Washington Post offers invalid cookie consent under EU rules – ICO

UK watchdog waves fist in paper’s general direction, asks it to stop forcing people to accept tracking

The Washington Post newspaper's online subscription options don't comply with European Union data protection rules – but the UK's privacy watchdog can only issue it with a firm telling off.

The US newspaper offers three options to would-be readers, but only one of those – the most expensive one, costing $9 a month – allows you to switch off tracking and cookies.

For the other two, which are either free (for a limited number of articles) or $6 a month (for unlimited articles), the Post said readers must consent to the use of cookies, tracking and ads by the paper and third parties.

Tying this "consent" to access has raised privacy activists' eyebrows before: they questioned whether it meets the requirements for consent set out in EU data protection laws.

Acting on a complaint from a Reg reader, the Information Commissioner's Office looked into the Post's policies and decided they were indeed in breach of the rules.

"I am of the view that the Washington Post has not complied with their Data Protection obligations," said the case manager in a response seen by El Reg. "This is because they have not given users a genuine choice and control over how their data is used."

Article 7 (4) of the EU's General Data Protection Regulation states: "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

Since the WaPo hasn't offered a free alternative to accepting cookies, the ICO said, "consent cannot be freely given and is invalid".

However, the watchdog's hands are somewhat tied here since the Washington Post is a US-based organisation and is outside its jurisdiction.

"We have written to the Washington Post about their information rights practices," the ICO said.

"We have told them they should now ensure that users of the Washington Post website have the option to access all levels of subscription without having to accept cookies.

"We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter."

Commenting on the decision, Jon Baines, a data protection advisor at law firm Mishcon de Reya, said it appears the ICO is "attempting to exercise GDPR's extra-territorial scope against an entity 'offering goods and services to those in the EU'."

But, he added: "As the ICO said, there are likely to be limits to its ability (and willingness) to take enforcement action outside the jurisdiction, so I'd be surprised if this went any further."

Data protection expert Pat Walshe agreed, pointing out that the ICO might be better served focusing on issues closer to home.

"I would respectfully suggest the ICO does not have the resource nor the inclination to pursue cross-border action," he said. "Especially when it diverted 70 staff to work on the Facebook/Cambridge Analytica investigation. It seems to be struggling to cope with complaints raised about UK based data controllers."

Beyond the ICO's resourcing problems, Walshe noted wider difficulties in cross-border enforcement, which comes with "high expectations, but low effectiveness".

For instance, back in 2014, the ICO signed a memorandum of understanding with the Federal Trade Commission that promises mutual assistance in "investigating, enforcing and/or securing compliance with Covered Privacy Violations".

However, Walshe said that a covered privacy violation means practices that would violate the relevant laws in one country and are substantially similar to prohibited practices in the other. "Given that US law doesn't really address consent for cookies and the FTC is kind of wishy washy on it, the MoU would be about as much use as a chocolate teapot in this case."

In light of the "realities of poor enforcement within and across the UK borders", Walshe advised people to block third-party cookies by default and use tools to block online tracking.

The Reg has asked the ICO how many similar complaints and cases it has looked into, and has contacted the Washington Post. ®
