As of 2026, enforcement trends suggest regulators are not saying the model itself is illegal. They are focusing on how Pay-or-Consent is implemented and whether users have a real choice to accept or reject tracking without paying.
Data protection laws do not prohibit Pay-or-Consent business models. However, businesses applying these models must ensure people have the free choice to accept or reject personalized advertising.
European regulators and businesses, especially large Big Tech companies, have been arguing for the last few years whether the Consent or Pay model corresponds to the requirements of GDPR’s “freely given consent”. Businesses say it gives users a real choice: you either consent, either pay for the content. Regulators argue it turns privacy into a paid feature and, thus, the model doesn't allow users to provide valid and freely given consent.
The Pay-or-Consent model is under severe regulatory pressure by the European Data Protection Board (EDPB) and the EU Commission.
In April 2025, Apple and Meta were fined by the EU Commission with €500 million and €200 million respectively, for violating the Digital Markets Act (DMA) through their Pay-or-Consent model.
So, what is the situation in early 2026? Is the Pay-or-Consent business model legal in 2026?
What Is the Pay-or-Consent Model?
The Pay-or-Consent model (also called Pay or OK) is a website access model where users have two choices:
- They either consent to data tracking and profiling for personalized ads, or
- They must pay a subscription fee to access the site without tracking.
The Pay or Okay model was first introduced by websites to boost their consent rates. It is used by online platforms, media companies and common websites.
When users consent, businesses collect user data and use this data to show them personalized advertising, among other purposes. With Pay-or-Consent, almost everyone “consents” as the alternative is to sign up for a paid subscription. This model allows companies to earn more than with a typical Cookie Banner.
In 2023, Social media platforms like Facebook and Instagram also started using the Pay-or-Consent model.
However, internet users started to question whether consent under the Pay or Okay model actually shows a free choice.
European regulators were the first to investigate the Pay-or-Consent business approach.
What Regulators Say About Pay-or-Consent in 2026
As of 2026, enforcement trends suggest regulators are not saying the model itself is illegal. They are focusing on how Pay-or-Consent is implemented and whether users have a real choice to accept or reject tracking without paying.
The legal debate around Pay-or-Consent largely centers on one issue:
Does it meet the GDPR requirement for freely given consent?
On 17 April 2024, the EDPB issued a non-binding opinion stating that in most cases, Consent or Pay models do not constitute valid consent under GDPR.
In April 2025, the European Commission fined Apple and Meta with €500 million and €200 million respectively for violating the Digital Markets Act (DMA) with its Pay-or-Consent model, which forced EU users to either pay for an ad-free experience or consent to data tracking for personalized ads. The EDPB argues that the Pay-or-Consent model violates the GDPR principle of free consent.
This does not automatically mean that Pay-or-Consent is not valid.
The EDPB released guidance stating that Pay-or-Consent models are not automatically illegal.
But there are strict conditions for the model: websites must provide a real alternative to tracking and not press users into accepting cookies. The paid option is not a valid alternative for tracking since, in most cases, paid membership is expensive and unrealistic, forcing users to accept tracking.
The EDPB emphasized that consent must be:
- freely given
- specific
- informed
- unambiguous.
If users are forced into accepting tracking to access basic content, such consent may not be valid.
Several national regulators in the EU have also addressed the Pay-or-Consent model. The Dutch Data Protection Authority, the French Data Protection Authority, and the Austrian Data Protection Authority say that:
Pay-or-Consent may be valid in some cases if certain conditions are met: users should have a genuine choice to accept or reject cookies without paying.
If the implementation of Pay-or-Consent allows users to select a genuine, pressure-free choice for transparent tracking, offers fair pricing, and has no manipulative design, the model may pass regulatory scrutiny.
Not sure if your website uses cookies? Scan your website for free and see what cookies, including Third-Party Cookies, your website uses:
Is Pay-or-Consent Legal Under GDPR?
The General Data Protection Regulation (GDPR) does not explicitly mention Pay or Consent models. The Pay or Consent model is permitted if its implementation complies with GDPR consent requirements.
Pay-or-Consent models could be considered legal under GDPR if they include:
- A realistic paid alternative The paid version must be reasonably priced. If the cost is too high, regulators may argue that users have no real choice and are therefore forced to accept tracking.
- Clear transparency Users must understand what they are consenting to. Users must know that they are consenting to tracking, ad personalization, profiling, and data sharing.
- No deceptive design Websites and apps must avoid dark patterns that push users to accept tracking.
Pay-or-Consent models violate GDPR when:
- The paid option is unreasonably expensive.
- Users cannot access the site unless they consent.
- Interfaces push users toward “Accept” and tracking.
Read the GDPR compliance checklist:
Pay-or-Consent vs Traditional Cookie Consent
Regulators investigate whether a model provides a real, pressure-free choice to accept or reject tracking. If users can freely make a choice, websites and apps will comply with data privacy laws. If not- they will violate regulations independently on whether a website or app uses a Pay-or-Consent model or a traditional Cookie Consent model.
