Privacy & Information Security Law Blog

On November 19, 2018, The Register reported that the UK Information Commissioner’s Office (“ICO”) issued a warning to the U.S.-based The Washington Post over its approach to obtaining consent for cookies to access the service.

The Washington Post presents readers with three options to access its service: (1) free access to a limited number of articles dependent on consent to the use of cookies and tracking for the delivery of personalized ads; (2) a basic subscription consisting of paid access to an unlimited number of articles that is also dependent on consent to the use of cookies and tracking; or (3) a premium subscription consisting of paid access to an unlimited number of articles with no on-site advertising or third party ad tracking for a higher fee.

Responding to a complaint submitted by a reader of The Register, the ICO concluded that since The Washington Post has not offered a free alternative to accepting cookies, consent cannot be freely given and the newspaper is in contravention of Article 7(4) of the EU General Data Protection Regulation (“GDPR”). Article 7(4) provides that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

The ICO has issued a written warning to The Washington Post to ensure access to all three subscription levels without users having to consent to the use of cookies. Although The Washington Post is a U.S.-based company, Article 3(2) of the GDPR provides that the regulation applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU where the processing activities are related to the offering of goods or services to those individuals inside the EU.

Despite issuing a warning, the ICO has noted that if the newspaper decides not to change its practices for obtaining consent for cookies, there is nothing else the regulator can do on the matter. Aside from issues around resources to pursue cross-border enforcement, there continues to be uncertainty around the GDPR’s extraterritorial applicability and its enforceability against non-EU based organizations.

As we previously reported, the FTC and ICO signed a Memorandum of Understanding (the “Memorandum”) in 2014 to facilitate mutual assistance and the exchange of information in investigating and enforcing covered privacy violations. However, the term “covered privacy violation” refers to practices that violate the applicable privacy laws of one participant country to the Memorandum and that are the same or substantially similar to practices prohibited by privacy laws in the other participant country. As U.S. privacy law does not address the issue of cookie consent, the issue is unlikely to fall under the scope of the Memorandum.

The European Data Protection Board is expected to release guidance around the GDPR’s extraterritorial applicability in the coming weeks.