back to article Washington Post offers invalid cookie consent under EU rules – ICO

The Washington Post newspaper's online subscription options don't comply with European Union data protection rules – but the UK's privacy watchdog can only issue it with a firm telling off. The US newspaper offers three options to would-be readers, but only one of those – the most expensive one, costing $9 a month – allows you …

Page:

  1. alain williams Silver badge

    Other solution

    run an automatic cookie cleaner that wipes everything when you leave the Washington Post web site. That is the sort of thing that I do. If a site like WP makes it too onerous - I just go elsewhere, it is rare that they have anything unique.

    1. Cl9

      Re: Other solution

      Iirc, if you're using Firefox, it has a 'containers' feature which lets you isolate or group sites into different profiles.

    2. MacroRodent Silver badge
      Meh

      Re: Other solution

      it is rare that they have anything unique.

      Disagree here: The Washington Post, along with The New York Times, is one of the places, where most other news outlets copy their U.S-related news from. So you get it first by reading WP. As for cookies, that fight was lost long ago, and efforts to fight them have just caused each site to have the annoying cookie acceptance pop-up that most people click anyway without thinking. A total waste of time. GDPR did not change anything in practice.

      1. Fred Dibnah

        Re: Other solution

        In that case you could simply go to one of those other outlets which take WP copy, and read it there. No news is so important that a few minutes delay is going to make a difference.

    3. gnasher729 Silver badge

      Re: Other solution

      That's what you do. My wife doesn't know how to do this. And I know how to, but I shouldn't have to.

    4. chivo243 Silver badge
      Meh

      Re: Other solution

      @alain williams

      I've done the same in the past. Some sites I never visit anymore, either due to new privacy regs, adblock nag, or a horrible website refresh that makes your eyes water... I'm looking at you Wired...

    5. Tezfair
      FAIL

      Re: Other solution

      I tend to open these sites in a private window as the cookies will be removed when I exit.

      Washington Post isn't alone. i'm finding more and more websites now bring up a popup that forces accept our cookies or leave popups.

      1. Nattrash
        Pint

        Re: Other solution

        "Washington Post isn't alone"

        I agree. And contrary to the Washington Post, it also happens in some countries wide scale within the EU. Despite all those mentions of the "huge fines under GDPR".

        For example, try to access one of the major Dutch news outlets (e.g. classical newspapers Volkskrant, NRC, Algemeen Dagblad, Trouw, Parool, or regional ones like de Gelderlander), and you'll be confronted with a cookie wall immediately. It will offer users to choice to accept cookies, 3rd party sell off, and tracking, or to go and get your content elsewhere. Now, that doesn't sound very GDPR. Or impressed by GDPR enforcement and consequences. I'll bet a beer here that more than 90% of the major Dutch news outlets do this. So indeed, WP is certainly not unique, and a lot can be done in our own backyard.

    6. GnuTzu Bronze badge

      Re: Other solution -- Privacy Badger + Ghostery :)

      I like the way the EFF's Privacy Badger does this, and I use it in concert with Ghostery. They make a good team.

    7. Mage Silver badge

      Re: Other solution

      It goes into an endless loop if you block their cookies. That's just abusive. So I don't bother trying to read it.

      1. bombastic bob Silver badge
        Devil

        Re: Other solution

        "So I don't bother trying to read it."

        The BEST plan of all. It _IS_ the "Washington {BLEEP}" after all...

        /me points out that G. Gordon Liddy, on his radio show, had a segment called 'review and comment on the news', in which he'd read parts of specific articles and comment on them. The Washington Post, because of their Watergate reporting back in the day, was always referred to as the "Washington {Bleep}", usually with a censorship 'bleep' tone at the appropriate moment when he spoke it's name. Another local radio guy calls it the "Washington COMPost". In any case, I have a low opinion of their 'journalism' although, on occasion, they're like that proverbial broken clock that's right twice a day.

        Oh, and don't hold your breath for ANY GDPR support from any media outlets in the USA, unless they have something going on in EU or UK that can somehow take the heat for NOT supporting it. Most likely they'll thumb noses and continue to track you for ad purposes, as always.

  2. A Non e-mouse Silver badge

    All that the WP has to do is not offer the $6 subscription option to anyone in the EU.

