Regulation·5 min read

Pay-or-OK cookie walls after EDPB Opinion 08/2024: a clear posture for EU e-commerce

EDPB Opinion 08/2024 confirms that a binary choice between paying a subscription and accepting tracking is unlikely to produce freely given consent under GDPR for large online platforms. The Opinion does not catch every storefront, but the structural test is now public. Here is when your store is exposed, what the EDPB actually said, and what regulators have done since.

Pay-or-OK is the cookie banner pattern that gives a visitor two choices and only two choices: accept tracking, or pay a monthly fee to use the site without tracking. The EDPB published Opinion 08/2024 on the model on 17 April 2024, focused on large online platforms. The Opinion is the most important EU-level statement on this question since Meta v Bundeskartellamt (CJEU, July 2023).

What did the EDPB actually say?

In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to the processing of personal data for behavioural advertising purposes and paying a fee.
EDPB Opinion 08/2024, point 73

The Opinion identifies the factors that, taken together, undermine the "freely given" element of consent under Article 4(11) and Article 7 GDPR. Where users have no equivalent alternative that does not require behavioural advertising, where the paid option is manifestly disproportionate to the value of the service, or where there is no free alternative at all, consent obtained through the wall is not freely given.

Who is in scope?

The Opinion repeatedly stresses "large online platforms". The structural concern is bargaining asymmetry: a single user cannot meaningfully negotiate with a near-monopoly service. The Opinion is not a blanket ban on pay-or-OK for every storefront.

That said, national DPAs read the test less narrowly. The German Datenschutzkonferenz published its own position on 22 March 2023 reaching a similar conclusion for any controller in a dominant content position. CNIL announced enforcement priorities for 2025 and 2026 that include consent-or-pay walls on French publisher and retail sites.

EnforcementGarante (Italy), provision of 19 December 2023, no. 567: ordered Italian magazine publisher to remove a binary cookie wall pricing the ad-free subscription at EUR 2,99 per month, citing the absence of a no-tracking free alternative and the lack of a meaningful price ceiling on the paid option. Fine: EUR 25,000 plus injunctive order.

What does this mean for a typical EU storefront?

A storefront selling physical or digital goods is structurally different from a content platform. A shop visitor is there to buy a product, not to read content gated by a subscription. EDPB Opinion 08/2024 does not directly apply to most retail. However, several large EU retailers have launched ad-free subscriptions in 2025 and 2026 that explicitly use the pay-or-OK pattern at the cookie banner, and at least one consumer association is preparing test cases.

If your store offers a paid "ad-free" or "tracker-free" option that the cookie banner uses as the only alternative to accepting tracking, you are in the grey zone. The pattern is not per se unlawful. It is, however, the subject of active national-DPA enforcement on a fact-by-fact basis.

How we test thisComplianceGuardHQ does not flag pay-or-OK cookie walls as a violation. The deterministic detector emits a warning instead, with a link to EDPB Opinion 08/2024 and the relevant DSK and CNIL positions, so a lawyer can review the specific deployment.

What to audit this week

If your storefront uses any form of consent-or-pay banner, check three things. First, is there a free alternative that uses no behavioural tracking? Second, is the price for the paid option proportionate to the value of the service for an average user? Third, do the cookie banner texts and the subscription terms together make clear what processing happens in each branch? The answers do not resolve the legal question, but they map cleanly onto the EDPB test.

Run a free scan of your live storefront. ComplianceGuardHQ surfaces any pay-or-OK pattern in the cookie banner with a warning, the EDPB Opinion citation, and the matching national DPA position for your country. The scan takes about 60 seconds and requires no install.

Frequently asked questions

What is EDPB Opinion 08/2024 about?

EDPB Opinion 08/2024, adopted on 17 April 2024, addresses the validity of consent obtained on large online platforms that offer users a binary choice between accepting behavioural advertising and paying a fee. The Opinion concludes that in most cases such a binary choice is unlikely to result in freely given consent under Article 4(11) GDPR.

Does EDPB Opinion 08/2024 apply to small online shops?

The Opinion is targeted at large online platforms with substantial bargaining asymmetry. It does not directly apply to a typical small or mid-sized e-commerce storefront. However, national DPAs (DSK in Germany, CNIL in France, Garante in Italy) have applied the same structural test more broadly in their own enforcement priorities.

Is a pay-or-OK cookie wall always unlawful?

No. The EDPB Opinion does not declare the pattern per se unlawful. It identifies fact-specific factors that point against valid consent, including the absence of a no-tracking free alternative, a disproportionate price for the paid option, and the absence of any free alternative at all. Lawfulness depends on the full fact pattern under the local DPA's reading.

What is the largest fine to date for a consent-or-pay wall?

As at June 2026, the largest published EU enforcement action is the Garante provision of 19 December 2023 (no. 567) imposing EUR 25,000 plus injunctive relief on an Italian magazine publisher. The amount is modest, but the injunctive order required the publisher to introduce a no-tracking free alternative within 90 days.

Does ComplianceGuardHQ flag pay-or-OK as a GDPR violation?

No. ComplianceGuardHQ flags the pattern as a warning, not a violation. The deterministic detector confirms the presence of consent-or-pay framing in the cookie banner, attaches the EDPB Opinion citation and the relevant national DPA position, and recommends review by a qualified DPO or EU privacy lawyer. The lawfulness assessment requires a fact-specific call we deliberately do not make for you.

Run the check on your store

ComplianceGuardHQ runs 37 automated checks across 8 EU frameworks against your live storefront in about 60 seconds. Free baseline scan, no install.

Run a Free Scan

ComplianceGuardHQ runs an automated technical scan. Findings cite the directive text and enforcement precedent. They are not legal advice. Consult a qualified lawyer or Data Protection Officer for binding interpretation in your jurisdiction.

Continue reading

Regulation

Omnibus Directive 30-day rule (Article 6a) explained for e-commerce

The Omnibus Directive's Article 6a requires every discounted product to display the lowest price from the 30 days before the sale began. Here is what the rule says, who enforces it, and where it breaks on Shopify and WooCommerce stores.

Regulation

GDPR Article 13 checklist: the disclosures most privacy policies miss

Article 13 of GDPR lists the information a controller must provide at the point of data collection. It is more specific than "have a privacy policy." Here is the full checklist, with the four disclosures most storefronts miss.

Regulation

European Accessibility Act for e-commerce: what WCAG 2.1 AA requires

Directive 2019/882, the European Accessibility Act, became enforceable on 28 June 2025. For e-commerce, it incorporates WCAG 2.1 Level AA. Here is what that means for product pages, checkout, account flows, and which storefronts are exempt.