Consent-or-Pay for Publishers: Compliance Guide for the UK and EU (2026)
UniSignIn Team
21 min read
Consent-or-pay is now one of the most actively searched compliance topics in European digital publishing. Publishers across the UK, Germany, France, and Switzerland have deployed cookie paywalls at scale, regulators have published formal opinions, and enforcement actions have begun. If you're running a consent-or-pay model or planning to launch one in 2026, this guide gives you the regulatory framework, a 10-publisher case study, pricing strategy data, and a practical implementation checklist.
What's Consent-or-Pay?
The consent-or-pay model (also called a cookie paywall or privacy paywall) gives website visitors a binary choice when they arrive on a publisher's site: consent to personalised advertising tracking, or pay a subscription fee for an ad-free, tracking-free experience.
The model emerged as publishers searched for a legally defensible way to obtain the consent required by GDPR for behavioural advertising. Simply accepting that many users would refuse consent wasn't an attractive option, because it would leave a large share of traffic monetised only through contextual advertising.
Consent-or-pay provided an alternative. By attaching a monetary value to the privacy option, publishers could show that consent was part of a genuine exchange. Users can either consent to personalised advertising and access the content for free, or pay to access the site without tracking. In this structure, consent is linked to a clear value choice rather than being imposed as a condition of access.
In addition to in-house solutions, dedicated consent-or-pay platforms have emerged to provide ready-made gate infrastructure. For example, AdFreePro offers a white-label consent-or-pay solution for mid-market publishers seeking a pre-built gate without a full custom development cycle.
The consent-or-pay model is now operational at major publishers across every major European market. UniSignIn's consent-or-pay solution is built to handle the complete implementation: the gate design, the compliant consent mechanism, the subscription payment tier, and ongoing consent rate optimisation. Understanding where the model sits in the regulatory system is the necessary starting point.
EDPB Opinion 08/2024: What It Actually Says
The European Data Protection Board published Opinion 08/2024 in April 2024, with a focus on consent-or-pay models operated by large online platforms (LOPs). This is the most consequential regulatory document publishers need to understand.
Scope: Large Online Platforms vs. Publishers
The opinion followed requests from three national Data Protection Authorities, the Dutch AP, the Norwegian Datatilsynet, and the Hamburg DPA, after Meta introduced an ad-free subscription in Europe. The EDPB clarified that its analysis mainly targets large online platforms as characterised under both the Digital Services Act (DSA) and the Digital Markets Act (DMA), namely platforms with large market power and limited user alternatives.
The distinction matters enormously for publishers. A reader who rejects consent on Le Monde or Der Spiegel can simply go to a competing news site. A user who rejects consent on Facebook or Instagram faces no comparable alternative because of network effects and data dominance. The EDPB explicitly acknowledged this asymmetry.
For publishers who don't qualify as large online platforms, the opinion creates guidance rather than a hard prohibition. The basic test remains whether consent is "freely given" under GDPR Article 7(4), which requires that consent not be made conditional on a contract where the processing isn't necessary for the performance of that contract.
The Three-Option Requirement
The EDPB's clearest practical guidance was that large platforms should offer a genuine third option: an equivalent service without behavioural advertising and without a subscription fee. For publishers, this translates into an important design question. Regulators in multiple jurisdictions have indicated that a binary consent-or-pay gate is harder to defend than a three-option model that includes contextual advertising as a free, non-tracking alternative.
Publishers implementing consent-or-pay in 2026 should consider whether their model offers a contextual advertising tier that doesn't require personal data processing, alongside the consent and pay options.
Freely Given Consent: The Pricing Test
The EDPB opinion established that even where a pay option exists, consent can still fail the "freely given" test if the subscription fee is so high that it effectively coerces users into consenting. This is the pricing adequacy question. No fixed threshold was set, but the EDPB indicated that the fee must not be so high as to inhibit data subjects from making a genuine choice.
