Washington Post offers invalid cookie consent under EU rules – ICO The Washington Post newspaper's online subscription options don't comply with European Union data protection rules – but the UK's privacy watchdog can only issue it with a firm telling off. The US newspaper offers three options to would-be readers, but only one of those – the most expensive one, costing $9 a month – allows you …
it is rare that they have anything unique.
Disagree here: The Washington Post, along with The New York Times, is one of the places, where most other news outlets copy their U.S-related news from. So you get it first by reading WP. As for cookies, that fight was lost long ago, and efforts to fight them have just caused each site to have the annoying cookie acceptance pop-up that most people click anyway without thinking. A total waste of time. GDPR did not change anything in practice.
"Washington Post isn't alone"
I agree. And contrary to the Washington Post, it also happens in some countries wide scale within the EU. Despite all those mentions of the "huge fines under GDPR".
For example, try to access one of the major Dutch news outlets (e.g. classical newspapers Volkskrant, NRC, Algemeen Dagblad, Trouw, Parool, or regional ones like de Gelderlander), and you'll be confronted with a cookie wall immediately. It will offer users to choice to accept cookies, 3rd party sell off, and tracking, or to go and get your content elsewhere. Now, that doesn't sound very GDPR. Or impressed by GDPR enforcement and consequences. I'll bet a beer here that more than 90% of the major Dutch news outlets do this. So indeed, WP is certainly not unique, and a lot can be done in our own backyard.
"So I don't bother trying to read it."
The BEST plan of all. It _IS_ the "Washington {BLEEP}" after all...
/me points out that G. Gordon Liddy, on his radio show, had a segment called 'review and comment on the news', in which he'd read parts of specific articles and comment on them. The Washington Post, because of their Watergate reporting back in the day, was always referred to as the "Washington {Bleep}", usually with a censorship 'bleep' tone at the appropriate moment when he spoke it's name. Another local radio guy calls it the "Washington COMPost". In any case, I have a low opinion of their 'journalism' although, on occasion, they're like that proverbial broken clock that's right twice a day.
Oh, and don't hold your breath for ANY GDPR support from any media outlets in the USA, unless they have something going on in EU or UK that can somehow take the heat for NOT supporting it. Most likely they'll thumb noses and continue to track you for ad purposes, as always.
Well, fine. But some newspapers and news sites quite successfully expand their readership by deliberately appealing to and attracting people from other countries.
As I understand it, the WP is quite a respectable newspaper, and so could well be of interest to many people in the EU who might subscribe. So whilst the WP can indeed say "Bollocks to EU", might it not be more pragmatic for them to fix their site and so enhance their overseas presence and reputation (and thereby hopefully their revenue)?
@ Paul Kinsler
"But some newspapers and news sites quite successfully expand their readership by deliberately appealing to and attracting people from other countries."
Which is done by appealing to them. That does not require they follow every brain dead idea of every foreign countries government, but by actually providing what the people want.
"As I understand it, the WP is quite a respectable newspaper, and so could well be of interest to many people in the EU who might subscribe."
And those people will use it regardless of the governments crying. So no problem at the WP side. Just because a country (or in this case the EU) would like everyone to bend to their will doesnt mean providers outside that jurisdiction will.
"So whilst the WP can indeed say "Bollocks to EU", might it not be more pragmatic for them to fix their site"
You assume by that the site is broken. Which leads to a big problem because under China's laws a lot of the internet is 'broken' and so all should be fixed to praise the Communist party? Or do we say bollocks to that? Of course we do and so bollocks to the EU imposition, they have no right, no jurisdiction and the WP site is not broke unless WP feel the change is necessary.
"Which is done by appealing to them. That does not require they follow every brain dead idea of every foreign countries government, but by actually providing what the people want."
You mean the law? Yeah, it tends to mean that, actually.
"You assume by that the site is broken. Which leads to a big problem because under China's laws a lot of the internet is 'broken' and so all should be fixed to praise the Communist party?"
