back to article Washington Post offers invalid cookie consent under EU rules – ICO

The Washington Post newspaper's online subscription options don't comply with European Union data protection rules – but the UK's privacy watchdog can only issue it with a firm telling off. The US newspaper offers three options to would-be readers, but only one of those – the most expensive one, costing $9 a month – allows you …

Page:

  1. A Non e-mouse Silver badge

    A certain group of UK Newspapers all use the same content platform (How can you tell? All the websites look exactly the same)

    When you first visit the site, it invites you to accept their cookies or to manage them. If you select the manage option, you have to untick over 200 tick boxes to switch off all the tracking they've opted into. They deliberately do not have a "Select All" option, just to help persuade you to accept their tracking cookies.

    1. Dwarf Silver badge

      Contempt of their customers

      @A Non e-mouse

      There must be a little piece of browser code or a browser add-on that can do a group-un-tick client-side, to help those affected by stupid companies that just go out of their way to make things difficult for users - so that they get their way.

      Perhaps the legislation needs updating to add the wording in to ensure that "its simple and fast for the user configure their preferences".

      1. Kevin Johnston

        Re: Contempt of their customers

        You have to be careful with scripted options as I am sure there will be a few 'reversed' selections which will be ticked to say No Thanks. This has always been used by websites to increase their chances of you signing up for stuff and as long as they can show the wording was clear then the fact it was the third option and the first two acted the other way round they can get away with it.

    2. Lee D Silver badge

      Rule #1: You want to make my life difficult with fake options and deliberate obfuscation? Then I don't use your service.

      1. The Nazz Silver badge

        re Lee D's rule #1

        Not unlike a marriage that ends in divorce. Wonder if the other guy(s) is now finding it more difficult. :-)

      2. GatorMark

        That's your prerogative and they know that. I, on the other hand, don't expect to use a service like that for free or without ads. Websites need to make money to keep running.

    3. DropBear Silver badge
      Black Helicopters

      Being the optimistic sort of chap that I am, I can almost see the advent of "toggle every single checkbox you can find on this page" type add-ons, soon followed by plugins for GDPR pages randomly varying their checkbox descriptions as "check to enable / check to disable" randomly pre-ticking half of them simply on the premise that they might only get the "do track" half if you just accept but you have to manually check the meaning and state of each and every one of them to disable them all.

      Then AI-powered add-ons come along that try to figure out which of the checkboxes should be ticked / unticked based on their description wording, then plugins that render those descriptions as images in the worst possible dancing captcha font, and before you know it... wait... what's that noise outside...?

      1. Happy_Jack

        You can already "toggle every single checkbox you can find on this page" using Chris Pederick's Web Developer extension on Chrome, Firefox and Opera. Personally I don't care so much about tracking cookies; they are far less intrusive than those stupid cookie confirmation prompts.

    4. Huw D

      "(How can you tell? All the websites look exactly the same)"

      You know when something's been Mirrored...

    5. Anonymous Coward
      Anonymous Coward

      They almost always do have an 'unselect all'. However it is often not obvious. The certain group of newspapers, if you mean the trinity mirror group does have this option. Just untick the measurement option and all the others then untick.

    6. Cynical Shopper

      Any cookie management screeen that has opt-ins pre-ticked is not GDPR compliant.

    7. Alan Brown Silver badge

      "They deliberately do not have a "Select All" option, just to help persuade you to accept their tracking cookies."

      Point _that_ out to the ICO (Hint: It's not legal)

  2. This post has been deleted by a moderator

    1. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble? Silver badge

      Re: One down, 99999999999999999999 to go

      I don't remember EVER having seen a legal cookie "consent" dialog.

      That means you've never seen mine then. It has split the organisation 50 - 50 really. Half think it's a good thing to make cookie consent easy and simple, the other half are complaining like crazy that our traffic analytics currently report less than a quarter of the traffic it recorded this time last year.

      I enjoy my moral high ground.