This guidance directly affects subscription pricing on publisher cookie paywalls, as explained in the pricing strategy section below.
ICO Guidance: The UK Position
After Brexit, UK publishers now operate under the UK GDPR instead of the EU GDPR, with the Information Commissioner's Office (ICO) enforcing compliance. Unlike EU supervisory authorities, the ICO has adopted a notably more pragmatic approach to the consent-or-pay dilemma, balancing regulatory expectations with practical realities.
The ICO's Cookie Paywall Review
The ICO's review of cookie paywalls, which began with a call for views in 2024 and culminated in formal guidance published in January 2025, concluded that consent-or-pay models can comply with the UK GDPR's requirement for freely given consent, provided certain conditions are met. The alternative paid option must be clearly explained and genuinely accessible. Its price should bear a reasonable relationship to the commercial value of the data being collected. The gate mustn't employ dark patterns to steer users toward consent. All other GDPR consent requirements, including granularity, ease of withdrawal, and keeping records of consent, must still be satisfied.
In one important respect, the ICO's position is more permissive than the EDPB's. UK publishers aren't required to offer a contextual advertising tier as a third option. A two-option gate remains acceptable under the UK GDPR if pricing is fair and the consent mechanism is properly implemented.
UK Publishers and the ICO Investigation
The ICO launched a public call for views on consent-or-pay in March 2024 following the rollout by UK publishers including The Sun (News UK) and Reach plc, and published formal guidance in January 2025. The ICO's guidance examines:
Whether subscription fees at current market prices constitute coercion. Whether the model creates disadvantage for users who can't afford the subscription tier. Whether the cookie consent banner for the "free with consent" tier complies with the consent standards for specificity and granularity.
Publishers operating under UK GDPR should monitor the ICO's evolving guidance and ensure their implementation addresses these specific concerns.
Major Differences: UK GDPR vs. EU GDPR for Cookie Paywalls
| Dimension | UK GDPR (ICO) | EU GDPR (EDPB) |
|---|---|---|
| Consent-or-pay permissibility | Permitted if price is fair | Permitted for smaller publishers; scrutinised for large platforms |
| Third option (contextual ads) | Not required | Recommended for large platforms |
| Price adequacy test | Reasonable to market | Must not inhibit genuine choice |
| Dark patterns prohibition | Yes | Yes |
| Consent granularity | Required | Required |
| Withdrawal mechanism | Required | Required |
10 European Publisher Examples
Understanding what consent-or-pay looks like in practice across different markets is more useful than any abstract compliance checklist. Here are ten publishers who have deployed the model, including their pricing, model design, and observable outcomes.
1. The Sun (News UK, UK)
The Sun launched one of the first major UK consent-or-pay implementations. Visitors are shown a two-option gate: accept personalised advertising tracking or subscribe for an ad-free experience at £4.99 per month. The gate is full-screen on first visit and remains persistent on return visits for users who haven't made a choice.
The Sun's implementation is notable for its pricing transparency: the gate clearly explains that the subscription fee offsets the revenue the publisher would otherwise earn from personalised advertising.
2. Mirror and Daily Express (Reach plc, UK)
Reach plc deployed consent-or-pay across its portfolio of UK titles including the Mirror, Daily Express, Manchester Evening News, and regional newspapers. The "Privacy Plus" subscription is priced from £1.99 per month for national titles like the Mirror and Express, and £2.99 per month for regional titles like Manchester Evening News, considerably below The Sun's offering.
Reach's lower price points reflect its mixed portfolio of premium and regional titles. The lower barrier to the paid option arguably makes the consent more freely given by reducing the financial coercion argument. Reach has reported that its registered user base has grown sharply since introducing the model, with many users choosing the registration path as a middle option even where it wasn't formally presented.