I bet you if you want to sell stuff to Chinese people, and even if you are just nearby, and the Chinese government tells you to change your website, you do it. For example, even places that don't sell in China changed the name of Taiwan.
And this is about actual real stuff, not the Chinese being twats.
@ DavCrav
"You mean the law? Yeah, it tends to mean that, actually."
Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK.
"I bet you if you want to sell stuff to Chinese people, and even if you are just nearby, and the Chinese government tells you to change your website, you do it"
So when is the EU gonna start building its great firewall of the EU to keep those dissenting voices from being heard? But no as the article says- "but the UK's privacy watchdog can only issue it with a firm telling off.". Aww didums.
In short WP have done nothing wrong because they are outside the jurisdictions where they would be doing something wrong. And so the people who read it can go on reading it without politics and government getting in the way.
@ Dan 55
"Presumably, then, Apple should just offer one year warranty as they do in the US. Why bother following the law in countries they sell abroad to?"
So you are comparing a physical item being physically sold somewhere against people in the EU being the ones intentionally going to the US (internet) and buying within the US? This is the virtual/internet problem governments seem to struggle with too. Reality is reality, that is where the borders are and jurisdiction pretty much ends without cooperation between governments.
Of course the EU is welcome to copy the Chinese model of blocking anything they disagree with. Firewall themselves from the outside world and so on.
Just realised this also applies/agrees with John Brown (no body) about the physicality of territory. Even if I disagree this is WP's problem.
@ Dan 55
"If WaPo really don't want to offer a service to EU readers they can put up a "we're not serving the EU" page. However, they are."
Why? WP puts up their content for people to access. They are happy for people to access wherever in the world. Some people in the EU might even go as far as VPN to access US services because of the anal retentive EU. People dont have to go to WP if they dont like it, instead this is a gov problem of not liking something people in another country do.
"I assume you also believe Facebook and Twitter and so on should not follow German hate speech rules for users in Germany either?"
Depends what physical assets they have there and if Germany would be cutting them off or even threatening jail if zuck came near the EU. Instead this is a regulator stomping its feet and making a little noise but nothing more.
instead this is a gov problem of not liking something people in another country do.
Isn't everything?
In the age of the Internet, you must get over this physical presence thing. However WaPo does have a physical presence in London as shown above so by your own criteria should also follow the GDPR.
Facebook and Twitter do follow German hate speech laws by the way.
@ Dan 55
"In the age of the Internet, you must get over this physical presence thing."
I agree but probably not as you are thinking. Just because the internet is present in every country shouldnt mean we follow every countries laws (otherwise there would be no internet) but instead that countries stop trying to impose territory restrictions outside their territory.
"However WaPo does have a physical presence in London as shown above so by your own criteria should also follow the GDPR."
However, the watchdog's hands are somewhat tied here since the Washington Post is a US-based organisation and is outside its jurisdiction. I (nor WP) need provide no more answer than no. Actually they could do less than that and file the complaint in their dustbin shaped 'in' tray. No matter how much you complain, moan or argue. You are welcome.
"Facebook and Twitter do follow German hate speech laws by the way."
I like how you say that as some form of revelation.
"Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK."
The WP is trading in the EU. I refer you again to the US attitude to offshore gambling sites which are operating fully within the law of the host nation.
@codejunky
> Ha what a pointless response. They are not breaking the law, that is why the UK/EU can do damp squib about it. Because WP is not breaking the law, WP is in the US not the EU nor UK.
I quite disagree. GDRP (Article 3) rules require anyone who uses data from anyone residing in the EU to abide by the rules.
And if you think that is far reaching, the USA is far more intrusive. Their sanctions, compliance and so on rules apply to anyone being
(a) an american citizen regardless of residence, even if he never touched american soil
(b) anyone with a residence permit for the USA regardless of residence
(c) anyone currently being in the USA
I am still waiting for (d) anyone who is related or married to a,b or c .
