Washington Post offers invalid cookie consent under EU rules – ICO

The Washington Post newspaper's online subscription options don't comply with European Union data protection rules – but the UK's privacy watchdog can only issue it with a firm telling off. The US newspaper offers three options to would-be readers, but only one of those – the most expensive one, costing $9 a month – allows you …

  1. alain williams Silver badge

    Other solution

    Run an automatic cookie cleaner that wipes everything when you leave the Washington Post web site. That is the sort of thing that I do. If a site like WP makes it too onerous - I just go elsewhere, it is rare that they have anything unique.

    1. Cl9

      Re: Other solution

      Iirc, if you're using Firefox, it has a 'containers' feature which lets you isolate or group sites into different profiles.

    2. MacroRodent Silver badge

      Re: Other solution

      "it is rare that they have anything unique."

      Disagree here: The Washington Post, along with The New York Times, is one of the places where most other news outlets copy their U.S.-related news from. So you get it first by reading WP. As for cookies, that fight was lost long ago, and efforts to fight them have just caused each site to have the annoying cookie acceptance pop-up that most people click anyway without thinking. A total waste of time. GDPR did not change anything in practice.

      1. Fred Dibnah

        Re: Other solution

        In that case you could simply go to one of those other outlets which take WP copy, and read it there. No news is so important that a few minutes delay is going to make a difference.

    3. gnasher729 Silver badge

      Re: Other solution

      That's what you do. My wife doesn't know how to do this. And I know how to, but I shouldn't have to.

    4. chivo243 Silver badge

      Re: Other solution

      @alain williams

      I've done the same in the past. Some sites I never visit anymore, either due to new privacy regs, adblock nag, or a horrible website refresh that makes your eyes water... I'm looking at you Wired...

    5. Tezfair

      Re: Other solution

      I tend to open these sites in a private window as the cookies will be removed when I exit.

      Washington Post isn't alone. I'm finding more and more websites now bring up a popup that forces accept our cookies or leave popups.

      1. Nattrash

        Re: Other solution

        "Washington Post isn't alone"

        I agree. And contrary to the Washington Post, it also happens in some countries wide scale within the EU. Despite all those mentions of the "huge fines under GDPR".

        For example, try to access one of the major Dutch news outlets (e.g. classical newspapers Volkskrant, NRC, Algemeen Dagblad, Trouw, Parool, or regional ones like de Gelderlander), and you'll be confronted with a cookie wall immediately. It will offer users the choice to accept cookies, 3rd party sell off, and tracking, or to go and get your content elsewhere. Now, that doesn't sound very GDPR. Or impressed by GDPR enforcement and consequences. I'll bet a beer here that more than 90% of the major Dutch news outlets do this. So indeed, WP is certainly not unique, and a lot can be done in our own backyard.

    6. GnuTzu Bronze badge

      Re: Other solution -- Privacy Badger + Ghostery :)

      I like the way the EFF's Privacy Badger does this, and I use it in concert with Ghostery. They make a good team.

    7. Mage Silver badge

      Re: Other solution

      It goes into an endless loop if you block their cookies. That's just abusive. So I don't bother trying to read it.

      1. bombastic bob Silver badge

        Re: Other solution

        "So I don't bother trying to read it."

        The BEST plan of all. It _IS_ the "Washington {BLEEP}" after all...

        /me points out that G. Gordon Liddy, on his radio show, had a segment called 'review and comment on the news', in which he'd read parts of specific articles and comment on them. The Washington Post, because of their Watergate reporting back in the day, was always referred to as the "Washington {Bleep}", usually with a censorship 'bleep' tone at the appropriate moment when he spoke its name. Another local radio guy calls it the "Washington COMPost". In any case, I have a low opinion of their 'journalism' although, on occasion, they're like that proverbial broken clock that's right twice a day.

        Oh, and don't hold your breath for ANY GDPR support from any media outlets in the USA, unless they have something going on in EU or UK that can somehow take the heat for NOT supporting it. Most likely they'll thumb noses and continue to track you for ad purposes, as always.

  2. A Non e-mouse Silver badge

    All that the WP has to do is not offer the $6 subscription option to anyone in the EU.

    1. DavCrav Silver badge

      "All that the WP has to do is not offer the $6 subscription option to anyone in the EU."

      Or the free one. You cannot tie a service to tracking.

    2. codejunky Silver badge

      @ A Non e-mouse

      "All that the WP has to do is"

      Nothing. Nadda. Zip. Zilch. They are in the US and so this bollocks has limited effect of them. It is up to users if they want to use the site.

      1. Paul Kinsler

        Re: Nothing. Nadda. Zip. Zilch.

        Well, fine. But some newspapers and news sites quite successfully expand their readership by deliberately appealing to and attracting people from other countries.

        As I understand it, the WP is quite a respectable newspaper, and so could well be of interest to many people in the EU who might subscribe. So whilst the WP can indeed say "Bollocks to EU", might it not be more pragmatic for them to fix their site and so enhance their overseas presence and reputation (and thereby hopefully their revenue)?

        1. codejunky Silver badge

          Re: Nothing. Nadda. Zip. Zilch.

          @ Paul Kinsler

          "But some newspapers and news sites quite successfully expand their readership by deliberately appealing to and attracting people from other countries."

          Which is done by appealing to them. That does not require they follow every brain dead idea of every foreign countries government, but by actually providing what the people want.

          "As I understand it, the WP is quite a respectable newspaper, and so could well be of interest to many people in the EU who might subscribe."

          And those people will use it regardless of the governments crying. So no problem at the WP side. Just because a country (or in this case the EU) would like everyone to bend to their will doesn't mean providers outside that jurisdiction will.

          "So whilst the WP can indeed say "Bollocks to EU", might it not be more pragmatic for them to fix their site"

          You assume by that the site is broken. Which leads to a big problem because under China's laws a lot of the internet is 'broken' and so all should be fixed to praise the Communist party? Or do we say bollocks to that? Of course we do and so bollocks to the EU imposition, they have no right, no jurisdiction and the WP site is not broke unless WP feel the change is necessary.

          1. DavCrav Silver badge

            Re: Nothing. Nadda. Zip. Zilch.

            "Which is done by appealing to them. That does not require they follow every brain dead idea of every foreign countries government, but by actually providing what the people want."

            You mean the law? Yeah, it tends to mean that, actually.

            "You assume by that the site is broken. Which leads to a big problem because under China's laws a lot of the internet is 'broken' and so all should be fixed to praise the Communist party?"

            I bet you if you want to sell stuff to Chinese people, and even if you are just nearby, and the Chinese government tells you to change your website, you do it. For example, even places that don't sell in China changed the name of Taiwan.

            And this is about actual real stuff, not the Chinese being twats.

            1. codejunky Silver badge

              Re: Nothing. Nadda. Zip. Zilch.

              @ DavCrav

              "You mean the law? Yeah, it tends to mean that, actually."

              Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK.

              "I bet you if you want to sell stuff to Chinese people, and even if you are just nearby, and the Chinese government tells you to change your website, you do it"

              So when is the EU gonna start building its great firewall of the EU to keep those dissenting voices from being heard? But no as the article says- "but the UK's privacy watchdog can only issue it with a firm telling off.". Aww didums.

              In short WP have done nothing wrong because they are outside the jurisdictions where they would be doing something wrong. And so the people who read it can go on reading it without politics and government getting in the way.

              1. Dan 55 Silver badge

                Re: Nothing. Nadda. Zip. Zilch.

                Presumably, then, Apple should just offer one year warranty as they do in the US. Why bother following the law in countries they sell abroad to?

                1. codejunky Silver badge

                  Re: Nothing. Nadda. Zip. Zilch.

                  @ Dan 55

                  "Presumably, then, Apple should just offer one year warranty as they do in the US. Why bother following the law in countries they sell abroad to?"

                  So you are comparing a physical item being physically sold somewhere against people in the EU being the ones intentionally going to the US (internet) and buying within the US? This is the virtual/internet problem governments seem to struggle with too. Reality is reality, that is where the borders are and jurisdiction pretty much ends without cooperation between governments.

                  Of course the EU is welcome to copy the Chinese model of blocking anything they disagree with. Firewall themselves from the outside world and so on.

                  Just realised this also applies/agrees with John Brown (no body) about the physicality of territory. Even if I disagree this is WP's problem.

                  1. Dan 55 Silver badge

                    Re: Nothing. Nadda. Zip. Zilch.

                    If WaPo really don't want to offer a service to EU readers they can put up a "we're not serving the EU" page. However, they are.

                    I assume you also believe Facebook and Twitter and so on should not follow German hate speech rules for users in Germany either?

                    1. codejunky Silver badge

                      Re: Nothing. Nadda. Zip. Zilch.

                      @ Dan 55

                      "If WaPo really don't want to offer a service to EU readers they can put up a "we're not serving the EU" page. However, they are."

                      Why? WP puts up their content for people to access. They are happy for people to access wherever in the world. Some people in the EU might even go as far as VPN to access US services because of the anal retentive EU. People don't have to go to WP if they don't like it, instead this is a gov problem of not liking something people in another country do.

                      "I assume you also believe Facebook and Twitter and so on should not follow German hate speech rules for users in Germany either?"

                      Depends what physical assets they have there and if Germany would be cutting them off or even threatening jail if zuck came near the EU. Instead this is a regulator stomping its feet and making a little noise but nothing more.

                      1. Dan 55 Silver badge

                        Re: Nothing. Nadda. Zip. Zilch.

                        "instead this is a gov problem of not liking something people in another country do."

                        Isn't everything?

                        In the age of the Internet, you must get over this physical presence thing. However WaPo does have a physical presence in London as shown above so by your own criteria should also follow the GDPR.

                        Facebook and Twitter do follow German hate speech laws by the way.

                        1. codejunky Silver badge

                          Re: Nothing. Nadda. Zip. Zilch.

                          @ Dan 55

                          "In the age of the Internet, you must get over this physical presence thing."

                          I agree but probably not as you are thinking. Just because the internet is present in every country shouldn't mean we follow every countries laws (otherwise there would be no internet) but instead that countries stop trying to impose territory restrictions outside their territory.

                          "However WaPo does have a physical presence in London as shown above so by your own criteria should also follow the GDPR."

                          However, the watchdog's hands are somewhat tied here since the Washington Post is a US-based organisation and is outside its jurisdiction. I (nor WP) need provide no more answer than no. Actually they could do less than that and file the complaint in their dustbin shaped 'in' tray. No matter how much you complain, moan or argue. You are welcome.

                          "Facebook and Twitter do follow German hate speech laws by the way."

                          I like how you say that as some form of revelation.

              2. John Brown (no body) Silver badge

                Re: Nothing. Nadda. Zip. Zilch.

                "Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK."

                The WP is trading in the EU. I refer you again to the US attitude to offshore gambling sites which are operating fully within the law of the host nation.

              3. Wapiya

                Re: Nothing. Nadda. Zip. Zilch.

                @codejunky

                > Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK.

                I quite disagree. GDPR (Article 3) rules require anyone who uses data from anyone residing in the EU to abide by the rules.

                And if you think that is far reaching, the USA is far more intrusive. Their sanctions, compliance and so on rules apply to anyone being

                (a) an American citizen regardless of residence, even if he never touched American soil

                (b) anyone with a residence permit for the USA regardless of residence

                (c) anyone currently being in the USA

                I am still waiting for (d) anyone who is related or married to a, b or c.

                I worked as a freelancer for an EU bank and they started with not having American citizens as customers (IRS rules at that time). After the law changed in the US they dropped that, because they had to implement everything even for EU customers with geo filters.

                Case study: An EU citizen on a short trip to the US uses his online banking to send some money to someone on the US sanction list. In the EU this might be allowed, but because he is currently in the US the money transfer will be blocked.

                If he uses his mobile while in the US for telephone banking, the geo filter would not kick in (EU mobile number), but he still would be in violation of US sanctions and could go to jail.

                1. codejunky Silver badge

                  Re: Nothing. Nadda. Zip. Zilch.

                  @ Wapiya

                  "I quite disagree. GDPR (Article 3) rules require anyone who uses data from anyone residing in the EU to abide by the rules."

                  In the UK superinjunctions can be used to hold back information. Which is then printed anyway in other countries who do not follow such law. A better example could be that China censors its media, so why are we not censoring to the same standard to appease them?

        2. bombastic bob Silver badge

          Re: Nothing. Nadda. Zip. Zilch.

          "WP is quite a respectable newspaper"

          You HAVE read the thing, or at least heard people quote articles from it, right?

          "WP is quite a respectable newspaper"

          I'll accept that at face value. It _IS_ printed on dead trees, made available online, and sold at news outlets of various kinds. What they print in it, however, isn't usually something I want to read.

          Does their web site even work if you have 'noscript' running? My guess is NO.

      2. John Brown (no body) Silver badge

        Re: @ A Non e-mouse

        "Nothing. Nadda. Zip. Zilch. They are in the US and so this bollocks has limited effect of them. It is up to users if they want to use the site."

        That's what people running gambling sites thought when they carried on accepting US gamblers. Until senior execs of the company happened to visit or pass through US territory. Theoretically, if the WP ignores this, any senior exec. passing through the EU could be subject to arrest.

  3. Mephistro Silver badge

    An obvious way to enforce GDPR for foreign websites that refuse to comply is blocking them at country level, or even blocking them in the whole EU.

    1. Mr F&*king Grumpy

      Build a wall!

      "An obvious way to enforce GDPR for foreign websites that refuse to comply is blocking them at country level, or even blocking them in the whole EU."

      Yes, I'm sure China would be happy to provide consultancy on how to achieve that...

      1. disgustedoftunbridgewells Silver badge

        Re: Build a wall!

        No need to block it, but forcing Visa and Mastercard to refuse payments would work.

      2. Anonymous Coward

        Re: Build a wall!

        Unregulated foreign gambling sites are regularly blocked in the EU.

        Assets could also be seized if the entity has any UK/EU presence (WP does have a bureau in London).

        1. Alan Brown Silver badge

          Re: Build a wall!

          "(WP does have a bureau in London)."

          Exactly this. WP does business in the UK - and as such the ICO ruling can (MUST!) be challenged.

          They've been fucking up a number of decisions recently.

  4. Dwarf Silver badge

    Pass me my false teeth Ethel, I’m going to chew their ankles.

    Not much point in having legislation, if it can be ignored by those who find it inconvenient, having said that and given the regional nature of the world, the only other option is some form of inter-region content filtering, which would be a million times worse.

    Looks like the only realistic option is to affect their coverage by not visiting and getting the news some place else. Reducing eyeball counts won’t help their sales to advertisers, so it’s probably the only thing that will make any of them listen.

    1. Pascal Monett Silver badge

      Legislation always has a point - for those who are subject to it.

      Before the Internet, this kind of thing would not happen but now, legislation stops at the borders while access is world-wide.

      So you need to have agreements with the countries so that they implement something similar to your legislation - except it's another country, so it's their decision.

      That is what is making the current situation very complicated and frustrating. It remains to be seen how long this will remain acceptable to the public before a global push to stop tracking starts up.

      I'm guessing I won't see it in my lifetime.

      1. codejunky Silver badge

        @ Pascal Monett

        "It remains to be seen how long this will remain acceptable to the public before a global push to stop tracking starts up."

        While framing it as stopping tracking to stir up the public seems to be working so far, most people still want access to the things they use and that is more important to them than government control for our own good.

        It would be interesting to see the public's opinion on the EU's 'walls' from the outside.

        1. John Brown (no body) Silver badge

          Re: @ Pascal Monett

          "While framing it as stopping tracking to stir up the public seems to be working so far, most people still want access to the things they use and that is more important to them than government control for our own good."

          It's about personal privacy and control of snooping on one's data. The US citizenry seem to be very vocal when their government does it to them. Lots of calls for less interference from government. But it seems many are equally vocal about allowing commercial orgs to slurp up their same private data in the name of freedom from government interference. I'm seeing a smidge of a disconnect here.

    2. Voland's right hand Silver badge

      Not much point in having legislation, if it can be ignored by those who find it

      They can. Can their advertisers though?

      The ICO is just being its usual toothless self. Instead of waving its finger it should have gone after the advertising partners most of which HAVE EU PRESENCE and fined the living hell out of them.

  5. Steve K Silver badge

    They aren't the only US site doing this - e.g. the Verge only has an Accept button, not a reject.

    (Not that I read The Verge, erm... a friend told me)

    1. Voland's right hand Silver badge

      They aren't the only US site doing this

      It is doubly entertaining seeing this on sites which have a massive Eu exposure including local subsidiaries registered in a Eu country, contracts with Eu entities, etc - namely Accuweather.

      It is only a matter of time until they sit on a lit petard though it will probably be served not by the ICO. It is toothless and it takes an act of god for it to enforce the GDPR. We will have to wait for the other, proper authorities. Some of the regional German ones and the Austrian comes to mind here.

      1. John Brown (no body) Silver badge

        "We will have to wait for the other, proper authorities. Some of the regional German ones and the Austrian comes to mind here."

        Come next March, we'll only have the ICO to defend us :-(

  6. Lee D Silver badge

    1) Wouldn't use a news website that tried to force a subscription on me and/or limited my article views (completely counter-productive if you're then going to shove ads into those views... it's like clamping a car that's parked across your driveway... the person you hurt the most by doing so is yourself).

    2) Wouldn't use any international site that, even for a moment, wasn't up on GDPR - most of the US news sites basically just blocked EU access for the first few months, which isn't a solution. They've since caught-up for the most part, which I'm assuming was driven by seeing 50% of their traffic disappear overnight.

    3) If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU and need to offer EU-compliant services. Yes, it's complicated in the modern era, but that's how it works. If you are taking EU money, you need to abide by EU law and - also - pay EU tax.

    1. Def Silver badge

      "If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU and need to offer EU-compliant services. Yes, it's complicated in the modern era, but that's how it works. If you are taking EU money, you need to abide by EU law and - also - pay EU tax."

      That's sort of true. A US corporation that has no physical presence in the EU wouldn't have to pay corporation tax in the EU. I don't know if that's the case for the WP, but regardless they do have to collect VAT from EU customers at the customer's local rate, and declare and pay that VAT either in each country individually, or collectively in a single EU country. Which isn't really a tax on the company, it's a tax on EU citizens.

      1. Steve Davies 3 Silver badge

        re: EU presence (or not)

        It is likely that the WP has a UK or at least an Eu bureau which if true, means it does have a presence in the area covered by the GDPR

        1. Def Silver badge

          Re: re: EU presence (or not)

          "It is likely that the WP has a UK or at least an Eu bureau..."

          I'd find that highly unlikely, actually. About as likely as the Daily Mail having an office in the US.

          And if they did, I'm sure the UK watchdog would have found them by now. Which would have made half of this story redundant. ;)

          1. Anonymous Coward

            Re: re: EU presence (or not)

            According to... themselves, they have a London bureau. It's headed by Bill Booth (who was previously kicked from WaPo for plagiarism). I can't find an address for it besides a virtual office in WC1N London.

            Edit: Found it on Companies House:

            https://beta.companieshouse.gov.uk/company/BR017676

            https://beta.companieshouse.gov.uk/company/FC032601

            https://beta.companieshouse.gov.uk/company/10402308

          2. DavCrav Silver badge

            Re: re: EU presence (or not)

            "I'd find that highly unlikely, actually. About as likely as the Daily Mail having an office in the US."

            It's exactly as likely. WaPo has a London office and DM has New York and LA offices. The NY one is

            Daily Mail 51 Astor Place 9th Floor New York, NY 10003.

    2. Joe Gurman

      Of course not

      Of course you wouldn't use a news site that actually made you pay for the contents published by its reporters, editors, web designers, &c., because their work is not worth a salary, as is whatever you do for a living.

      No reason to pay for commercial software, when one can pirate it. Likewise music, video, &c. There's so much free stuff out there, everything should be free. And no doubt produced by slave labor.

    3. Phil O'Sophical Silver badge

      "If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU"

      It's even more complicated than that. GDPR doesn't cover EU citizens, it covers people physically present in the EU. A US citizen who happens to be in the EU on business, and accesses one of those sites, is doing so under GDPR.

  7. A Non e-mouse Silver badge

    A certain group of UK Newspapers all use the same content platform (How can you tell? All the websites look exactly the same)

    When you first visit the site, it invites you to accept their cookies or to manage them. If you select the manage option, you have to untick over 200 tick boxes to switch off all the tracking they've opted into. They deliberately do not have a "Select All" option, just to help persuade you to accept their tracking cookies.

    1. Dwarf Silver badge

      Contempt of their customers

      @A Non e-mouse

      There must be a little piece of browser code or a browser add-on that can do a group-un-tick client-side, to help those affected by stupid companies that just go out of their way to make things difficult for users - so that they get their way.

      Perhaps the legislation needs updating to add the wording in to ensure that "it's simple and fast for the user to configure their preferences".

      1. Kevin Johnston

        Re: Contempt of their customers

        You have to be careful with scripted options as I am sure there will be a few 'reversed' selections which will be ticked to say No Thanks. This has always been used by websites to increase their chances of you signing up for stuff and as long as they can show the wording was clear then the fact it was the third option and the first two acted the other way round they can get away with it.

    2. Lee D Silver badge

      Rule #1: You want to make my life difficult with fake options and deliberate obfuscation? Then I don't use your service.

      1. The Nazz Silver badge

        re Lee D's rule #1

        Not unlike a marriage that ends in divorce. Wonder if the other guy(s) is now finding it more difficult. :-)

      2. GatorMark

        That's your prerogative and they know that. I, on the other hand, don't expect to use a service like that for free or without ads. Websites need to make money to keep running.

    3. DropBear Silver badge

      Being the optimistic sort of chap that I am, I can almost see the advent of "toggle every single checkbox you can find on this page" type add-ons, soon followed by plugins for GDPR pages randomly varying their checkbox descriptions as "check to enable / check to disable" randomly pre-ticking half of them simply on the premise that they might only get the "do track" half if you just accept but you have to manually check the meaning and state of each and every one of them to disable them all.

      Then AI-powered add-ons come along that try to figure out which of the checkboxes should be ticked / unticked based on their description wording, then plugins that render those descriptions as images in the worst possible dancing captcha font, and before you know it... wait... what's that noise outside...?

      1. Happy_Jack

        You can already "toggle every single checkbox you can find on this page" using Chris Pederick's Web Developer extension on Chrome, Firefox and Opera. Personally I don't care so much about tracking cookies; they are far less intrusive than those stupid cookie confirmation prompts.

    4. Huw D

      "(How can you tell? All the websites look exactly the same)"

      You know when something's been Mirrored...

    5. Anonymous Coward

      They almost always do have an 'unselect all'. However it is often not obvious. The certain group of newspapers, if you mean the Trinity Mirror group, does have this option. Just untick the measurement option and all the others then untick.

    6. Cynical Shopper

      Any cookie management screen that has opt-ins pre-ticked is not GDPR compliant.

    7. Alan Brown Silver badge

      "They deliberately do not have a "Select All" option, just to help persuade you to accept their tracking cookies."

      Point _that_ out to the ICO (Hint: It's not legal)

  8. This post has been deleted by a moderator

    1. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble? Silver badge

      Re: One down, 99999999999999999999 to go

      > I don't remember EVER having seen a legal cookie "consent" dialog.

      That means you've never seen mine then. It has split the organisation 50 - 50 really. Half think it's a good thing to make cookie consent easy and simple, the other half are complaining like crazy that our traffic analytics currently report less than a quarter of the traffic it recorded this time last year.

      I enjoy my moral high ground.

      1. Alan Brown Silver badge

        Re: One down, 99999999999999999999 to go

        "the other half are complaining like crazy that our traffic analytics currently report less than a quarter of the traffic it recorded this time last year."

        And the ones who've read the report from Legal saying that you're not going to be prosecuted?

      2. John Brown (no body) Silver badge

        Re: One down, 99999999999999999999 to go

        "...the other half are complaining like crazy that our traffic analytics currently report less than a quarter of the traffic it recorded this time last year."

        Maybe your company should consider investing in something to locally analyse the web server logs like we used to do in the old fashioned steam powered days of the interwebs?

        "I enjoy my moral high ground."

        Good for you :-)

  9. Keith Oborn

    Ownership and extraterritoriality

    Amusing that the ICO is attempting to apply EU law extraterritorially, Shurely any fule no that only the US can apply its laws in other countries? Or so they always think--.

    Oh yes, who owns the Washington Post, and might have an interest in better tracking of users? And who also makes a shedload of money from Europe?

  10. Crisp Silver badge

    At least things are getting easier in this digital age...

    Remember the days where you had to walk all the way down to the newsagents to pick up the paper and have your tracking chip implanted? Now you can do it all online!

  11. Anonymous Coward

    Incognito window or new private window, that's why it's there.

    1. Lee D Silver badge

      And it's basically useless as even without cookies they can track enough to link all your information together.

      As I tell the kids in my school, when they think that clearing browser history or using an incognito window will protect them from my wrath - all it does is keep the records off YOUR computer. Not anything further upstream.

      As Chrome itself says right on the Incognito window:

      ---

      "Now you can browse privately, and other people who use this device won’t see your activity. However, downloads and bookmarks will be saved. Learn more

      Chrome won’t save the following information:

      Your browsing history

      Cookies and site data

      Information entered in forms

      Your activity might still be visible to:

      ***Websites that you visit***

      ***Your employer or school***

      ***Your Internet service provider***"

      ---

      They can tie you into any of your other records without even needing anything more than a vague browser fingerprint, a webpixel image with a particular filename, or any one of myriad identifiers that you're giving out.

  12. heyrick Silver badge

    Another American country that doesn't give a damn...

    https://m.mcdonalds.fr/cookies

    You'll need to understand French to read it, but essentially "visiting our site sets cookies and third party stuff will do likewise". I would imagine the UK version would be similar.

    Firefox tells me it blocked AB Tasty, Commander (something), Doubleclick (twice), Google Analytics, and Weborama.

    Informed consent my ass...

  13. Anonymous Coward

    the watchdog's hands are somewhat tied here

    Oh, and I thought it is so easy, just order ISPs to block access to them bloody pirates, job done ;)

  14. DrXym Silver badge

    At least you can visit the site

    Annoying interstitial or not, it's more than can be said for a LOT of websites in the US. In particular none of the Fox websites work, nor many newspaper websites.

    I really don't see what the problem is with simply treating EU visitors like US ones. They're not under the jurisdiction of the EU legislation so what is the problem?

    1. DavCrav Silver badge

      Re: At least you can visit the site

      "They're not under the jurisdiction of the EU legislation so what is the problem?"

      Most companies don't like judgments against them and large fines, even if it's not immediately collectible. You have to decide never again to go anywhere near that jurisdiction, i.e., the whole EU, forever. WaPo is owned by Bezos, who also owns Amazon, so sufficiently many annoyed judges and politicians will lead to seizures of warehouses.

      1. DrXym Silver badge

        Re: At least you can visit the site

        Washington Post may be owned by Bezos but it does not follow that Amazon is going to be fined or punished for what is a US incorporated and independently operated entity. Something that it does within the jurisdiction of the United States. In fact if you read this article you would see that.

  15. Maelstorm Bronze badge
    Coat

    The EU vs US?

    The problem here is that you have an EU entity trying to enforce its laws on a US company. The quote "Given that US law doesn't really address consent for cookies and the FTC is kind of wishy washy on it, the MoU would be about as much use as a chocolate teapot in this case." pretty much sums it up in this case. A case could be made for reputation, but they have to pay the bills somehow. Besides, EU law does not apply inside the US just because the EU says so, especially if laws conflict. This was more or less resolved in previous cases (Yahoo!, France). The same thing applies the opposite way as well (Well, it should). Although nobody could blame you for thinking otherwise with recent developments like the CLOUD act here in the US where US Law Enforcement can force a company to turn over data which is stored on foreign soil (Microsoft, Ireland), which in my opinion, is a violation of the foreign nation's sovereignty. Time for me to grab my jacket and hit the door.

    One other thing... From a technical perspective, you *MUST* have cookies if you log into the site. As a developer, HTTP/HTTPS is a stateless protocol. So you have to have cookies to maintain user state on the server. So basically, if you don't agree to having cookies set on your browser, then you are not going to be logging into a website. That's the short and long of it from a technical aspect. PHP doesn't really give you any other option, unless you handle the session state yourself, but you will still need to have cookies to keep track of it.

    1. Alan Brown Silver badge

      Re: The EU vs US?

      "From a technical perspective, you *MUST* have cookies if you log into the site."

      Only for as long as the site login is maintained. My ones evaporate after 12 hours.

    2. John Brown (no body) Silver badge

      Re: The EU vs US?

      "One other thing... From a technical perspective, you *MUST* have cookies if you log into the site. As a developer, HTTP/HTTPS is a stateless protocol. So you have to have cookies to maintain user state on the server. "

      GDPR and the earlier cookie legislation both take into account essential and functional cookies which are required to make the site work. The ones excluded and which require consent are those which gather and store data that is NOT absolutely required to make it work, eg a site should work just fine without tracking cookies.
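The distinction drawn in the replies above, as an added example that is not part of any comment or of any site discussed: the login session cookie is set unconditionally with a 12-hour lifetime, while an analytics cookie is emitted only on explicit opt-in. The cookie names, the HMAC signing scheme and the `consent` dictionary are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SECRET = secrets.token_bytes(32)   # constructed signing key; load from config in practice
SESSION_TTL = 12 * 60 * 60         # 12-hour lifetime, the figure quoted in the thread


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user_id, now=None):
    """Signed token for the strictly necessary login cookie."""
    expires = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{user_id}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify_session(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        user_id, expires, sig = token.rsplit("|", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(f"{user_id}|{expires}").encode()):
        return None
    # expires is trusted only after the signature check above
    if int(expires) <= (time.time() if now is None else now):
        return None
    return user_id


def response_cookies(user_id, consent):
    """Set-Cookie values: session always, analytics only on explicit opt-in."""
    jar = SimpleCookie()
    jar["session"] = issue_session(user_id)
    jar["session"].update({"max-age": SESSION_TTL, "path": "/", "httponly": True,
                           "secure": True, "samesite": "Lax"})
    if consent.get("analytics") is True:   # absent or unticked means no cookie
        jar["analytics_id"] = secrets.token_hex(8)
        jar["analytics_id"].update({"max-age": SESSION_TTL, "path": "/",
                                    "secure": True, "samesite": "Lax"})
    return [morsel.OutputString() for morsel in jar.values()]
```

Because the expiry is inside the signed payload, the server rejects a stale token even if the browser ignores `Max-Age`.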

  16. Charles Smith

    Wouldn't read it anyway

    I've tried the Washington Post website. I was given a free subscription. I tried it out thinking it was a newspaper with researched and unbiased reporting. I soon discovered it was mostly highly biased political opinion articles. I wouldn't use it again even if they paid me. So their cookie privacy policy is irrelevant to me.

    1. DCFusor Silver badge

      Re: Wouldn't read it anyway

      Hey, no one who thinks believes Jeff Bezos bought the Post because he thought there would be a profitable resurgence in newspapers! Like him or not, he's not dumb.

      It's the political mouthpiece for a person and outfit well above any law they don't like. The purpose often being the prevention of laws they don't like in the first place. Lobbying has a huge profit margin.

      A few other huge companies also seem immune from things like paying taxes in the jurisdiction they make the money in. There's always some country that'll cave and who like sandwiches, thinking a little is better than none. Legislation doesn't seem to affect them much either.

      Could there be a common rea$on for that?

      Big $ pretty much always gets their way, almost like a JEDI...who know where they were going to put a new office from the get-go but found manipulating governments to get even more bennies a fun game anyway.

      Is Jeff trying to get into the running with Larry Ellison for who can be most evil? With that much power, it's easy to be evil even by accident.

    2. John Brown (no body) Silver badge

      Re: Wouldn't read it anyway

      "I soon discovered it was mostly highly biased political opinion articles."

      That seems to be most news media these days, but the US are masters at it. The only way to try to get any sort of balanced approach is to get news from multiple sites and try to judge which way each site leans and filter it yourself by choosing site leaning in all directions. The problem nowadays though is that so many news sites are leaning to the extremes and it can be hard to find a balance when every view you find is so far out there.

  17. Uberior

    There's a lot of naughtiness out there.

    I have a Wileyfox phone that was sold at a discount due to the Ad-X option. The Ad-X software is run by an organisation outside the UK and is not on the registrar of Data Controllers.

    A post-GDPR update initially required users to consent to the data collection before the adverts were displayed, obviously, I bypassed the consent each time as I was already fed up of seeing Deborah Meaden scowling at me whilst trying to sell me BitCoin investments. That worked for around a month until a further update went through that forced consent and doesn't allow the withdrawal of consent.

    1. Alan Brown Silver badge

      "The Ad-X software is run by an organisation outside the UK and is not on the registrar of Data Controllers."

      If they're targeting UK individuals, they need to be on the register. Tell the ICO.

      "That worked for around a month until a further update went through that forced consent and doesn't allow the withdrawal of consent"

      Which is completely and utterly illegal under EU _AND_ USA laws.

  18. holmegm

    Wait, what?

    What, what?

    I thought the rest of the world was just going to *have* to tremble and comply with this legislation ... if they wanted to do any business with EU citizens.

    This terrifying consequence here is a tad underwhelming, given what I was led to expect.

    1. Alan Brown Silver badge

      Re: Wait, what?

      "I thought the rest of the world was just going to *have* to tremble and comply with this legislation ... if they wanted to do any business with EU citizens."

      The problem here is that each EU country gets to choose its own level of enforcement.

      UK "authorities" love to play the game of "oh, it's out of the country, we wash our hands of it", even when you can prove the trail comes back into the country later on.

      _other_ EU authorities take a far different point of view on the matter and the UK is regarded as the dog in the manger about this issue.

      It's one of the reasons that a lot of EU states are saying "about bloody time, good riddance" regarding Brexit. The UK has been systematically sabotaging a huge number of law changes aimed at protecting individuals and consumer rights, along with deliberately nobbling its own enforcement agencies when laws are forced to be passed, in order to be "appearing" to be enforcing, but not actually doing anything.

  19. Alan Brown Silver badge

    Um... ICO copping out.

    If the boot was on the OTHER foot, American authorities would be using "Long Arm" statutes to come down hard on any UK outfit breaching USA laws (what do you think all those extradition demands were about when no one had set foot on US soil, for starters?)

    What this needs is someone to file a complaint with German privacy authorities as they take this shit seriously and don't pull "oh, it's all in another country so we can't do anything about it" bullshit, when the laws are clearly written so they DO have extraterritorial cover.

  20. hoss1

    Los Angeles Times has a great solution to GDPR. They just block all access to their website from Europe.

    If you browse to the LA times website from Europe you get this message (some 6 months after GDPR went into effect still):

    Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.

  21. ma1010 Silver badge
    Alert

    Well, how about litigation?

    Paging Max Schrems, or someone else who can and will file such a lawsuit. Since WP does business in the EU, they either need to comply with the law there or cease doing business there, as far as I understand the GDPR. And since they've been ignoring the GDPR and doing business in the EU, they are subject to some serious fines, right?

    A lawsuit of this sort would be, I think, a good thing, as the law needs to be tested in court and clarified as to how it will work in the real world.

  22. SImon Hobson Silver badge

    Personally I think the ICO is wrong here.

    As has already been pointed out, there are salaries and other costs to be paid if you want news*. So you either pay directly (eg by taking a subscription), or you pay indirectly (the paper gets paid by advertisers). If you refuse the tracking cookies then the advertisers won't pay as much - so the difference has to come from somewhere.

    At least they offer the choice - unlike the likes of FaecesBork who don't seem to have realised that GDPR (or indeed, any other law) actually exists.

    And of course, no-one has mentioned all those sites that say "you can turn off these other cookies by going to [long list of scum sites] and ask them to stop tracking you".

  23. 10forcash Bronze badge

    Simple fix

    Either the US media comply or prohibit by copyright terms of use 'Royal' photos, gossip & baby news from being published by non DPA(2018) compliant means.

    That should sort it!

    Personally, if I ever feel the urge to read anything published as 'news' from that side of the pond, I would probably look on the BBC website for it - can't say for sure as it's not an urge I've ever had, and at my age, I've had a few!

  24. GatorMark

    Companies need to make money

    These companies need to make money. They aren't paying writers with monopoly money. I don't see the problem.


Biting the hand that feeds IT © 1998–2019