GDPR Compliance of Washington Post Cookie Consent in Question


The United Kingdom’s Information Commissioner’s Office (ICO) found that the Washington Post’s online subscription options are not General Data Protection Regulation (GDPR) compliant.

The GDPR does not cover online subscription options, but the ICO said it could issue a reprimand. The Washington Post offers three subscription levels, but only the highest level gives users the ability to turn off tracking cookies. Privacy activists question tying cookie consent to access, and they question whether this satisfies the prerequisites for consent defined in the EU data protection regulations. According to the GDPR, the Washington Post should have given all subscribers a free option to accept cookies or not.

In the view of the ICO case manager, the Washington Post did not fulfill its data protection responsibilities because it did not give consumers choice and control over the use of their information. The Washington Post has been reminded about its data rights practices. It must now allow website users access to all levels of subscription without being required to accept cookies. Hopefully, the Washington Post will pay attention to the ICO’s advice. If it decides not to, the ICO can’t do anything more about this matter.

This case shows the importance the ICO places on making sure that US-based companies comply with the GDPR with respect to EU subscribers. Companies found to be in violation of the GDPR can be subject to fines of up to €20 million or 4% of annual global income, whichever amount is higher.

Since there is some uncertainty about the extraterritorial applicability of the GDPR and how non-EU based companies may observe it, the European Data Protection Board needs to publish guidance on the extraterritorial applicability of the GDPR as soon as possible.

Pat Walshe, Managing Director of Privacy Matters, commented that control of the situation may be outside the scope of the GDPR. In relation to the case, the ICO has neither the resources nor the disposition to pursue cross-border action, as when it redirected 70 staff to handle the Facebook/Cambridge Analytica case. It appears to be having difficulty coping with complaints concerning data controllers based in the UK.