      1. Alan Brown Silver badge

        Re: One down, 99999999999999999999 to go

        "the other half are complaining like crazy that our traffic analytics currently report less than a quarter of the traffic it recorded this time last year."

        And the ones who've read the report from Legal saying that you're not going to be prosecuted?

      2. John Brown (no body) Silver badge

        Re: One down, 99999999999999999999 to go

        "...the other half are complaining like crazy that our traffic analytics currently report less than a quarter of the traffic it recorded this time last year."

        Maybe your company should consider investing in something to locally analyse the web server logs like we used to do in the old fashioned steam powered days of the interwebs?

        "I enjoy my moral high ground."

        Good for you :-)

  3. Keith Oborn

    Ownership and extraterritoriality

    Amusing that the ICO is attempting to apply EU law extraterritorially, Shurely any fule no that only the US can apply its laws in other countries? Or so they always think--.

    Oh yes, who owns the Washington Post, and might have an interest in better tracking of users? And who also makes a shedload of money from Europe?

  4. Crisp Silver badge

    At least things are getting easier in this digital age...

    Remember the days where you had to walk all the way down to the newsagents to pick up the paper and have your tracking chip implanted? Now you can do it all online!

  5. Anonymous Coward
    Anonymous Coward

    Incognito window or new private window, that's why it's there.

    1. Lee D Silver badge

      And it's basically useless as even without cookies they can track enough to link all your information together.

      As I tell the kids in my school, when they think that clearing browser history or using a incognito window will protect them from my wrath - all it does is keep the records off YOUR computer. Not anything further upstream.

      As Chrome itself says right on the Incognito window:

      ---

      "Now you can browse privately, and other people who use this device won’t see your activity. However, downloads and bookmarks will be saved. Learn more

      Chrome won’t save the following information:

      Your browsing history

      Cookies and site data

      Information entered in forms

      Your activity might still be visible to:

      ***Websites that you visit***

      ***Your employer or school***

      ***Your Internet service provider***"

      ---

      They can tie you into any of your other records without even needing anything more than a vague browser fingerprint, a webpixel image with a particular filename, or any one of myriad identifiers that you're giving out.

  6. heyrick Silver badge

    Another American country that doesn't give a damn...

    https://m.mcdonalds.fr/cookies

    You'll need to understand French to read it, but essentially "visiting our site sets cookies and third party stuff will do likewise". I would imagine the UK version would be similar.

    Firefox tells me it blocked AB Tasty, Commander (something), Doubleclick (twice), Google Analytics, and Weborama.

    Informed consent my ass...

  7. Anonymous Coward
    Anonymous Coward

    the watchdog's hands are somewhat tied here

    Oh, and I thought it is so easy, just order ISPs to block access to them bloody pirates, job done ;)

  8. DrXym Silver badge

    At least you can visit the site

    Annoying interstitial or not, it's more than can be said for a LOT of websites in the US. In particular none of the Fox websites work, nor many newspaper websites.

    I really don't see what the problem is with simply treating EU visitors like US ones. They're not under the jurisdiction of the EU legislation so what is the problem?

    1. DavCrav Silver badge

      Re: At least you can visit the site

      "They're not under the jurisdiction of the EU legislation so what is the problem?"

      Most companies don't like judgments against them and large fines, even if it's not immediately collectible. You have to decide never again to go anywhere near that jurisdiction, i.e., the whole EU, forever. WaPo is owned by Bezos, who also owns Amazon, so sufficiently many annoyed judges and politicians will lead to seizures of warehouses.

      1. DrXym Silver badge

        Re: At least you can visit the site

        Washington Post may be owned by Bezos but it does not follow that Amazon is going to be fined or punished for what is a US incorporated and independently operated entity. Something that it does within the jurisdiction of the United States. In fact if you read this article you would see that.

  9. Maelstorm Bronze badge
    Coat

    The EU vs US?