I worked as a freelancer for a EU bank and they started with not having american citizens as customers (IRS rules at that time) . After the law changed in the US they dropped that, because they had to implement everything even for EU customers with geo filters.
Case study: An EU citizen on a short trip to the US uses his online banking to send some money to someone on the US sanction list. In the EU this might be allowed, but becaue he is currently in the US the money transfer will be blocked.
If he uses his mobile while in the US for telephone banking, the geo filter would not kick in (EU mobile number), but he still would be in violation of US sanctions and could go to jail.
@ Wapiya
"I quite disagree. GDRP (Article 3) rules require anyone who uses data from anyone residing in the EU to abide by the rules."
In the UK superinjunctions can be used to hold back information. Which is then printed anyway in other countries who do not follow such law. A better example could be that China censors its media, so why are we not censoring to the same standard to appease them?
"WP is quite a respectable newspaper"
You HAVE read the thing, or at least heard people quote articles from it, right?
"WP is quite a respectable newspaper"
I'll accept that at face value. It _IS_ printed on dead trees, made available online, and sold at news outlets of various kinds. What they print in it, however, isn't usually something I want to read.
Does their web site even work if you have 'noscript' running? my guess is NO.
"Nothing. Nadda. Zip. Zilch. They are in the US and so this bollocks has limited effect of them. It is up to users if they want to use the site."
That's what people running gambling sites thought when they carried on accepting US gamblers. Until senior execs of the company happened to visit or pass through US territory. Theoretically, if the WP ignores this, any senior exec. passing through the EU could be subject to arrest.
Pass me my false teeth Ethel, I’m going to chew their ankles.
Not much point in having legislation, if it can be ignored by those who find it inconvenient, having said that and given the regional nature of the world, the only other option is some form of inter-region content filtering, which would be a million times worse.
Looks like the only realistic option is to affect their coverage by not visiting and getting the news some place else. Reducing eyeball counts won’t help their sales to advertisers, so it’s probsbly the only thing that will make any of them listen.
Legislation always has a point - for those who are subject to it.
Before the Internet, this kind of thing would not happen but now, legislation stops at the borders while access is world-wide.
So you need to have agreements with the countries so that they implement something similar to your legislation - except it's another country, so it's their decision.
That is what is making the current situation very complicated and frustrating. It remains to be seen how long this will remain acceptable to the public before a global push to stop tracking starts up.
I'm guessing I won't see it in my lifetime.
"It remains to be seen how long this will remain acceptable to the public before a global push to stop tracking starts up."
While framing it as stopping tracking to stir up the public seems to be working so far, most people still want access to the things they use and that is more important to them than government control for our own good.
It would be interesting to see the publics opinion on the EU's 'walls' from the outside.
"While framing it as stopping tracking to stir up the public seems to be working so far, most people still want access to the things they use and that is more important to them than government control for our own good."
It's about personal privacy and control of snooping on ones data. The US citizenry seem to be very vocal when their government does it to them. Lots of calls for less interference from government. But it seems many are equally vocal about allowing commercial orgs to slurp up their same private data in the name of freedom from government interference. I'm seeing a smidge of a disconnect here.
Not much point in having legislation, if it can be ignored by those who find it
They can. Can their advertisers though?
The ICO is just being its usual toothless self. Instead of waving its finger it should have gone after the advertising partners most of which HAVE EU PRESENCE and fined the living hell out of them.
They aren't the only US site doing this
It is doubly entertaining seeing this on sites which have a massive Eu exposure including local subsidiaries registered in a Eu country, contracts with Eu entities, etc - namely Accuweather.
It is only a matter of time until they sit on a lit petard though it will probably be served not by the ICO. It is toothless and it takes an act of god for it to enforce the GDPR. We will have to wait for the other, proper authorities. Some of the regional German ones and the Austrian comes to mind here.
1) Wouldn't use a news website that tried to force a subscription on me and/or limited my article views (completely counter-productive if you're then going to shove ads into those views... it's like clamping a car that's parked across your driveway... the person you hurt the most by doing so is yourself).