    1. DavCrav Silver badge

      "All that the WP has to do is not offer the $6 subscription option to anyone in the EU."

      Or the free one. You cannot tie a service to tracking.

    2. codejunky Silver badge

      @ A Non e-mouse

      "All that the WP has to do is"

      Nothing. Nadda. Zip. Zilch. They are in the US and so this bollocks has limited effect of them. It is up to users if they want to use the site.

      1. Paul Kinsler

        Re: Nothing. Nadda. Zip. Zilch.

        Well, fine. But some newspapers and news sites quite successfully expand their readership by deliberately appealing to and attracting people from other countries.

        As I understand it, the WP is quite a respectable newspaper, and so could well be of interest to many people in the EU who might subscribe. So whilst the WP can indeed say "Bollocks to EU", might it not be more pragmatic for them to fix their site and so enhance their overseas presence and reputation (and thereby hopefully their revenue)?

        1. codejunky Silver badge

          Re: Nothing. Nadda. Zip. Zilch.

          @ Paul Kinsler

          "But some newspapers and news sites quite successfully expand their readership by deliberately appealing to and attracting people from other countries."

          Which is done by appealing to them. That does not require they follow every brain dead idea of every foreign countries government, but by actually providing what the people want.

          "As I understand it, the WP is quite a respectable newspaper, and so could well be of interest to many people in the EU who might subscribe."

          And those people will use it regardless of the governments crying. So no problem at the WP side. Just because a country (or in this case the EU) would like everyone to bend to their will doesnt mean providers outside that jurisdiction will.

          "So whilst the WP can indeed say "Bollocks to EU", might it not be more pragmatic for them to fix their site"

          You assume by that the site is broken. Which leads to a big problem because under China's laws a lot of the internet is 'broken' and so all should be fixed to praise the Communist party? Or do we say bollocks to that? Of course we do and so bollocks to the EU imposition, they have no right, no jurisdiction and the WP site is not broke unless WP feel the change is necessary.

          1. DavCrav Silver badge

            Re: Nothing. Nadda. Zip. Zilch.

            "Which is done by appealing to them. That does not require they follow every brain dead idea of every foreign countries government, but by actually providing what the people want."

            You mean the law? Yeah, it tends to mean that, actually.

            "You assume by that the site is broken. Which leads to a big problem because under China's laws a lot of the internet is 'broken' and so all should be fixed to praise the Communist party?"

            I bet you if you want to sell stuff to Chinese people, and even if you are just nearby, and the Chinese government tells you to change your website, you do it. For example, even places that don't sell in China changed the name of Taiwan.

            And this is about actual real stuff, not the Chinese being twats.

            1. codejunky Silver badge

              Re: Nothing. Nadda. Zip. Zilch.

              @ DavCrav

              "You mean the law? Yeah, it tends to mean that, actually."

              Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK.

              "I bet you if you want to sell stuff to Chinese people, and even if you are just nearby, and the Chinese government tells you to change your website, you do it"

              So when is the EU gonna start building its great firewall of the EU to keep those dissenting voices from being heard? But no as the article says- "but the UK's privacy watchdog can only issue it with a firm telling off.". Aww didums.

              In short WP have done nothing wrong because they are outside the jurisdictions where they would be doing something wrong. And so the people who read it can go on reading it without politics and government getting in the way.

              1. Dan 55 Silver badge

                Re: Nothing. Nadda. Zip. Zilch.

                Presumably, then, Apple should just offer one year warranty as they do in the US. Why bother following the law in countries they sell abroad to?

                1. codejunky Silver badge

                  Re: Nothing. Nadda. Zip. Zilch.

                  @ Dan 55

                  "Presumably, then, Apple should just offer one year warranty as they do in the US. Why bother following the law in countries they sell abroad to?"

                  So you are comparing a physical item being physically sold somewhere against people in the EU being the ones intentionally going to the US (internet) and buying within the US? This is the virtual/internet problem governments seem to struggle with too. Reality is reality, that is where the borders are and jurisdiction pretty much ends without cooperation between governments.

                  Of course the EU is welcome to copy the Chinese model of blocking anything they disagree with. Firewall themselves from the outside world and so on.

