The Publisher's Privacy Dilemma
News publishers sit at a crossroads between reader privacy and advertising revenue. Programmatic advertising - the financial engine behind most online journalism - relies on cookies and tracking technologies that fall squarely under the ePrivacy Directive and GDPR.
Without valid consent, publishers cannot serve personalised ads through real-time bidding. Without personalised ads, CPMs drop significantly. Without CPM revenue, newsrooms shrink.
This tension has driven many publishers to experiment with cookie walls and pay-or-consent models - approaches that regulators across Europe are now scrutinising closely. Understanding where the legal boundaries sit is no longer optional for any publisher generating revenue through advertising or subscriptions.
Cookie Walls vs Pay-or-Consent: What Is the Difference?
A cookie wall blocks access to content entirely unless a visitor accepts all cookies. There is no alternative - no paid option, no reduced-functionality version. The visitor either consents to tracking or leaves.
A pay-or-consent model offers visitors a genuine choice: accept cookies and access content for free, or pay a subscription fee for a tracking-free experience. The distinction matters because regulators treat these two approaches very differently.
The EDPB published Opinion 08/2024 on consent-or-pay models used by large online platforms, concluding that offering only a binary choice between consenting to behavioural advertising and paying a fee will, in most cases, fail to meet the GDPR's standard for freely given consent. That opinion, however, was limited in scope to large platforms such as Meta - not news publishers.
Several national data protection authorities have since taken a more permissive stance towards publishers specifically. The CNIL in France, the DSK in Germany, the Garante in Italy, and the ICO in the UK have each indicated that pay-or-consent can be lawful - provided the model meets strict conditions.
Conditions for a Lawful Pay-or-Consent Model
Regulators have converged on a set of requirements that publishers must satisfy:
- The paid alternative must provide equivalent access to content - not a degraded experience
- The subscription price must be reasonable and not so high that it coerces consent
- Both options must be presented in a balanced way, without dark patterns that steer users towards accepting cookies
- Consent must remain specific, informed, and easy to withdraw at any time
- The publisher must be able to justify its pricing model if challenged by a regulator
The CNIL has recommended that publishers prepare a documented pricing analysis. If a supervisory authority questions whether the subscription fee is proportionate, a publisher without documentation will struggle to defend its model.
What the EDPB Says About Cookie Walls
Pure cookie walls - where no alternative exists - face a much harder legal path. The EDPB's Guidelines 05/2020 on consent state that access to services should not be made conditional on consent to data processing that is not necessary for that service. Article 7(4) of the GDPR reinforces this: when assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract is conditional on consent to processing not necessary for that contract.
For publishers, this creates a grey area. Is reading a news article a "service" that requires tracking cookies to perform? Clearly not - the article loads just fine without _fbp or _ga cookies. The tracking serves the publisher's advertising model, not the reader's access to content.
A pure cookie wall that offers no alternative to accepting tracking is unlikely to produce valid consent under GDPR Article 7. The pay-or-consent model exists precisely to address this gap by providing a genuine alternative.
IAB TCF: The Publisher's Consent Infrastructure
The IAB Transparency and Consent Framework (TCF) is the consent protocol that underpins programmatic advertising in Europe. Version 2.3, launched in April 2025, requires adoption by all TCF participants before 28 February 2026.
For publishers, TCF compliance is not just a regulatory matter - it directly affects revenue. Without a valid TCF consent string, Google Ad Manager and other SSPs will serve only limited ads. These non-personalised ad units lack frequency capping and audience targeting, producing substantially lower CPMs.
| Consent Status | Ad Type Served | Typical CPM Impact | TCF String Required |
|---|---|---|---|
| Full consent granted | Personalised (targeted) | Baseline CPM | Yes - valid TC string |
| Partial consent (no marketing) | Contextual only | 40-60% lower | Yes - with restricted purposes |
| No consent / rejected | Limited ads | 60-80% lower | Not applicable |
| No CMP present | No ads (EU traffic) | 100% loss | Not applicable |
TCF v2.3 introduced mandatory disclosure of all vendors in the TC string, closing a loophole where vendors could process data without appearing in the consent interface. Publishers running header bidding setups with dozens of demand partners should audit their vendor lists carefully - each vendor must be disclosed to the reader and must have a lawful basis recorded in the string.
