Cookie Wall: Legal or Not in France in 2026?

The cookie wall — conditioning access to a site on accepting cookies — is one of the most debated topics in European digital law. Legal? Illegal? The answer, in 2026, is: it depends. And the conditions are strict.

This guide traces the legal history of the cookie wall in France, details the criteria set by CNIL (French data protection authority) and the EDPB, analyzes sanctioned practices and proposes compliant alternatives for website publishers.

What is a cookie wall?

A cookie wall is a mechanism that blocks access to a website’s content if the user refuses non-essential cookies. In practice: the banner appears, the user clicks “Refuse all”, and instead of accessing the site, they are faced with a blocking screen.

The cookie wall raises a fundamental question: is consent truly “free” when the alternative is not accessing the service? This question has been at the heart of the legal debate for several years, and the answer varies by jurisdiction, service type and alternatives offered.

The cookie wall differs from a simple “banner wall” (a banner displayed as an overlay but leaving the content accessible in the background) and a “paywall” (which conditions content access on payment). In practice, these mechanisms are often combined: the “Pay or Okay” model offers the user a choice between accepting cookies or paying for a subscription.

Legal history: from prohibition to regulation

2019: CNIL (French data protection authority) prohibits cookie walls

In its first cookie guidelines (deliberation No. 2019-093 of July 4, 2019), CNIL (French data protection authority) had established a blanket prohibition. Access to a site was not to be conditioned on cookie acceptance, as this invalidated the “free” nature of consent under the GDPR.

CNIL (French data protection authority)‘s reasoning was logical: if the user has no choice but to accept cookies to access the service, their consent is not truly free. It is constrained by the need to access the content. This position relied on Recital 42 of the GDPR which states that consent should not be considered freely given if the individual is unable to refuse without detriment.

June 19, 2020: the Council of State partially annuls

Professional associations — notably online press unions dependent on advertising revenue — challenged this position before the Council of State. In its decision of June 19, 2020 (No. 434684), France’s highest administrative court partially annulled CNIL (French data protection authority)‘s guidelines.

The Council of State ruled that CNIL (French data protection authority) could not prohibit cookie walls in a general and absolute manner in a soft law instrument. Such a blanket prohibition exceeded what CNIL (French data protection authority) was authorized to do within the framework of its guidelines. The Council of State’s argument rested on the fact that a total cookie wall ban constituted a new rule that should have gone through the legislative or regulatory route.

The Council of State nevertheless confirmed that cookie wall legality must be assessed on a case-by-case basis, taking into account in particular the existence of real and satisfactory alternatives offered to the user in case of tracker refusal. This decision paved the way for regulation rather than prohibition.

September 17, 2020: CNIL (French data protection authority) reformulates

In its revised guidelines and recommendation of September 17, 2020, CNIL (French data protection authority) took note of the Council of State decision. It no longer prohibits cookie walls absolutely, but reminds that their legality must be evaluated in light of consent freedom. CNIL (French data protection authority) indicates that cookie wall practice “is likely to undermine, in certain cases, consent freedom”.

This cautious formulation reflects the delicate balance between protecting user privacy and publishers’ economic freedom, particularly those who depend on advertising revenue to fund their activity.

May 16, 2022: CNIL (French data protection authority) publishes its criteria

Facing numerous complaints and questions from professionals, CNIL (French data protection authority) published its first cookie wall evaluation criteria on May 16, 2022. This document is the reference text in 2026 for assessing cookie wall legality. It constitutes a concrete analysis framework that publishers can use to evaluate their own practice.

Legality criteria set by CNIL (French data protection authority)

CNIL (French data protection authority) does not say cookie walls are legal. It says they can be, if certain conditions are met. Here are the key criteria, detailed with their practical implications.

1. The equivalent alternative

This is the central and most determinative criterion. The user who refuses cookies must have access to a real and satisfactory alternative. CNIL (French data protection authority) accepts that this alternative may take the form of payment (the “paywall” or “pay-or-okay”): the user chooses between accepting cookies or paying for content access without tracking.