                  Just realised this also applies/agrees with John Brown (no body) about the physicality of territory. Even if I disagree this is WP's problem.

                  1. Dan 55 Silver badge

                    Re: Nothing. Nadda. Zip. Zilch.

                    If WaPo really don't want to offer a service to EU readers they can put up a "we're not serving the EU" page. However, they are.

                    I assume you also believe Facebook and Twitter and so on should not follow German hate speech rules for users in Germany either?

                    1. codejunky Silver badge

                      Re: Nothing. Nadda. Zip. Zilch.

                      @ Dan 55

                      "If WaPo really don't want to offer a service to EU readers they can put up a "we're not serving the EU" page. However, they are."

                      Why? WP puts up their content for people to access. They are happy for people to access wherever in the world. Some people in the EU might even go as far as VPN to access US services because of the anal retentive EU. People dont have to go to WP if they dont like it, instead this is a gov problem of not liking something people in another country do.

                      "I assume you also believe Facebook and Twitter and so on should not follow German hate speech rules for users in Germany either?"

                      Depends what physical assets they have there and if Germany would be cutting them off or even threatening jail if zuck came near the EU. Instead this is a regulator stomping its feet and making a little noise but nothing more.

                      1. Dan 55 Silver badge

                        Re: Nothing. Nadda. Zip. Zilch.

                        instead this is a gov problem of not liking something people in another country do.

                        Isn't everything?

                        In the age of the Internet, you must get over this physical presence thing. However WaPo does have a physical presence in London as shown above so by your own criteria should also follow the GDPR.

                        Facebook and Twitter do follow German hate speech laws by the way.

                        1. codejunky Silver badge

                          Re: Nothing. Nadda. Zip. Zilch.

                          @ Dan 55

                          "In the age of the Internet, you must get over this physical presence thing."

                          I agree but probably not as you are thinking. Just because the internet is present in every country shouldnt mean we follow every countries laws (otherwise there would be no internet) but instead that countries stop trying to impose territory restrictions outside their territory.

                          "However WaPo does have a physical presence in London as shown above so by your own criteria should also follow the GDPR."

                          However, the watchdog's hands are somewhat tied here since the Washington Post is a US-based organisation and is outside its jurisdiction. I (nor WP) need provide no more answer than no. Actually they could do less than that and file the complaint in their dustbin shaped 'in' tray. No matter how much you complain, moan or argue. You are welcome.

                          "Facebook and Twitter do follow German hate speech laws by the way."

                          I like how you say that as some form of revelation.

              2. John Brown (no body) Silver badge

                Re: Nothing. Nadda. Zip. Zilch.

                "Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK."

                The WP is trading in the EU. I refer you again to the US attitude to offshore gambling sites which are operating fully within the law of the host nation.

              3. Wapiya
                Black Helicopters

                Re: Nothing. Nadda. Zip. Zilch.

                @codejunky

                > Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK.

                I quite disagree. GDRP (Article 3) rules require anyone who uses data from anyone residing in the EU to abide by the rules.

                And if you think that is far reaching, the USA is far more intrusive. Their sanctions, compliance and so on rules apply to anyone being

                (a) an american citizen regardless of residence, even if he never touched american soil

                (b) anyone with a residence permit for the USA regardless of residence

                (c) anyone currently being in the USA

                I am still waiting for (d) anyone who is related or married to a,b or c .

                I worked as a freelancer for a EU bank and they started with not having american citizens as customers (IRS rules at that time) . After the law changed in the US they dropped that, because they had to implement everything even for EU customers with geo filters.

                Case study: An EU citizen on a short trip to the US uses his online banking to send some money to someone on the US sanction list. In the EU this might be allowed, but becaue he is currently in the US the money transfer will be blocked.

                If he uses his mobile while in the US for telephone banking, the geo filter would not kick in (EU mobile number), but he still would be in violation of US sanctions and could go to jail.

                1. codejunky Silver badge

                  Re: Nothing. Nadda. Zip. Zilch.

                  @ Wapiya

                  "I quite disagree. GDRP (Article 3) rules require anyone who uses data from anyone residing in the EU to abide by the rules."

