Over the past few months, we’ve seen a renewed interest in paywalls and cookie walls. What does it mean for organizations and professionals today? Are paywalls legal under the GDPR? Why this sudden spike around the topic?


In 2020, the French DPA (Data Protection Authority), the CNIL, issued guidelines and recommendations regarding the use of cookies and other tracking technologies. One of the notable positions taken by the CNIL at that time was related to "cookie walls."


The CNIL initially suggested that the use of cookie walls could be considered non-compliant with the General Data Protection Regulation (GDPR), arguing that consent obtained under such conditions might not be considered as freely given.


However, later in 2020, CNIL published its final recommendations on cookies and other tracking devices, offering a more nuanced view on cookie walls. The DPA stated that while they do not outright ban the use of cookie walls, the legality of a cookie wall would depend on a case-by-case analysis.


Since then, in 2022, the CNIL has updated guidelines about cookie walls, essentially stating that the legality of this content monetization model should be taken case by case, with a few essential things to remember:


  1. The user should be presented with a fair alternative for accessing the content if they refuse to accept cookies

  2. If the alternative is to pay, the price should be reasonable 

  3. The publisher must demonstrate that the cookie wall is limited to purposes that allow fair remuneration of the service offered.


Since then, other DPAs have emerged with similar rulings. Most notably, Spain’s AEPD recently issued guidelines surrounding paywalls and other updates for organizations handling Spanish consumers' personal data.


However, this local “rush” surrounding the question of paywalls is largely inconsequential in the grand scheme of things, as it will be heavily dependent on the issue of the case against Meta over the organization’s “Pay or Okay” subscription model in Europe.


Meta introduced a new subscription model in 2023, allowing users to opt out of targeted advertising on their Facebook and Instagram apps by paying a monthly fee. The model was almost immediately contested by the advocacy group NOYB, which coined the term “Pay or Okay” and argued that only a small portion of users desire tracking and that ​​charging a “privacy fee” could lead to widespread adoption of the same model by competitors if Meta is not held accountable.


Based on our knowledge of the European Court of Justice timeline (NOYB’s previous case against Meta regarding the platform’s legal basis for ads was filed in 2018 and is still in appeal), we are unlikely to have a clear answer anytime soon. However, the first decision from the European Court of Justice on this specific case will deeply impact the interpretation of the legality of paywalls and cookie walls across Europe.


The bottom line

Ultimately, and while the latest developments surrounding paywalls and cookie walls should be taken seriously, it is unlikely that we will see enforcement from DPAs on this question before the initial European Court of Justice ruling. It will all boil down to the Meta case, whether the company is validated in its subscription model, and under which terms.


The Meta case has become a focal point in the ongoing debate about privacy protections and the economic models of online services. While it's tempting to draw broad conclusions from this case, it's crucial to remember that Meta's situation is not entirely representative of the entire publishing industry.


In fact, smaller publishers, who rely heavily on advertising revenue to operate, could face significant challenges if the European Court of Justice (ECJ) rules against Meta.


This underscores the need for a nuanced approach to privacy regulations that considers the diverse landscape of publishers and ensures that smaller players are not disproportionately impacted.