    The problem here is that you have an EU entity trying to enforce its laws on a US company. The quote "Given that US law doesn't really address consent for cookies and the FTC is kind of wishy washy on it, the MoU would be about as much use as a chocolate teapot in this case." pretty much sums it up in this case. A case could be made for reputation, but they have to pay the bills somehow. Besides, EU law does not apply inside the US just because the EU says so, especially if laws conflict. This was more or less resolved in previous cases (Yahoo!, France). The same thing applies the opposite way as well (Well, it should). Although nobody could blame you for thinking otherwise with recent developments like the CLOUD act here in the US where US Law Enforcement can force a company to turn over data which is stored on foreign soil (Microsoft, Ireland), which in my opinion, is a violation of the foreign nation's sovereignty. Time for me to grab my jacket and hit the door.

    One other thing... From a technical perspective, you *MUST* have cookies if you log into the site. As a developer, HTTP/HTTPS is a stateless protocol. So you have to have cookies to maintain user state on the server. So basically, if you don't agree to having cookies set on your browser, then you are not going to be logging into a website. That's the short and long of it from a technical aspect. PHP doesn't really give you any other option, unless you handle the session state yourself, but you will still need to have cookies to keep track of it.

    1. Alan Brown Silver badge

      Re: The EU vs US?

      "From a technical perspective, you *MUST* have cookies if you log into the site."

      Only for as long as the site login is maintained. My ones evaporate after 12 hours.

    2. John Brown (no body) Silver badge

      Re: The EU vs US?

      "One other thing... From a technical perspective, you *MUST* have cookies if you log into the site. As a developer, HTTP/HTTPS is a stateless protocol. So you have to have cookies to maintain user state on the server. "

      GDPR and the earlier cookie legislation both take into account essential and functional cookies which are required to make the site work. The ones excluded and which require consent are those which gather and store data that is NOT absolutely required to make it work, eg a site should work just fine without tracking cookies.

  10. Charles Smith

    Wouldn't read it anyway

    I've tried the Washington Post website. I was given a free subscription. I tried it out thinking it was a newspaper with researched and unbiased reporting. I soon discovered it was mostly highly biased political opinion articles. I wouldn't use it again even if they paid me. So their cookie privacy policy is irrelevent to me.

    1. DCFusor Silver badge

      Re: Wouldn't read it anyway

      Hey, no one who thinks believes Jeff Bezos bought the Post because he thought there would be a profitable resurgence in newspapers! Like him or not, he's not dumb.

      It's the political mouthpiece for a person and outfit well above any law they don't like. The purpose often being the prevention of laws they don't like in the first place. Lobbying has a huge profit margin.

      A few other huge companies also seem immune from things like paying taxes in the jurisdiction they make the money in. There's always some country that'll cave and who like sandwiches, thinking a little is better than none. Legislation doesn't seem to affect them much either.

      Could there be a common rea$on for that?

      Big $ pretty much always gets their way, almost like a JEDI...who know where they were going to put a new office from the get-go but found manipulating governments to get even more bennies a fun game anyway.

      Is Jeff is trying to get into the running with Larry Ellison for who can be most evil? With that much power, it's easy to be evil even by accident.

    2. John Brown (no body) Silver badge

      Re: Wouldn't read it anyway

      "I soon discovered it was mostly highly biased political opinion articles."

      That seems to be most news media these days, but the US are masters at it. The only way to try to get any sort of balanced approach is to get news from multiple sites and try to judge which way each site leans and filter it yourself by choosing site leaning in all directions. The problem nowadays though is that so many news sites are leaning to the extremes and it can be hard to find a balance when every view you find is so far out there.

  11. Uberior

    There's a lot of naughtiness out there.

    I have a Wileyfox phone that was sold at a discount due to the Ad-X option. The Ad-X software is run by an organisation outside the UK and is not on the regisrar of Data Controllers.

    A post-GDPR update initially required users to consent to the data collection before the adverts were displayed, obviously, I bypassed the consent each time as I was already fed up of seeing Deborah Meaden scowling at me whilst trying to sell me BitCoin investments. That worked for around a month until a futher update went through that forced consent and doesn't allow the withdrawal of consent.

