decision is that the publishers presented only "Accept" or "Reject and pay"-type options. The German authorities found fault with the way the options were presented. There was a lack of a middle-ground option, to give fine-grained consent - accepting some cookies and refusing others.

From the excellent write-up at Iubenda.com:

The key takeaway from the DSB’s decision is that if a “pay or okay” system is used, users should have the option to give granular consent instead of just a general one. It’s important to note that the DSB reached this decision specifically because users were only given a choice between paying or allowing all their data to be processed without the option for more granular consent.

A number of other European DPCs have remained silent to date, highlighting the challenge of ensuring consistent compliance across the whole region.

The EDPB's recent opinion on Meta's "Pay or Okay" model adds another layer to this complex landscape. The EDPB emphasises that large online platforms must provide an "equivalent alternative" without behavioural advertising, ensuring a choice that does not involve payment or extensive data processing. This ruling specifically addresses the impact of social media on participation in social and professional life, arguing that the absence of a free, non-targeted advertising option undermines the concept of freely given consent.

For media publishers, this opinion is not yet legally binding but sets a significant precedent. While the EDPB's ruling currently targets large online platforms, it could influence future regulations for media publishers, prompting them to reconsider their "pay or okay" models.

Future Implications

As we can see from the guidance above, publishers need to be careful about how these approaches are worded, presented, and implemented. A variety of opinions from different Data Protection authorities means it's important for publishers to stay on top of the prevailing winds within the legislative ecosystem. This is certainly an area that will be easier for larger publishers to navigate, given the superior resources they'll have to hand.

The recent EDPB opinion on Meta's "Pay or Okay" model underscores the importance of offering genuine alternatives for users, ensuring that consent is truly "freely given." While this opinion directly targets large online platforms, it sets a potential precedent for media publishers, who may need to adapt their models to comply with evolving interpretations of GDPR.

Integration of a paywall into user consent choices raises critical questions about the future of online advertising and the extent to which user privacy can be traded for content access. Will this lead to a more privacy-conscious internet, or create a divide between those who can pay for privacy and those who cannot? As publishers and users continually adapt to an ever-changing digital landscape, it's important that a balance be struck between respecting the privacy of users, and giving publications a viable path to monetise their content.