2) Wouldn't use any international site that, even for a moment, wasn't up on GDPR - most of the US news sites basically just blocked EU access for the first few months, which isn't a solution. They've since caught-up for the most part, which I'm assuming was driven by seeing 50% of their traffic disappear overnight.
3) If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU and need to offer EU-compliant services. Yes, it's complicated in the modern era, but that's how it works. If you are taking EU money, you need to abide by EU law and - also - pay EU tax.
If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU and need to offer EU-compliant services. Yes, it's complicated in the modern era, but that's how it works. If you are taking EU money, you need to abide by EU law and - also - pay EU tax.
That's sort of true. A US corporation that has no physical presence in the EU wouldn't have to pay corporation tax in the EU. I don't know if that's the case for the WP, but regardless they do have to collect VAT from EU customers at the customer's local rate, and declare and pay that VAT either in each country individually, or collectively in a single EU country. Which isn't really a tax on the company, it's a tax on EU citizens.
It is likely that the WP has a UK or at least an Eu bureau...
I'd find that highly unlikely, actually. About as likely as the Daily Mail having an office in the US.
And if they did, I'm sure the UK watchdog would have found them by now. Which would have made half of this story redundant. ;)
According to... themselves, they have a London bureau. It's headed by Bill Booth (who was previously kicked from WaPo for plagiarism). I can't find an address for it besides a virtual office in WC1N London..
Edit: Found it on Companies House:
https://beta.companieshouse.gov.uk/company/BR017676
https://beta.companieshouse.gov.uk/company/FC032601
https://beta.companieshouse.gov.uk/company/10402308
Of course you wouldn't use a news site that actually made you pay for the contents published by its reporters, editors, web designers, &c., because their work is not worth a salary, as is whatever you do for a living.
No reason to pay for commercial software, when one can pirate it. Likewise music, video, &c. There's so much free tuff out there, everything should be free. And no doubt produced by slave labor.
If they took money from a single EU citizen / EU-registered card to access their site - then they are trading in the EU
It's even more complicated than that. GDPR doesn't cover EU citizens, it covers people physically present in the EU. A US citizen who happens to be in the EU on business, and accesses one of those sites, is doing so under GDPR.
A certain group of UK Newspapers all use the same content platform (How can you tell? All the websites look exactly the same)
When you first visit the site, it invites you to accept their cookies or to manage them. If you select the manage option, you have to untick over 200 tick boxes to switch off all the tracking they've opted into. They deliberately do not have a "Select All" option, just to help persuade you to accept their tracking cookies.
@A Non e-mouse
There must be a little piece of browser code or a browser add-on that can do a group-un-tick client-side, to help those affected by stupid companies that just go out of their way to make things difficult for users - so that they get their way.
Perhaps the legislation needs updating to add the wording in to ensure that "its simple and fast for the user configure their preferences".
You have to be careful with scripted options as I am sure there will be a few 'reversed' selections which will be ticked to say No Thanks. This has always been used by websites to increase their chances of you signing up for stuff and as long as they can show the wording was clear then the fact it was the third option and the first two acted the other way round they can get away with it.
Being the optimistic sort of chap that I am, I can almost see the advent of "toggle every single checkbox you can find on this page" type add-ons, soon followed by plugins for GDPR pages randomly varying their checkbox descriptions as "check to enable / check to disable" randomly pre-ticking half of them simply on the premise that they might only get the "do track" half if you just accept but you have to manually check the meaning and state of each and every one of them to disable them all.
Then AI-powered add-ons come along that try to figure out which of the checkboxes should be ticked / unticked based on their description wording, then plugins that render those descriptions as images in the worst possible dancing captcha font, and before you know it... wait... what's that noise outside...?
Amusing that the ICO is attempting to apply EU law extraterritorially, Shurely any fule no that only the US can apply its laws in other countries? Or so they always think--.