    1. Alan Brown Silver badge

      "The Ad-X software is run by an organisation outside the UK and is not on the regisrar of Data Controllers."

      If they're targetting UK individuals, they need to be on the register. Tell the ICO.

      "That worked for around a month until a futher update went through that forced consent and doesn't allow the withdrawal of consent"

      Which is completely and utterly illegal under EU _AND_ USA laws.

  12. holmegm

    Wait, what?

    What, what?

    I thought the rest of the world was just going to *have* to tremble and comply with this legislation ... if they wanted to do any business with EU citizens.

    This terrifying consequence here is a tad underwhelming, given what I was lead to expect.

    1. Alan Brown Silver badge

      Re: Wait, what?

      "I thought the rest of the world was just going to *have* to tremble and comply with this legislation ... if they wanted to do any business with EU citizens."

      The problem here is that each EU country gets to choose its own level of enforcement.

      UK "authorities" love to play the game of "oh, it's out of the country, we wash our hands of it", even when you can prove the trail comes back into the country later on.

      _other_ EU authorities take a far different point of view on the matter and the UK is regarded as the dog in the manger about this issue.

      It's one of the reasons that a lot of EU states are saying "about bloody time, good riddance" regarding Brexit. The UK has been systematically sabotaging a huge number of law changes aimed at protecting individuals and consumer rights, along with deliberately nobbling its own enforcement agencies when laws are forced to be passed, in order to be "appearing" to be enforcing, but not actually doing anything.

  13. Alan Brown Silver badge

    Um... ICO copping out.

    If the boot was on the OTHER foot, American authorities would be using "Long Arm" statutes to come down hard on any UK outfit breaching USA laws (what do you think all those extradition demands were about when noone had set foot on US soil, for starters?)

    What this needs is someone to file a complaint with German privacy authorities as they take this shit seriously and don't pull "oh, it's all in another country so we can't do anything about it" bullshit, when the laws are clearly written so they DO have extraterritorial cover.

  14. hoss1

    Los Angeles Times has a great solution to GDPR. They just block all access to their website from Europe.

    If you browse to the LA times website from Europe you get this message (some 6 months after GDPR went into effect still):

    Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.

  15. ma1010 Silver badge
    Alert

    Well, how about litigation?

    Paging Max Schrems, or someone else who can and will file such a lawsuit. Since WP does business in the EU, they either need to comply with the law there or cease doing business there, as far as I understand the GDPR. And since they've been ignoring the GDPR and doing business in the EU, they are subject to some serious fines, right?

    A lawsuit of this sort would be, I think, a good thing, as the law needs to be tested in court and clarified as to how it will work in the real world.

  16. SImon Hobson Silver badge

    Personally I think the ICO is wrong here.

    As has already been pointed out, there are salaries and other costs to be paid if you want news*. So you either pay directly (eg by taking a subscription), or you pay indirectly (the paper gets paid by advertisers). If you refuse the tracking cookies then the advertisers won't pay as much - so the difference has to come from somewhere.

    At least they offer the choice - unlike the likes of FaecesBork who don't seem to have realised that GDPR (or indeed, any other law) actually exists.

    And of course, no-one has mentioned all those sites that say "you can turn off these other cookies by going to [long list of scum sites] and ask them to stop tracking you".

  17. 10forcash Bronze badge

    Simple fix

    Either the US media comply or prohibit by copyright terms of use 'Royal' photos, gossip & baby news from being published by non DPA(2018) compliant means.

    That should sort it!

    Personally, if I ever feel the urge to read anything published as 'news' from that side of the pond, I would probably look on the BBC website for it - can't say for sure as it's not an urge I've ever had, and at my age, I've had a few!

  18. GatorMark

    Companies need to make money

    These companies need to make money. They aren't paying writers with monopoly money. I don't see the problem.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019