3. Le Monde (France)
Le Monde introduced a consent-or-pay gate in line with CNIL guidance in France. The French data protection authority (CNIL) has published its own guidance permitting cookie walls on a case-by-case basis, following a 2020 ruling by the Conseil d'Etat that overturned CNIL's earlier blanket ban. Le Monde's gate offers three tiers: consent to personalised ads (free), a limited contextual-only access (free, reduced number of articles), or a full digital subscription.
Le Monde's three-tier model is one of the clearest implementations of the EDPB's recommended approach. The contextual advertising option functions as the EDPB's suggested third option, meaning the model is more defensible under EU GDPR than a strict two-option gate.
4. Bild (Axel Springer, Germany)
Bild's consent-or-pay model, branded as "Bild Pur" on the tracking-free side, has been operating since 2023. Germany's DSK (Conference of Independent Data Protection Authorities) has published guidance broadly permissive of consent-or-pay for publishers, which has encouraged wider adoption.
Bild charges around EUR 3.99 per month for the ad-free option. The consent tier includes full access to the site with personalised advertising. The model sits alongside Bild's existing BILDplus premium subscription, which provides additional editorial content beyond what the standard site offers.
5. Der Spiegel (Germany)
Der Spiegel deployed consent-or-pay as part of a broader reader revenue strategy. The Spiegel+ subscription is a distinct premium product, while the consent-or-pay gate applies to the main site. Der Spiegel has been transparent in its editorial coverage about the business rationale for the model, which has reduced reader resentment compared to publishers that introduce the gate without explanation.
The editorial transparency approach, explaining to readers why the choice exists and what happens to their data in each case, is a model other publishers should consider adopting.
6. PlanetSport (UK)
PlanetSport, which operates a network of sports content sites including PlanetFootball and LoveRugbyLeague, introduced a consent-or-pay gate across its UK properties using UniSignIn's consent-or-pay solution, in line with ICO guidance. The sports audience skews toward high engagement and repeat visits, which makes the model commercially viable even at a lower price point than general news publishers.
PlanetSport's implementation, powered by UniSignIn, uses a lightweight gate design: a single-screen prompt that loads without impeding article access, keeping bounce rates low while still collecting a meaningful consent signal on the majority of return visits.
7. La Repubblica (GEDI, Italy)
Italy's Garante has been one of the more active EU supervisory authorities on consent-or-pay. La Repubblica introduced a model that includes a contextual advertising option in direct response to Garante guidance. The gate is presented as a three-step modal explaining what each option means before asking the user to choose.
La Repubblica's implementation includes a clear "manage cookies" link that allows users to revisit their choice on subsequent visits, a requirement under both EU and UK GDPR that's sometimes absent from hastily deployed implementations.
8. Het Financieele Dagblad (Netherlands)
The Dutch AP (Autoriteit Persoonsgegevens) was one of the three authorities that requested the EDPB opinion on consent-or-pay. The Dutch market has therefore been more cautious in adopting the model. Het Financieele Dagblad, the Dutch financial newspaper, uses a model that prominently features the contextual advertising option as a free default, with the personalised advertising consent offered as an upgrade.
This inverted default approach (contextual ads free, personalised ads by opt-in) is a more conservative interpretation of the GDPR requirements and may be the design pattern most defensible under the EDPB's opinion.
9. Le Figaro (France)
Le Figaro operates a consent-or-pay gate for ad-free access. French publisher trade body GESTE has published position papers advocating for publishers' right to use consent-or-pay models, and Le Figaro's implementation broadly follows the principles outlined in those positions. The gate is A/B tested for conversion across different user segments, with returning visitors and registered users shown different gate designs.
Le Figaro's testing programme is a useful reminder that consent-or-pay isn't a set-and-forget implementation. Ongoing optimisation of the gate design, copy, and pricing improves both compliance (clearer consent) and commercial outcomes.
10. Mail Online (DMG Media, UK)
Mail Online launched its consent-or-pay model in July 2024 alongside several other major UK publishers. The "Mail Essential" subscription is priced at £2.70 per month and offers access with reduced tracking and non-personalised advertising. Notably, Mail Essential is separate from DMG Media's premium content paywall "Mail+" and focuses purely on the privacy choice rather than gating editorial content.