                  In the UK superinjunctions can be used to hold back information. Which is then printed anyway in other countries who do not follow such law. A better example could be that China censors its media, so why are we not censoring to the same standard to appease them?

        2. bombastic bob Silver badge
          WTF?

          Re: Nothing. Nadda. Zip. Zilch.

          "WP is quite a respectable newspaper"

          You HAVE read the thing, or at least heard people quote articles from it, right?

          "WP is quite a respectable newspaper"

          I'll accept that at face value. It _IS_ printed on dead trees, made available online, and sold at news outlets of various kinds. What they print in it, however, isn't usually something I want to read.

          Does their web site even work if you have 'noscript' running? my guess is NO.

      2. John Brown (no body) Silver badge

        Re: @ A Non e-mouse

        "Nothing. Nadda. Zip. Zilch. They are in the US and so this bollocks has limited effect of them. It is up to users if they want to use the site."

        That's what people running gambling sites thought when they carried on accepting US gamblers. Until senior execs of the company happened to visit or pass through US territory. Theoretically, if the WP ignores this, any senior exec. passing through the EU could be subject to arrest.

  3. Mephistro Silver badge

    An obvious way to enforce GDPR for foreign websites that refuse to comply is blocking them at country level, or even blocking them in the whole EU.

    1. Mr F&*king Grumpy
      Facepalm

      Build a wall!

      "An obvious way to enforce GDPR for foreign websites that refuse to comply is blocking them at country level, or even blocking them in the whole EU."

      Yes, I'm sure China would be happy to provide consultancy on how to achieve that...

      1. disgustedoftunbridgewells Silver badge

        Re: Build a wall!

        No need to block it, but forcing Visa and Mastercard to refuse payments would work.

      2. Anonymous Coward
        Anonymous Coward

        Re: Build a wall!

        Unregulated foreign gambling sites are regularly blocked in the EU.

        Assets could also be seized if the entity has any UK/EU presence (WP does have a bureau in London).

        1. Alan Brown Silver badge

          Re: Build a wall!

          (WP does have a bureau in London).

          Exactly this. WP does business in the UK - and as such the ICO ruling can (MUST!) be challenged.

          They've been fucking up a number of decisions recently.

  4. Dwarf Silver badge

    Pass me my false teeth Ethel, I’m going to chew their ankles.

    Not much point in having legislation, if it can be ignored by those who find it inconvenient, having said that and given the regional nature of the world, the only other option is some form of inter-region content filtering, which would be a million times worse.

    Looks like the only realistic option is to affect their coverage by not visiting and getting the news some place else. Reducing eyeball counts won’t help their sales to advertisers, so it’s probsbly the only thing that will make any of them listen.

    1. Pascal Monett Silver badge

      Legislation always has a point - for those who are subject to it.

      Before the Internet, this kind of thing would not happen but now, legislation stops at the borders while access is world-wide.

      So you need to have agreements with the countries so that they implement something similar to your legislation - except it's another country, so it's their decision.

      That is what is making the current situation very complicated and frustrating. It remains to be seen how long this will remain acceptable to the public before a global push to stop tracking starts up.

      I'm guessing I won't see it in my lifetime.

      1. codejunky Silver badge

        @ Pascal Monett

        "It remains to be seen how long this will remain acceptable to the public before a global push to stop tracking starts up."

        While framing it as stopping tracking to stir up the public seems to be working so far, most people still want access to the things they use and that is more important to them than government control for our own good.

        It would be interesting to see the publics opinion on the EU's 'walls' from the outside.

        1. John Brown (no body) Silver badge

          Re: @ Pascal Monett

          "While framing it as stopping tracking to stir up the public seems to be working so far, most people still want access to the things they use and that is more important to them than government control for our own good."

          It's about personal privacy and control of snooping on ones data. The US citizenry seem to be very vocal when their government does it to them. Lots of calls for less interference from government. But it seems many are equally vocal about allowing commercial orgs to slurp up their same private data in the name of freedom from government interference. I'm seeing a smidge of a disconnect here.

    2. Voland's right hand Silver badge

      Not much point in having legislation, if it can be ignored by those who find it

      They can. Can their advertisers though?