Oh yes, who owns the Washington Post, and might have an interest in better tracking of users? And who also makes a shedload of money from Europe?
And it's basically useless as even without cookies they can track enough to link all your information together.
As I tell the kids in my school, when they think that clearing browser history or using a incognito window will protect them from my wrath - all it does is keep the records off YOUR computer. Not anything further upstream.
As Chrome itself says right on the Incognito window:
---
"Now you can browse privately, and other people who use this device won’t see your activity. However, downloads and bookmarks will be saved. Learn more
Chrome won’t save the following information:
Your browsing history
Cookies and site data
Information entered in forms
Your activity might still be visible to:
***Websites that you visit***
***Your employer or school***
***Your Internet service provider***"
---
They can tie you into any of your other records without even needing anything more than a vague browser fingerprint, a webpixel image with a particular filename, or any one of myriad identifiers that you're giving out.
https://m.mcdonalds.fr/cookies
You'll need to understand French to read it, but essentially "visiting our site sets cookies and third party stuff will do likewise". I would imagine the UK version would be similar.
Firefox tells me it blocked AB Tasty, Commander (something), Doubleclick (twice), Google Analytics, and Weborama.
Informed consent my ass...
Annoying interstitial or not, it's more than can be said for a LOT of websites in the US. In particular none of the Fox websites work, nor many newspaper websites.
I really don't see what the problem is with simply treating EU visitors like US ones. They're not under the jurisdiction of the EU legislation so what is the problem?
"They're not under the jurisdiction of the EU legislation so what is the problem?"
Most companies don't like judgments against them and large fines, even if it's not immediately collectible. You have to decide never again to go anywhere near that jurisdiction, i.e., the whole EU, forever. WaPo is owned by Bezos, who also owns Amazon, so sufficiently many annoyed judges and politicians will lead to seizures of warehouses.
Washington Post may be owned by Bezos but it does not follow that Amazon is going to be fined or punished for what is a US incorporated and independently operated entity. Something that it does within the jurisdiction of the United States. In fact if you read this article you would see that.
The problem here is that you have an EU entity trying to enforce its laws on a US company. The quote "Given that US law doesn't really address consent for cookies and the FTC is kind of wishy washy on it, the MoU would be about as much use as a chocolate teapot in this case." pretty much sums it up in this case. A case could be made for reputation, but they have to pay the bills somehow. Besides, EU law does not apply inside the US just because the EU says so, especially if laws conflict. This was more or less resolved in previous cases (Yahoo!, France). The same thing applies the opposite way as well (Well, it should). Although nobody could blame you for thinking otherwise with recent developments like the CLOUD act here in the US where US Law Enforcement can force a company to turn over data which is stored on foreign soil (Microsoft, Ireland), which in my opinion, is a violation of the foreign nation's sovereignty. Time for me to grab my jacket and hit the door.
One other thing... From a technical perspective, you *MUST* have cookies if you log into the site. As a developer, HTTP/HTTPS is a stateless protocol. So you have to have cookies to maintain user state on the server. So basically, if you don't agree to having cookies set on your browser, then you are not going to be logging into a website. That's the short and long of it from a technical aspect. PHP doesn't really give you any other option, unless you handle the session state yourself, but you will still need to have cookies to keep track of it.
"One other thing... From a technical perspective, you *MUST* have cookies if you log into the site. As a developer, HTTP/HTTPS is a stateless protocol. So you have to have cookies to maintain user state on the server. "
GDPR and the earlier cookie legislation both take into account essential and functional cookies which are required to make the site work. The ones excluded and which require consent are those which gather and store data that is NOT absolutely required to make it work, eg a site should work just fine without tracking cookies.
I've tried the Washington Post website. I was given a free subscription. I tried it out thinking it was a newspaper with researched and unbiased reporting. I soon discovered it was mostly highly biased political opinion articles. I wouldn't use it again even if they paid me. So their cookie privacy policy is irrelevent to me.
Hey, no one who thinks believes Jeff Bezos bought the Post because he thought there would be a profitable resurgence in newspapers! Like him or not, he's not dumb.