Mail Online's implementation highlights an important design consideration: the subscription tier offers "reduced tracking" rather than zero tracking, with the site still using some cookies for content personalisation and measurement. Publishers should be clear about what the paid tier actually removes to avoid misleading users and to maintain compliance with transparency requirements.
Pricing Strategies for Cookie Paywalls
Setting the right price for the paid option in a consent-or-pay model is both a commercial and a compliance question.
The Market Rate Standard
EDPB and ICO guidance converges on the principle that the subscription price should bear a reasonable relationship to the commercial value of the data being collected. The implied standard is the revenue per user that the publisher would otherwise earn from personalised advertising consent, which for most news publishers is in the range of EUR 1 to EUR 5 per user per month depending on geography, content vertical, and audience quality.
Current market pricing across European publishers clusters in two bands:
| Price Point | Examples | Positioning |
|---|---|---|
| EUR/GBP 1.99 to 2.99 | Reach plc, Mail Online | Low barrier; maximises "freely given" argument |
| EUR/GBP 3.99 to 5.99 | Bild, The Sun, Der Spiegel | Market rate for ad-free tier |
| EUR/GBP 9.99+ | Large platforms | Regulatory scrutiny territory |
Tiered Pricing and the Three-Option Model
Publishers who want to maximise compliance defensibility and commercial flexibility should consider a three-tier pricing structure:
Tier 1: Consent (free). Full access with personalised advertising. Requires compliant consent collection with genuine granularity.
Tier 2: Contextual (free, reduced). Access to a set number of articles per month with contextual advertising only. No tracking consent required. This tier satisfies the EDPB's third-option recommendation.
Tier 3: Pay (EUR/GBP 1.99 to 4.99). Full access, no advertising, no tracking. Price set to reflect the actual advertising revenue value foregone.
This structure is more operationally complex to implement but far more defensible under EU GDPR and increasingly under UK GDPR as ICO guidance evolves.
Pricing and Consent Rate Optimisation
The pricing decision doesn't sit in isolation from consent rate performance. A lower subscription price increases the proportion of users choosing the free consented tier, because the cost of opting out of tracking is perceived as meaningful. A higher price improves revenue per paying subscriber but may reduce the consented user share if it tips users toward neither option.
UniSignIn's consent rate optimisation tools let publishers A/B test price points alongside gate copy and design, so pricing decisions are driven by actual conversion data rather than assumption. Publishers who treat price as a variable in an ongoing optimisation programme consistently outperform those who set it once at launch.
Implementation Checklist for Consent-or-Pay Compliance
Legal and Governance
- Conduct a GDPR Article 35 Data Protection Impact Assessment (DPIA) before launching your consent-or-pay model to identify potential privacy risks.
- Document the legitimate interests assessment or clearly define the lawful basis for each category of processing in the consent tier.
- Ensure that your Privacy Policy and Cookie Policy are updated so they accurately describe the consent-or-pay model.
- Brief your Data Protection Officer (DPO) on the model's design and implementation.
- If operating across multiple EU countries, confirm which lead supervisory authority applies and review whether national guidance (e.g., CNIL, Garante, DSK) introduces additional requirements.
- Verify that all partners or vendors processing data under the consent tier have valid Data Processing Agreements in place.
Consent Mechanism
- Implement a compliant Consent Management Platform (CMP) that records consent in detail by purpose and vendor, such as UniConsent.
- Make sure consent is collected before any tracking scripts fire, including Google Analytics, Google Ad Manager bidding signals, and any IAB TCF registered vendors.
- Ensure the consent banner for the "free with consent" tier offers genuine granularity, allowing users to opt in by purpose and by vendor rather than providing only a single "accept all" option.
- Confirm that users can withdraw consent as easily as they give it, ideally with one-click opt-out.