Publisher Responsibilities Under TCF
Under the TCF framework, publishers act as controllers. This means the publisher - not the CMP vendor, not the SSP - bears responsibility for ensuring consent is collected lawfully. If a reader's data is processed by a vendor listed in the publisher's TCF configuration without valid consent, the publisher faces regulatory exposure.
Choosing a certified CMP that supports TCF v2.3 is a baseline requirement. Beyond that, publishers should regularly review which vendors appear in their consent interface and remove any that are no longer active in their ad stack.
Consent Rates and the Revenue Equation
Consent rates vary significantly by industry, and news publishing tends to sit at the lower end. Privacy-conscious readers, ad-blocker usage, and consent fatigue all contribute to lower opt-in rates on news sites compared to ecommerce or SaaS platforms.
A publisher seeing a 55% consent rate on desktop might see 40% on mobile, where banner interactions are more disruptive. That gap directly translates to lost ad impressions.
The temptation to use manipulative banner designs - hiding the reject button, using confusing toggle states, or adding unnecessary friction to refusal - is real. But regulators have made their position clear. The CNIL fined Google EUR 150 million and SHEIN EUR 150 million in September 2025 specifically for interface designs that manipulated consent decisions. Pre-checked boxes, unequal button prominence, and dark patterns are now enforcement priorities across European DPAs.
Google Consent Mode v2 for Publishers
Beyond TCF, publishers using Google products must comply with Google Consent Mode v2. This requirement, enforced since March 2024, applies to any publisher running Google Ads, AdSense, or GA4.
Consent Mode v2 introduced two new parameters - ad_user_data and ad_personalization - that must reflect the reader's actual consent state. When consent is denied, Google uses conversion modelling to estimate the data it cannot collect. For publishers, this means analytics and attribution data will always contain modelled figures rather than observed data for a portion of traffic.
The practical challenge is ensuring that both TCF consent strings and Consent Mode signals stay synchronised. A mismatch - where the TCF string grants consent but Consent Mode signals denial, or vice versa - can result in either compliance failures or unnecessary revenue loss.
Protecting Reader Trust While Maintaining Revenue
Reader trust is a publisher's most valuable long-term asset. A cookie banner that feels deceptive - one that buries the reject option three clicks deep or uses guilt-tripping language - erodes that trust even if it technically produces a consent signal.
Transparent consent design benefits publishers in measurable ways. Readers who feel respected are more likely to return, more likely to subscribe, and more likely to disable ad blockers. A clear, honest banner that explains why advertising funds journalism can outperform a manipulative one over time.
Practical steps for maintaining trust:
- Use plain language in banner copy - explain that advertising funds the journalism readers access for free
- Offer equal prominence for accept and reject buttons
- If running a pay-or-consent model, display the subscription price prominently alongside the free option
- Run regular cookie audits to ensure no undisclosed trackers fire before consent
- Provide a preference centre where readers can adjust their choices without hunting for a hidden link
Frequently Asked Questions
Are cookie walls legal under GDPR?
Pure cookie walls that offer no alternative to accepting tracking are unlikely to produce valid consent under GDPR, because consent must be freely given. A pay-or-consent model that provides a reasonable paid alternative can be lawful, provided the price is proportionate and both options are presented fairly.
Does the EDPB ban pay-or-consent for publishers?
No. EDPB Opinion 08/2024 addressed large online platforms, not news publishers. Several national DPAs - including the CNIL, ICO, and DSK - have indicated that publishers may use pay-or-consent models if the subscription fee is reasonable and consent is genuinely free.
What happens to ad revenue if visitors reject cookies?
Publishers typically see CPMs drop by 60-80% for non-consented traffic, as ad platforms serve only limited or contextual ads. Without a valid TCF consent string, personalised bidding is disabled entirely for that visitor.
Do publishers need IAB TCF to serve ads in Europe?
Google and most major SSPs require a valid TCF consent string to serve personalised ads to European visitors. Without TCF integration, publishers face dramatically reduced ad revenue or must disable programmatic advertising for EU traffic.
How much should a pay-or-consent subscription cost?
There is no fixed threshold, but the CNIL recommends that publishers be able to justify the affordability of their pricing. A subscription priced so high that no reasonable reader would choose it may be viewed as coercing consent rather than offering a genuine alternative.
Can publishers use legitimate interest instead of consent for ad cookies?
For cookies and similar tracking technologies, Article 5(3) of the ePrivacy Directive requires consent regardless of the GDPR legal basis. Legitimate interest cannot bypass the requirement to obtain consent before placing non-essential cookies on a reader's device.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
