
Daily Dashboard | ICO tells Washington Post it offers invalid cookie consent under GDPR



The U.K. Information Commissioner's Office has informed The Washington Post its online subscription options do not comply with the EU General Data Protection Regulation, The Register reports. The newspaper allows users to pay $9 a month to turn off trackers and cookies. Since there is no free alternative to accepting cookies, the ICO found "consent cannot be freely given and is invalid." As the newspaper is based in the U.S., the ICO can only issue a warning. "We have told them they should now ensure that users of The Washington Post website have the option to access all levels of subscription without having to accept cookies," the ICO said in a statement. "We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter."



  • Justin Snow • Nov 20, 2018
    Why doesn't the ICO have the ability to "order the controller (Washington Post) or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period" or exercise other powers from Article 58.2?  Why are they only able to "issue a warning" in this case?
  • Graeme Andrew • Nov 22, 2018
    Agreed, Justin - if the ICO has power to issue a 58.2.a warning surely they also have the power to issue a 58.2.i fine, were they to think the nature and gravity of the offence deserved it.
    Assuming the Post has no previous track record of transgressions I'd suggest a warning or guidance is appropriate at this stage.  However, the statement that 'there is nothing more we can do' is troubling, as it is a) hard to reconcile with the apparent regulatory scope for further action, b) sending out the message that the ICO and by extension the GDPR are toothless ex-EU - which they are not - and therefore c) suggesting other non-EU firms may ignore the regulation with impunity.
    If the UK's ICO does not have the resources for non-UK work can the matter be referred 'upstairs' to the EDPB?
  • Renzo Marchini • Nov 22, 2018
    The ICO (many years ago) cautioned against trying to have extraterritoriality in any new data protection law for just this sort of reason.  If a controller is actually, physically, out of the territory - the regulator can enforce all it likes but it doesn't mean that there is any prospect of actually collecting a fine (or enforcing an order) in a foreign court.
    That said: I. The Post will (I imagine) have an actual presence (an office or at least a correspondent!). II. The Post wouldn't want the publicity of actually ignoring a fine/order (but equally it wouldn't want the publicity of ignoring a "warning" either). 
    This story though is not reporting an actual decision but only a letter to the complainant (I think) and perhaps that doesn't go quite through the same scrutiny as a formal decision for legal precision.