UK ICO Laws Washington Post Cookie Approval is not GDPR Compliant

Nov 22, 2018

The United Kingdom’s Information Commissioner’s Office (ICO) has found that the Washington Post online subscription alternatives are not in compliance with the EU’s General Data Protection Regulation (GDPR).

The online subscription alternatives are not subjected to GDPR, nevertheless, ICO might issue it with a reprimand. The Washington Post makes three separate subscription stages available, however, only the highest level lets users the alternatives of turning off tracking cookies. Tying this “approval” to access has elevated the eyebrows of secrecy activists earlier, who have asked whether this meets the requirements for approval set out in EU data safety rules. According to GDPR rule, Washington Post must have proposed subscribers a free substitute to accepting cookies.

The ICO case manager studying the case said: “I am of the opinion that the Washington Post has not complied with their Data Protection responsibilities. This is because they have not provided users a real choice and control over how their data is used. We have written to the Washington Post concerning their information privileges practices. We have stated them they must now make sure that users of the Washington Post website have the choice to access all stages of subscription without having to accept cookies. We expect that the Washington Post will pay attention to our advice, but if they select not to, there is nothing more we can do in relation to this subject.”

This case underlines the importance that ICO is placing on making certain that US-based are complaint with GDPR in relation to EU subscribers. If businesses are found to be in breach of the GDPR law then they are subject to financial penalties of up to a maximum of €20m or 4% of yearly international income, whichever figure is higher.

As there is some degree of doubt in relation to GDPR’s extraterritorial applicability and how it can be enforced on non-EU based companies, the European Data Protection Board is due to make public supervision around on the GDPR’s extraterritorial applicability soon.

Pat Walshe, Managing Director of Secrecy Matters and privacy advocate, remarking on the problem said that he thought that managing the situation might be beyond the scope of the GDPR law. He said in relation to the problem: “I would respectfully advise the ICO doesn’t have the resource nor the feeling to follow cross-border action. Particularly when it diverted 70 staff to work on the Facebook/Cambridge Analytica inquiry. It appears to be struggling to deal with grievances raised regarding UK based data managers.”