The UK Information Commissioner’s Office (ICO) informed The Washington Post that its online subscription options do not comply with the GDPR, as reported by UK-based The Register on November 19, 2018.* According to The Register report, the ICO warned the US news publisher that its online subscription options fail to allow users to opt out of cookies and other trackers for free because the publisher only offers that option with its paid premium subscription. According to The Register, the ICO suggested the publisher should allow its website users to access all levels of subscription without having to accept cookies. Under the GDPR, consent to the processing of personal data (implicated by cookies and other trackers) must be freely given, and the GDPR limits the conditioning of that consent. The ICO appears to take the view that consent to cookies is not freely given under the GDPR when it is conditioned on payment.
Although The Washington Post is a US company, the GDPR applies to companies outside the EU. For example, the GDPR applies to a US company that offers goods or services to individuals inside the EU and processes personal data in connection with that offering (e.g., a US company provides a website or mobile app to individuals in the EU). That said, the applicability of the GDPR to companies outside the EU is still subject to further interpretation. Recently, on November 16, 2018, the European Data Protection Board (EDPB) released guidance on the GDPR’s extraterritorial applicability for public comment before the guidelines are finalized.
Further, the enforceability of the GDPR against companies outside of the EU is still murky at this time. Under the GDPR, the ICO can at least warn a US company against practices that violate the GDPR, but may not be able to do much more to enforce a mandate against a US company. According to The Register, the ICO itself suggests it cannot do much more.
Based on a prior Memorandum of Understanding (MOU) in place between the ICO and the US Federal Trade Commission (FTC), the FTC could intervene in this matter. However, US privacy law does not really contemplate consent for cookies. So the FTC’s motivation to deter a “covered privacy violation” under the MOU may be limited because, while the ICO asserts that this activity is in violation of the UK’s data protection laws, US laws do not prohibit substantially similar activities.
Where does this leave US companies? . . . a little bit in limbo. The ICO appears to be watching US company practices, and may seek to influence them. Its actual ability to do so, whether directly, or with FTC assistance, remains to be seen.
*The Register’s report is available at https://www.theregister.co.uk/2018/11/19/ico_washington_post/.