      The ICO is just being its usual toothless self. Instead of waving its finger it should have gone after the advertising partners most of which HAVE EU PRESENCE and fined the living hell out of them.

  5. Steve K Silver badge

    They aren't the only US site doing this - e.g. the Verge only has an Accept button, not a reject.

    (Not that I read The Verge, erm... a friend told me)

    1. Voland's right hand Silver badge

      They aren't the only US site doing this

      It is doubly entertaining seeing this on sites which have a massive Eu exposure including local subsidiaries registered in a Eu country, contracts with Eu entities, etc - namely Accuweather.

      It is only a matter of time until they sit on a lit petard though it will probably be served not by the ICO. It is toothless and it takes an act of god for it to enforce the GDPR. We will have to wait for the other, proper authorities. Some of the regional German ones and the Austrian comes to mind here.

      1. John Brown (no body) Silver badge

        "We will have to wait for the other, proper authorities. Some of the regional German ones and the Austrian comes to mind here."

        Come next March, we'll only have the ICO to defend us :-(

  6. Lee D Silver badge

    1) Wouldn't use a news website that tried to force a subscription on me and/or limited my article views (completely counter-productive if you're then going to shove ads into those views... it's like clamping a car that's parked across your driveway... the person you hurt the most by doing so is yourself).

    2) Wouldn't use any international site that, even for a moment, wasn't up on GDPR - most of the US news sites basically just blocked EU access for the first few months, which isn't a solution. They've since caught-up for the most part, which I'm assuming was driven by seeing 50% of their traffic disappear overnight.

    3) If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU and need to offer EU-compliant services. Yes, it's complicated in the modern era, but that's how it works. If you are taking EU money, you need to abide by EU law and - also - pay EU tax.

    1. Def Silver badge

      If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU and need to offer EU-compliant services. Yes, it's complicated in the modern era, but that's how it works. If you are taking EU money, you need to abide by EU law and - also - pay EU tax.

      That's sort of true. A US corporation that has no physical presence in the EU wouldn't have to pay corporation tax in the EU. I don't know if that's the case for the WP, but regardless they do have to collect VAT from EU customers at the customer's local rate, and declare and pay that VAT either in each country individually, or collectively in a single EU country. Which isn't really a tax on the company, it's a tax on EU citizens.

      1. Steve Davies 3 Silver badge

        re: EU presence (or not)

        It is likely that the WP has a UK or at least an Eu bureau which if true, means it does have a presence in the area covered by the GDPR

        1. Def Silver badge

          Re: re: EU presence (or not)

          It is likely that the WP has a UK or at least an Eu bureau...

          I'd find that highly unlikely, actually. About as likely as the Daily Mail having an office in the US.

          And if they did, I'm sure the UK watchdog would have found them by now. Which would have made half of this story redundant. ;)

          1. Anonymous Coward
            Anonymous Coward

            Re: re: EU presence (or not)

            According to... themselves, they have a London bureau. It's headed by Bill Booth (who was previously kicked from WaPo for plagiarism). I can't find an address for it besides a virtual office in WC1N London..

            Edit: Found it on Companies House:

            https://beta.companieshouse.gov.uk/company/BR017676

            https://beta.companieshouse.gov.uk/company/FC032601

            https://beta.companieshouse.gov.uk/company/10402308

          2. DavCrav Silver badge

            Re: re: EU presence (or not)

            "I'd find that highly unlikely, actually. About as likely as the Daily Mail having an office in the US."

            It's exactly as likely. WaPo has a London office and DM has New York and LA offices. The NY one is

            Daily Mail 51 Astor Place 9th Floor New York, NY 10003.

    2. Joe Gurman

      Of course not

      Of course you wouldn't use a news site that actually made you pay for the contents published by its reporters, editors, web designers, &c., because their work is not worth a salary, as is whatever you do for a living.

      No reason to pay for commercial software, when one can pirate it. Likewise music, video, &c. There's so much free tuff out there, everything should be free. And no doubt produced by slave labor.

    3. Phil O'Sophical Silver badge

      If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU

      It's even more complicated than that. GDPR doesn't cover EU citizens, it covers people physically present in the EU. A US citizen who happens to be in the EU on business, and accesses one of those sites, is doing so under GDPR.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019