- Maintain reliable consent logging with timestamps and versioning, so you can demonstrate valid consent to regulators.
- Test the consent mechanism on mobile devices to ensure usability, avoiding dark patterns such as pre-ticked boxes, misleading button colours, or hidden reject options.
Gate Design and UX
- Avoid dark patterns in the gate design. Both "Accept" and "Pay" buttons should be equally prominent, and "Reject" must never be hidden or visually downplayed.
- Write gate copy in plain language, clearly explaining what each option involves.
- If offering a three-option model, present the contextual advertising tier with equal prominence alongside the other options.
- Test the gate across mobile, tablet, and desktop devices at multiple viewport sizes.
- Provide a persistent and accessible mechanism for users to change their choice after the initial gate, such as a "cookie settings" link in the footer.
- For the paid option, ensure the subscription flow is straightforward and doesn't introduce unnecessary friction.
Technical Implementation
- Use UniConsent or another IAB TCF 2.2-certified CMP to manage EU consent signals.
- Connect consent signals to Google Ad Manager to ensure personalised advertising serves only to users who have given valid consent.
- Test that non-consented users receive only contextual advertising and that no tracking scripts fire for them.
- Ensure the subscription and payment flow for the paid tier is PCI-compliant and as frictionless as possible.
- Verify that the gate correctly identifies and bypasses existing subscribers, using their subscription relationship as the lawful basis rather than re-collecting consent.
- Confirm that UniSignIn's consent-or-pay gate fires consent signals to all downstream ad tech partners before any personalisation occurs.
Commercial Optimisation
- Establish a baseline consent rate before launching so you can measure the true impact of the implementation.
- A/B test gate copy, design, and price using UniSignIn's built-in consent rate optimisation tools to find the configuration that delivers the highest compliant uptake.
- Design the gate for each audience segment: first-time visitors, returning visitors, and existing subscribers should each see a contextually appropriate version.
- Track the paid conversion rate alongside the consent rate to monitor the full commercial impact of pricing and design changes.
- Review consent rate performance monthly: small uplifts compound into big revenue gains across a full year of traffic.
How UniSignIn and UniConsent Work Together
A compliant, commercially optimised consent-or-pay deployment requires two layers working in concert: consent management and gate delivery.
UniConsent handles the consent layer: the IAB TCF 2.2-certified CMP, consent logging, vendor management, and signal enforcement across the ad stack. UniConsent's GDPR compliance tools handle UK and EU GDPR requirements in a single deployment, ensuring the correct consent framework is applied to each visitor based on their jurisdiction.
UniSignIn's consent-or-pay platform handles the gate layer: the compliant two- or three-option gate, subscriber recognition and bypass logic, the subscription and payment flow for the paid tier, and the consent rate optimisation engine that continuously improves gate performance. UniSignIn ensures that consent signals captured at the gate are passed correctly to all downstream ad tech, and that the paid subscription tier is managed with the same platform, removing the need for a separate billing provider.
Together, the two platforms provide the complete stack for a consent-or-pay implementation without requiring publishers to build or maintain custom infrastructure.
Common Compliance Mistakes to Avoid
Launching without a DPIA. A Data Protection Impact Assessment is mandatory under GDPR Article 35 for processing that's likely to result in a high risk to individuals. A consent-or-pay model that systematically collects and processes behavioural data from all consenting users at scale meets this threshold. Launching without a completed DPIA is a big regulatory risk.
Using dark patterns in the gate. Regulators in France, Germany, Italy, and the Netherlands have all issued fines or enforcement notices for cookie banners that use dark patterns to steer users toward consent, including brighter "accept" buttons, buried reject options, and misleading copy. The same standards apply to consent-or-pay gates.
Not auditing your vendor list. The consent you collect only covers the vendors listed in your CMP at the time of consent. Publishers who add new advertising partners after collecting consent are processing data without a valid legal basis for those partners. Audit your vendor list quarterly and obtain fresh consent when material new vendors are added.