But the alternative must be genuine. A paywall whose price would be dissuasive does not constitute a real alternative — it would amount to a disguised cookie wall. Similarly, a free version so degraded that it is unusable does not constitute a satisfactory alternative.

CNIL (French data protection authority) insists that the alternative must not be merely theoretical. It must be effectively accessible, clearly presented and functionally equivalent. A link to a paid offer hidden at the bottom of the page does not meet this requirement.

2. Reasonable pricing

CNIL (French data protection authority) has not set a numerical threshold beyond which a price would be unreasonable. It requires a case-by-case analysis. The criterion is proportionality: the price must be reasonable given the service offered, the consumption habits of the target audience and the publisher’s business model.

Concretely, for an online press site, a monthly subscription of a few euros (2 to 5 euros) for access without advertising cookies can be considered reasonable. A 50 euro per month subscription to access a generalist blog probably would not be.

CNIL (French data protection authority) suggests that the alternative need not necessarily take the form of a monthly subscription. Micropayments per article, prepaid virtual wallets, daily access at reduced rates or weekly passes could constitute acceptable and more accessible alternatives. The idea is to offer a range of options that allows the user not to be locked into a binary choice of “accept all cookies or pay an annual subscription.”

3. No discrimination in access

The user who pays must have access at least equivalent to the one who accepts cookies. No degraded version, no restricted content, no removed features. If an article is accessible for free with cookies, it must be accessible in the same way with payment.

This criterion has technical implications: the site must work perfectly without any non-essential cookie. Features that depend on third-party cookies (personalized recommendations, social sharing buttons, comments via third-party platforms) must be replaced by alternatives or simply absent — but the main content must remain fully accessible.

4. Transparency

The publisher must clearly inform the user of the nature of the choice: which cookies will be placed, for what purposes, which third parties will have access, and what alternative is offered. CNIL (French data protection authority) encourages publishers to publish their analysis of the pricing proportionality — a transparency approach that strengthens the cookie wall’s legitimacy.

Information must be accessible from the first banner screen, not buried in terms and conditions. The user must immediately understand the terms of the choice offered, without having to click multiple links or read pages of legal text.

5. No cookie wall on essential services

CNIL (French data protection authority) reminds that for public services or services where the user has no reasonable alternative (de facto monopolies, essential services), the cookie wall is much harder to justify. Consent is not free when there is no real choice.

This criterion is particularly relevant for:

• Public services (government websites, state online services, local authorities): the user has no alternative for completing administrative procedures.
• De facto monopolies: a service without real competition cannot impose a cookie wall, as the user has no other option.
• Universal-purpose services: online education, health, access to general interest information — the cookie wall raises major ethical issues on these services.

The EDPB (European Data Protection Board) position

The European Data Protection Board (EDPB) has a historically stricter position than CNIL (French data protection authority) on cookie walls. This divergence is important for publishers operating at the European level.

The general principle: against cookie walls

In its consent guidelines (05/2020), the EDPB states that “access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls).”

This position is more categorical than CNIL (French data protection authority)‘s post-Council of State decision. The EDPB considers in principle that cookie walls invalidate the free nature of consent, without the nuance brought by the French Council of State on case-by-case assessment.

The Cookie Banner task force

The EDPB coordinated a cookie banner task force, whose conclusions were adopted in January 2023. The vast majority of participating authorities consider that the absence of any refusal option at the same level as acceptance constitutes a violation. CNIL (French data protection authority) co-led these works with the Austrian authority.

The task force conclusions cover a wide range of practices: the absence of a refusal button on the first screen, manipulative designs, misleading cookie categories, and failure to effectively respect user choices. These conclusions, while not legally binding in themselves, constitute a strong reference for harmonized European law interpretation.

The “Pay or Okay” opinion

In 2024, at the request of the data protection authorities of Norway, the Netherlands and Hamburg, the EDPB issued an opinion on “Pay or Okay” models used by large platforms. This opinion followed Meta’s decision to impose a paid subscription on European users who refuse targeted advertising.

