The Washington Post newspaper's online subscription options don't comply with European Union data protection rules – but the UK's privacy watchdog can only issue it with a firm telling off.
The US newspaper offers three options to would-be readers, but only one of those – the most expensive one, costing $9 a month – allows you to switch off tracking and cookies.
The Washington Post's subscription options
Tying this "consent" to access has raised the eyebrows of privacy activists before, who questioned whether this meets the requirements for consent set out in EU data protection laws.
Acting on a complaint from a Reg reader, the Information Commissioner's Office looked into the Post's policies and decided they were indeed in breach of the rules.
"I am of the view that the Washington Post has not complied with their Data Protection obligations," said the case manager in a response seen by El Reg . "This is because they have not given users a genuine choice and control over how their data is used."
Article 7 (4) of the EU's General Data Protection Regulation states: "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
Since the WaPo hasn't offered a free alternative to accepting cookies, the ICO said, "consent cannot be freely given and is invalid".
However, the watchdog's hands are somewhat tied here since the Washington Post is a US-based organisation and is outside its jurisdiction.
GDPR forgive us, it's been one month since you were enforced…
"We have written to the Washington Post about their information rights practices," the ICO said.
"We have told them they should now ensure that users of the Washington Post website have the option to access all levels of subscription without having to accept cookies.
"We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter."
Commenting on the decision, Jon Baines, a data protection advisor at law firm Mischon de Reya, said it appears the ICO is "attempting to exercise GDPR's extra-territorial scope against an entity 'offering goods and services to those in the EU’."
But, he added: "As the ICO said, there are likely to be limits to its ability (and willingness) to take enforcement action outside the jurisdiction, so I'd be surprised if this went any further."
Data protection expert Pat Walshe agreed, pointing out that the ICO might be better served focusing on issues closer to home.
"I would respectfully suggest the ICO does not have the resource nor the inclination to pursue cross-border action," he said. "Especially when it diverted 70 staff to work on the Facebook/Cambridge Analytica investigation. It seems to be struggling to cope with complaints raised about UK based data controllers."
Beyond the ICO's resourcing problems, Walshe noted wider difficulties in cross-border enforcement, which comes with "high expectations, but low effectiveness".
For instance, back in 2014, the ICO signed a memorandum of understanding with the Federal Trade Commission that promises mutual assistance in "investigating, enforcing and/or securing compliance with Covered Privacy Violations".
However, Walshe said that a covered privacy violation means practices that would violate the relevant laws in one country and are substantially similar to prohibited practices in the other. "Given that US law doesn't really address consent for cookies and the FTC is kind of wishy washy on it, the MoU would be about as much use as a chocolate teapot in this case."
In light of the "realities of poor enforcement within and across the UK borders", Walshe advised people to block third-party cookies by default and use tools to block online tracking.
The Reg has asked the ICO how many similar complaints and cases it has looked into, and has contacted the Washington Post. ®