Ignoring subscriber bypass. Forcing existing paid subscribers through the consent gate is both a UX failure and a potential compliance issue, because it creates ambiguity about what legal basis applies to subscriber data processing. Configure your gate to recognise authenticated subscribers and route them directly to content.
Setting an unjustifiable price. A pay option priced at EUR 9.99 or more per month for a general news site with limited premium content will face scrutiny under both EDPB and ICO guidelines. Price the paid tier at a level that reflects the actual advertising revenue foregone, not at the maximum the market might bear.
Frequently Asked Questions
Is consent-or-pay legal under GDPR in 2026?
Yes, for publishers who aren't large online platforms, provided the implementation satisfies the "freely given" consent test. The paid option must be reasonably priced, the gate mustn't use dark patterns, and the consent mechanism must meet all standard GDPR requirements including granularity, easy withdrawal, and consent logging.
Does the EDPB opinion apply to news publishers?
The EDPB Opinion 08/2024 was directed at large online platforms as defined by the Digital Markets Act. Most news publishers don't qualify. However, the opinion's principles on freely given consent apply broadly, and national DPAs have used its reasoning in guidance directed at publishers.
What CMP should I use for consent-or-pay?
Publishers implementing consent-or-pay need a CMP that's certified under IAB TCF 2.2 and supports multi-jurisdiction consent (UK GDPR and EU GDPR simultaneously). UniConsent is built for this use case and integrates directly with UniSignIn's identity platform.
Do I need a three-option model or is two options enough?
Under UK GDPR (ICO), a two-option model is acceptable provided the price is fair. Under EU GDPR, the EDPB has recommended a third option (contextual advertising free) for large platforms, and several national DPAs have extended this recommendation to publishers. If you're operating in France, Italy, or the Netherlands, building in a contextual tier is strongly advisable.
How does UniSignIn handle the subscription tier of consent-or-pay?
UniSignIn's consent-or-pay platform includes a built-in subscription and payment module that covers the paid tier end-to-end: recurring billing, subscriber recognition, and bypass logic so existing paying subscribers are never shown the consent gate. The payment flow is designed to minimise drop-off between the gate and completed subscription, with a streamlined checkout that typically takes under 60 seconds.
How long does implementation take?
With UniSignIn and UniConsent deployed together, a compliant consent-or-pay implementation typically takes two to four weeks including legal review, gate design, CMP configuration, payment integration, and QA. Building custom infrastructure from scratch takes three to six months of engineering work and still requires ongoing maintenance as regulatory guidance evolves.
Building a Consent-or-Pay Strategy
Consent-or-pay is a legally permissible and commercially viable model for European publishers in 2026, provided it is implemented correctly. The regulatory framework is settled enough to provide clear requirements: fair pricing, no dark patterns, detailed consent mechanisms, easy withdrawal, and proper logging.
The publishers who derive the most value are those who treat the model as an active commercial programme rather than a one-time compliance deployment. That means ongoing gate optimisation, regular price testing, quarterly vendor audits, and treating the paid subscriber tier as a product that deserves its own retention effort.
UniSignIn's consent-or-pay platform and UniConsent together cover every layer of that programme, from the initial gate through to subscriber billing and consent rate reporting.
About UniSignIn
UniSignIn provides a consent-or-pay platform built for digital publishers. It works alongside UniConsent to cover the full implementation: compliant gate design, consent collection and logging, subscriber payment management, and consent rate optimisation. UniSignIn is part of Transfon's suite of publisher technology products. Contact us to learn more: [email protected]
Everything you need
All-in-one platform
UniSignIn is all-in-one first-party data platform to collect and manage the first-party data of your digital assets.
- Social Login with Google Login
- Social Login with Facebook Login
- Social Login with Twitter Login
- First-party data analysis
- First-party data onboarding and management
- Single Sign-On with Email and password
- User experience orchestration engine
- Personalised Email and communication
- First-party data collector
- First-party tag management