Even if traditional Cookie Consent and Pay-or-Consent ask for consent, they are two completely different models.
Traditional consent banners usually offer these options:
- Accept all cookies
- Reject non-essential cookies
- Customize settings.
This approach focuses purely on user consent management; access to the website remains available regardless of choice.
The Pay-or-Consent model combines consent rates and ad revenue.
Users have these options:
- Allowing tracking for (often aggressive) targeted advertising, or
- Paying for content access.
The main purpose of Pay-or-Consent is not consent management or respect for user privacy. It concentrates on increasing consent rates and ad revenue.
However, data privacy laws apply to both models. Businesses must respect user choice regarding personal data management.
Should Your Website Use a Pay-or-Consent Model?
It depends on the business type and your audience.
If most of your website visitors are new, a paywall-style option could drive them away. Users don’t want to pay for content on an unknown website.
Pay-or-consent works best when:
- Websites rely on permanent users.
- Users value the content of the website.
- Advertising revenue is significant.
- Websites set reasonable subscription pricing.
However, the Pay-or-consent model maintains regulatory risk.
Even though data privacy laws do not ban it outright, implementation can be complicated. Even the same implementation could be perceived differently by different regulators. Companies operating across multiple EU countries should be especially cautious.
Mistakes could be costly. For example, violation of the GDPR principles could lead to fines up to 4% of the company’s global annual turnover.
Thus, you must calculate whether increased traffic and revenue weights out potential risk for non-compliance.
How CMPs Support Pay-or-Consent Compliance
If you’re considering a pay-or-consent approach, a Consent Management Platform (CMP) becomes essential.
CookieScript CMP is one of the best CMPs on the market, valued by users. In 2025, CookieScript received its fourth consecutive badge in a row as the leader on G2, a peer review site, and became the best CMP on the market for a whole year!
CookieScript CMP offers the following cookie compliance solution:
- Transparent consent interfaces
CookieScript CMP allows websites to create a Cookie Banner with clear information about cookie categories, tracking purposes, and advertising partners. This transparency helps websites to obtain valid user consent. - Consent recording
CookieScript CMP logs consent signals, user preferences, and timestamped records, which are essential for demonstrating GDPR compliance. - Automatic blocking of third-party scripts
Analytics, ads, and other tracking tools are blocked until valid consent is collected, preventing unlawful data collection before consent. - Privacy Policy and Cookie Policy Generator
Keeps public disclosures aligned with actual cookie scans and vendor activity, ensuring transparency as sites evolve. - Integration with Google Consent Mode v2 and IAB TCF 2.2
Ensures ad and analytics tags automatically adjust to each user’s consent preferences. - Automated scans and reports
Performs regular cookie scanning to detect new scripts or vendors and track consent rates over time, helping teams stay ahead of compliance changes. - Compliance across jurisdictions
Different countries interpret consent requirements slightly differently. Geo-targeting adapts banners to local privacy laws, covering GDPR in the EU, CCPA in California, LGPD in Brazil, and more. - Multilingual support
CookieScript CMP automatically detects the language of a website and presents the banner, cookie report, Privacy Policy, and Cookie Policy in the language used by the user. - Shared and self-hosted options
Allows organizations or agencies to manage multiple sites from a single setup while maintaining full control over data and performance.
Frequently Asked Questions
What is the Pay-or-Consent model?
The Pay or Consent model, also called Pay or OK, is a website access model in which users have two choices: either consent to data tracking and profiling for personalized ads, or pay a subscription fee to access the site without tracking. If you’re considering a pay-or-consent approach, a CMP like CookieScript becomes essential.
Is Pay-or-Consent legal under GDPR?
GDPR does not explicitly mention Pay or Consent models. The Pay or Consent model is allowed if its implementation satisfies GDPR consent requirements for transparent tracking, offers fair pricing, and has no manipulative design. A Consent Management Platform (CMP) like CookieScript is essential when using Pay-or-Consent.
Is the Pay-or-Consent model legal in 2026?
Data privacy laws do not ban Pay-or-Consent throughout. Regulators are focusing on how Pay-or-Consent is implemented and whether users have a real choice to select a genuine, pressure-free choice for transparent tracking, the website offers fair pricing and has no manipulative design. A Consent Management Platform (CMP) like CookieScript is essential when using Pay-or-Consent.
When should I use the Pay-or-Consent model instead of traditional Cookie Consent model?
Pay-or-consent works best when websites rely on permanent users, users value the website’s content, advertising revenue is significant, and websites set reasonable subscription pricing. However, the Pay-or-Consent model maintains regulatory risk. Use CookieScript CMP to manage Cookie Consent with Pay-or-Consent.