It has been reported that the Information Commissioner’s Office (ICO) has issued the US-based Washington Post newspaper with a warning about how it obtains consent for cookies from website visitors.
According to a report in The Register, the ICO stated that the Washington Post’s online subscription options do not allow users to opt out of cookies and other trackers free of charge. Such functionality is only possible as part of the newspaper’s premium paid subscription service. The browsing options offered by the Washington Post are:
(iii) a more expensive premium subscription option that gives users access to an unlimited number of articles, free of advertising and ad tracking.
The ICO views this as a contravention of the EU’s General Data Protection Regulation (GDPR). Article 7(4) GDPR states that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. In failing to provide a free alternative to accepting cookies, the ICO appears to have determined that consent cannot be freely given by users, and is therefore invalid.
The GDPR applies to the Washington Post, despite it being a US company. We examined the extra territorial application of the GDPR in a recent blog post. Article 3(2) GDPR extends the reach of GDPR to the processing of an EU resident’s personal data by a controller or processor that is based outside of the EU.
The ICO has reportedly since written to the Washington Post advising that all subscription options must be accessible without such access being contingent on the acceptance of cookies.
Publishers have long grappled with how to monetise online content. They typically rely on paid subscriptions from readers or sophisticated online advertising models. Users limiting which cookies are placed on their devices will naturally have a negative effect on any revenue model that relies on online advertising.
However, it is not clear whether the ICO’s letter–writing campaign will have much impact. The ICO and the US Federal Trade Commission (FTC) signed a memorandum of understanding (we reported on this here) for mutual assistance in 2014. The memorandum pledged the two agencies would cooperate to investigate data protection infringements that are common across both countries. However, federal US privacy law does not currently address cookie consent.
Despite this disconnect, the ICO’s approach signals a clear shift towards assertive GDPR enforcement by EU data protection authorities.