UK ICO issues warning to Washington Post over cookie consent practices

In a recent report in The Register it was revealed that the Information Commissioner’s Office (ICO) has warned The Washington Post newspaper about infringing the EU General Data Protection Regulation (GDPR) through it’s cookie policy. The Post offers three types of online subscription - one free but with very restricted access, one at $6 every four weeks and one at $9 every four weeks - but only the most expensive option permits readers to disable tracking and cookies. The other options require readers to consent to cookies, tracking and advertisements.

The ICO has investigated the matter following a complaint, and has found the Post to be in contravention of Article 7(4) of GDPR (“when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”). Because no free subscription option is offered that does not require consent to cookies, it has been concluded that consent cannot be given freely.

As the newspaper is based outside the European Union it is not required to be GDPR compliant, so issuing a warning is really all that the ICO can do. It has warned the newspaper to provide access to all subscription levels without consent to cookies, but if the warning is ignored the matter is unlikely to progress further. Even if there were resources available for enforcement, there is continuing uncertainty about enforcing adherence to GDPR outside the EU even when, as in this case, the personal information collected is being used to target subscribers with advertisements for EU-based goods and services.

In 2014 the ICO signed a Memorandum of Understanding with the US Federal Trade Commission that might have been expected to provide a means of applying pressure here. But US privacy law does not address cookie consent at present, so there is unlikely to be any mileage for the ICO in exploring that option. Further information is expected soon on the enforcement of GDPR outside its own territory, but in the meantime the ICO can only wait and see what, if anything, The Washington Post chooses to do voluntarily.