The EDPB insists on the need to offer users alternatives that genuinely preserve their privacy, and recommends that data controllers consider an “equivalent” alternative requiring no payment — for example, a version with less intrusive advertising, without behavioral advertising but with contextual advertising.

This recommendation of a “third way” (neither cookies nor payment) goes beyond what CNIL (French data protection authority) currently requires. It suggests that the binary “accept or pay” model may not suffice to guarantee consent freedom, and that an intermediate privacy-preserving option should be offered.

What this means in practice

The EDPB position is more constraining than CNIL (French data protection authority)‘s. A cookie wall with paywall might be tolerated by CNIL (French data protection authority) but questioned by the EDPB. Publishers operating at the European level must consider both readings. In case of a cross-border complaint, the GDPR consistency mechanism applies, and the EDPB opinion carries significant weight.

Sanctioned practices

Conde Nast / Vanity Fair: the cookie wall that did not respect refusal

In November 2025, CNIL (French data protection authority) sanctioned Publications Conde Nast with 750,000 euros. Beyond the cookie wall itself, CNIL (French data protection authority) found that even when the user refused cookies, trackers were still placed and read. The failure to effectively respect the user’s choice is the most serious point.

This case illustrates a frequent problem: the publisher sets up a consent mechanism as a facade, but the underlying technical architecture does not actually respect choices. Third-party scripts continue to execute, cookies continue to be placed, and consent is merely a formality with no effect. This is precisely the type of discrepancy that CNIL (French data protection authority) detects during its network inspections.

Google and Facebook: symmetry violated

In January 2022, Google (150 million euros) and Facebook (60 million euros) were sanctioned because refusing cookies required multiple clicks while a single one sufficed to accept. This was not a cookie wall strictly speaking, but the mechanism produced the same result: discouraging the user from refusing.

CNIL (French data protection authority)‘s reasoning is illuminating: when the choice architecture is designed to make refusal significantly harder than acceptance, the effect is equivalent to a cookie wall. The user, through fatigue or incomprehension, ends up accepting. The consent thus obtained is neither free nor unambiguous.

December 2024 formal notices

CNIL (French data protection authority) issued formal notices to several publishers for dark patterns in their banners. Among the targeted practices: banners where the only visible choice was “Accept”, with a nearly invisible refusal link. When the only way to continue browsing is to accept — because refusal is too hard to find — this constitutes a form of implicit cookie wall.

These formal notices show that CNIL (French data protection authority) does not limit its analysis to explicit cookie walls (blocking screen). It also sanctions disguised cookie walls: mechanisms that, without formally blocking access, make refusal so difficult that it becomes practically impossible.

Practical implications for publishers

If you are a media or content site

The “Pay or Okay” model is today the most widespread in French and European online press. It can be compliant, provided the price is reasonable and access is equivalent. Micropayments and per-article access are avenues to explore to maintain proportionality.

Major press groups (Le Monde, Le Figaro, Les Echos) already use this model with subscription rates of a few euros per month. For smaller media, per-article micropayment solutions or daily passes can offer a more accessible alternative to their readers.

However, note: the EDPB recommendation to consider a “third way” (contextual advertising without tracking) could become a requirement in the medium term. Publishers have an interest in anticipating this evolution.

If you are an e-commerce site

A cookie wall on an e-commerce site is very difficult to justify. The user comes to buy a product, not consume editorial content. Blocking access to product pages upon cookie refusal poses an obvious proportionality problem.

The solution for e-commerce sites is to respect the user’s choice and adapt their marketing strategy accordingly: audience measurement with a consent-exempt tool, contextual rather than behavioral advertising, and full respect for cookie refusal.

If you are a SaaS service

For a software service, the cookie wall is almost always disproportionate. The user already pays a subscription to access the service. Imposing advertising cookie acceptance on top of that is not justifiable. Consent would not be free because the user depends on the service for their professional activity.

If you are a public service

The cookie wall is incompatible with the public service mission. The user has no alternative: they must access the service to complete their administrative procedures. Consent cannot be free under these conditions. This is the clearest case: any cookie wall on a public service is contrary to the GDPR.

