If a UK news site has recently asked you to either accept personalised advertising or pay, you are not looking at a brand new law. You are looking at an old rule being applied in a more explicit way. The legal base is still regulation 6 of PECR, which requires consent for non-essential cookies and similar technologies, read alongside the UK GDPR standard for consent in article 4(11) and the conditions in article 7. What changed was the ICO’s guidance on 23 January 2025. That guidance says a ‘consent or pay’ model can be lawful in the UK, but only if the organisation can show the choice is real.
That is why the market now looks different. The ICO has not said ‘cookie walls are fine now’. It has said some consent-or-pay models may pass, provided the business can justify them against a specific set of tests. For compliance teams, that narrower point matters more than any single publisher example: the legal question is whether the user is being given a genuine choice, not whether the banner uses the word ‘pay’.
What the law said before January 2025
Before the ICO published its final guidance, most UK practitioners treated a hard cookie wall as a bad bet. That was for a simple reason. PECR requires consent before a site stores or accesses non-essential cookies, and UK GDPR says consent must be freely given, specific, informed and unambiguous. If the only route into a service is ‘agree to tracking or go away’, it is hard to argue that the user had much freedom at all.
The ICO still says that point clearly. In its guidance on online advertising, the regulator says the classic ‘take it or leave it’ model does not comply in most cases, because consent must not be bundled in as a condition of service unless it is necessary. That older understanding has not been repealed. It still kills the pure ‘accept tracking or no access’ banner.
The difference is that a payment route changes the analysis. Once a site offers a second route into the service, the question stops being ‘is this bundled consent?’ and becomes ‘is this a genuine choice, or is the paid route priced or designed so badly that most people are still pushed into consent?’
What changed on 23 January 2025
The key change was not an Act of Parliament. It was the ICO’s final consent or pay guidance, published on 23 January 2025 after the regulator’s March 2024 call for views. The ICO’s starting point is now explicit: consent-or-pay models can be compliant with data protection law if the organisation can demonstrate that people can freely give consent and the wider model meets UK GDPR and PECR.
That is a meaningful shift in tone. It gave publishers a framework they could work to, rather than a fog of assumptions. The ICO also folded the point into its wider 23 January 2025 announcement on cookie compliance across the UK’s top 1,000 websites. In other words, the regulator was tightening pressure on weak cookie banners while also telling the market that consent-or-pay was not automatically off limits.
The guidance turns on four factors. First, power imbalance: does the user rely on the service, face high switching costs, or deal with a business whose market position leaves little real choice? Second, appropriate fee: is the paid option priced at a level that still leaves users with a realistic alternative? Third, equivalence: do both routes provide broadly the same core service? Fourth, privacy by design: are the choices presented clearly, neutrally and without pressure or tricks?
The ICO also says organisations must document the assessment in a DPIA. That matters. The model is not lawful because the banner says ‘pay’. It is only lawful if the business can evidence why its own service, its own pricing and its own design still allow freely given consent.
Why this is possible for publishers, but not a blank cheque
Publishers have an argument that some other sectors do not. A news website is usually not the only route to vital daily life tasks. The ICO’s power-imbalance analysis is much harsher where people depend on the service, where switching is unrealistic, or where the organisation holds structural power over the individual. The guidance gives examples such as public authorities and employment relationships. It also warns that where users would be unfairly penalised for leaving, consent is unlikely to be freely given.
That helps explain why a commercial news site may have more room than a utility, a public service portal or an employer platform. Even then, it is not automatic. If a news publisher dominates a niche, targets children, serves users in financial hardship, or makes the paid route so expensive that the practical answer is still ‘accept’, the argument weakens fast.
The ICO’s fee guidance is particularly blunt on this point. It says a fee does not automatically make consent invalid, but a fee that is too high may mean people are priced out of the paid route and feel they have no genuine choice. The regulator also says businesses should not justify the fee by pointing to lost ad revenue or their own production costs. The question is whether the user still has a real choice about their data, not whether the publisher prefers a certain commercial outcome.
What a compliant UK model should look like in practice
If you are a manager asking whether your own organisation can copy this model, the safest answer is: only if you can defend each part of the design in writing. A stronger UK implementation would usually include all of the following.
- A clear statement that accepting means consent to personalised advertising and tracking, not vague wording such as ‘continue for free’. The ICO warns against labels that hide the privacy trade-off.
- A paid route that gives access to the same core service. You can vary extras, but the core content or functionality should stay broadly equivalent in quality.
- A fee that is realistic for the audience and not designed to price out refusal.
- An easy way to withdraw consent later, without hunting through multiple menus.
- No non-essential cookies before the user has made a choice.
- A DPIA that records the service context, user groups, fee logic, design testing and the reasons you believe consent remains freely given.
The red flags are just as important. A model is high risk if it hides the tracking consequences, makes the paid route materially worse, ties the choice to children or vulnerable users, or uses aggressive design to shove people towards the ‘free’ route. The ICO’s privacy-by-design section also points businesses towards user testing. If real users do not understand what they are agreeing to, the consent case is already in trouble.
For many organisations, a simpler path still exists. The ICO says contextual advertising more readily fits PECR and UK GDPR than behavioural advertising. That option will often be easier to defend than a consent-or-pay system built around extensive profiling.
Where the UK sits against the EU
The UK position is more open than the current EU-level line. In its Opinion 08/2024 and accompanying 17 April 2024 statement, the EDPB said that for large online platforms, a simple binary choice between behavioural advertising and a fee will not comply in most cases. It said platforms should give users a real choice and should consider an equivalent alternative that does not require payment.
The ICO did not copy that position into UK guidance. It did not say every publisher must offer a free contextual-advertising route on top of the paid route. Instead, it adopted a case-by-case assessment against the four factors above. That is why some UK publishers now have a clearer regulatory route to test these models than many EU publishers do.
What managers should do before copying the model
- Map the service. Be honest about whether users rely on it or can switch away without real detriment.
- Set the fee from the user’s point of view, not from the ad-sales spreadsheet.
- Define the core service and make sure both routes deliver it.
- Design the prompt in plain language with equal visual weight for both options.
- Run and record user testing.
- Update the DPIA and make sure marketing, product and legal sign off the same analysis.
If your organisation cannot support those steps with evidence, you are not ready to ship a consent-or-pay banner. You are ready to create a complaint file.
What to watch next
As of 14 May 2026, the ICO’s consent-or-pay guidance remains the live UK reference point, though the page itself says it is under review. The immediate watch items are not a fresh Act of Parliament but enforcement and implementation. The ICO has already said it is checking the UK’s top 1,000 websites for cookie compliance, and poor design choices on consent-or-pay prompts are an obvious candidate for scrutiny. If complaints start to land against pricing, equivalence or manipulative design, the practical room for publishers could narrow quickly.
For a wider cookie-law update, our piece on the ICO’s cookie consent changes under the Data (Use and Access) Act covers the broader PECR position. If you are assessing your own website stack, our WordPress cookie compliance guide is the practical follow-on.
Sources
- PECR regulation 6
- UK GDPR article 4 and article 7
- ICO call for views, 6 March 2024
- ICO consent or pay guidance, published 23 January 2025
- ICO cookie compliance announcement, 23 January 2025
- EDPB Opinion 08/2024 and EDPB statement, 17 April 2024