The right approach: consent without constraint

Rather than trying to force consent through a cookie wall, invest in a respectful and compliant consent collection process. The numbers show that honest banners, with a real “Refuse all” button at the same level as “Accept all”, achieve lower consent rates, but higher quality consent — and zero risk of sanction.

A freely given consent has more value than an extorted one. Data collected with informed consent is more reliable, advertising profiles more relevant, and the trust relationship with the user is preserved. This is an argument that advertisers are beginning to factor in: data quality trumps data quantity.

At DPLIANCE, we believe consent is not an obstacle to circumvent. It is a commitment to honor. Cookilio was designed with this conviction:

• Zero dark patterns: multi-step banner (wizard) with perfect symmetry between acceptance and refusal
• Zero scripts before consent: real technical blocking, not cosmetic — verifiable by network inspection
• Server-side proof: each choice is recorded with a unique correlation ID, server-side, with timestamp and purpose detail
• Self-hosting: consent data stays on your own servers — total sovereignty

Respecting the user’s choice is not a handicap. It is a competitive advantage.

Discover Cookilio — starting at EUR 9 excl. tax/month.

FAQ

Is a cookie wall legal in France?

Not prohibited per se, but subject to strict conditions. The Council of State ruled on June 19, 2020 that CNIL (French data protection authority) could not prohibit them generally. CNIL (French data protection authority) published evaluation criteria on May 16, 2022: mandatory equivalent alternative (paywall at reasonable price, for example), no discrimination in access, total transparency. In practice, cookie wall compliance is assessed on a case-by-case basis, depending on the type of service, target audience and alternatives offered.

Is the “Pay or Okay” model GDPR compliant?

The EDPB and CNIL (French data protection authority) accept it under conditions. The price must be reasonable and proportional to the service. Access must be equivalent whether cookies are accepted or payment is made. The EDPB further recommends that a non-payment alternative be considered, such as a version with contextual (non-behavioral) advertising. Large platforms are closely scrutinized on this topic — the evolution of European case law is worth monitoring closely.

Can I block access to my site if the user refuses cookies?

It is risky. If you do not offer a real and satisfactory alternative, consent is not free and therefore invalid under the GDPR. CNIL (French data protection authority) could consider that you violate Article 82 of the French Data Protection Act. Public services and sites without alternatives (de facto monopolies) can under no circumstances use cookie walls. For other sites, case-by-case analysis is mandatory.

What price is “reasonable” for an alternative paywall?

CNIL (French data protection authority) has not set a fixed amount. It requires case-by-case analysis depending on the service offered, the audience’s consumption habits and the publisher’s business model. A monthly subscription of a few euros for a news media can be considered reasonable. A 50 euro per month rate to access a blog probably not. Per-article micropayments or daily passes are alternatives to explore to improve proportionality.

How does the EDPB view cookie walls?

The EDPB has a historically stricter position than CNIL (French data protection authority). It considers in principle that service access should not be conditioned on cookie consent. Its 2024 opinion on “Pay or Okay” models insists on the need to offer alternatives that genuinely preserve privacy, beyond the simple binary “accept or pay” choice. The recommendation of a “third way” (contextual advertising without tracking) could become a standard in the medium term.

Is a cookie wall compatible with TCF 2.2?

The IAB Europe TCF 2.2 does not directly address cookie walls. The standard focuses on how consent is collected and transmitted between advertising ecosystem actors. A cookie wall can be technically implemented within the TCF framework, but its legality remains subject to CNIL (French data protection authority) and EDPB criteria. TCF compliance in no way guarantees cookie wall legality.

---

Sources: Council of State, Decision of June 19, 2020, No. 434684 — CNIL (French data protection authority), Cookie walls: evaluation criteria — CNIL (French data protection authority), Guidelines and recommendation of September 17, 2020 — CNIL (French data protection authority), Vanity Fair EUR 750,000 sanction — EDPB, Cookie banner task force report — CNIL (French data protection authority), Google EUR 150M sanction (January 2022)