It's the political mouthpiece for a person and outfit well above any law they don't like. The purpose often being the prevention of laws they don't like in the first place. Lobbying has a huge profit margin.
A few other huge companies also seem immune from things like paying taxes in the jurisdiction they make the money in. There's always some country that'll cave and who like sandwiches, thinking a little is better than none. Legislation doesn't seem to affect them much either.
Could there be a common rea$on for that?
Big $ pretty much always gets their way, almost like a JEDI...who know where they were going to put a new office from the get-go but found manipulating governments to get even more bennies a fun game anyway.
Is Jeff is trying to get into the running with Larry Ellison for who can be most evil? With that much power, it's easy to be evil even by accident.
"I soon discovered it was mostly highly biased political opinion articles."
That seems to be most news media these days, but the US are masters at it. The only way to try to get any sort of balanced approach is to get news from multiple sites and try to judge which way each site leans and filter it yourself by choosing site leaning in all directions. The problem nowadays though is that so many news sites are leaning to the extremes and it can be hard to find a balance when every view you find is so far out there.
There's a lot of naughtiness out there.
I have a Wileyfox phone that was sold at a discount due to the Ad-X option. The Ad-X software is run by an organisation outside the UK and is not on the regisrar of Data Controllers.
A post-GDPR update initially required users to consent to the data collection before the adverts were displayed, obviously, I bypassed the consent each time as I was already fed up of seeing Deborah Meaden scowling at me whilst trying to sell me BitCoin investments. That worked for around a month until a futher update went through that forced consent and doesn't allow the withdrawal of consent.
"The Ad-X software is run by an organisation outside the UK and is not on the regisrar of Data Controllers."
If they're targetting UK individuals, they need to be on the register. Tell the ICO.
"That worked for around a month until a futher update went through that forced consent and doesn't allow the withdrawal of consent"
Which is completely and utterly illegal under EU _AND_ USA laws.
"I thought the rest of the world was just going to *have* to tremble and comply with this legislation ... if they wanted to do any business with EU citizens."
The problem here is that each EU country gets to choose its own level of enforcement.
UK "authorities" love to play the game of "oh, it's out of the country, we wash our hands of it", even when you can prove the trail comes back into the country later on.
_other_ EU authorities take a far different point of view on the matter and the UK is regarded as the dog in the manger about this issue.
It's one of the reasons that a lot of EU states are saying "about bloody time, good riddance" regarding Brexit. The UK has been systematically sabotaging a huge number of law changes aimed at protecting individuals and consumer rights, along with deliberately nobbling its own enforcement agencies when laws are forced to be passed, in order to be "appearing" to be enforcing, but not actually doing anything.
If the boot was on the OTHER foot, American authorities would be using "Long Arm" statutes to come down hard on any UK outfit breaching USA laws (what do you think all those extradition demands were about when noone had set foot on US soil, for starters?)
What this needs is someone to file a complaint with German privacy authorities as they take this shit seriously and don't pull "oh, it's all in another country so we can't do anything about it" bullshit, when the laws are clearly written so they DO have extraterritorial cover.
Los Angeles Times has a great solution to GDPR. They just block all access to their website from Europe.
If you browse to the LA times website from Europe you get this message (some 6 months after GDPR went into effect still):
Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.
Paging Max Schrems, or someone else who can and will file such a lawsuit. Since WP does business in the EU, they either need to comply with the law there or cease doing business there, as far as I understand the GDPR. And since they've been ignoring the GDPR and doing business in the EU, they are subject to some serious fines, right?
A lawsuit of this sort would be, I think, a good thing, as the law needs to be tested in court and clarified as to how it will work in the real world.
Personally I think the ICO is wrong here.
As has already been pointed out, there are salaries and other costs to be paid if you want news*. So you either pay directly (eg by taking a subscription), or you pay indirectly (the paper gets paid by advertisers). If you refuse the tracking cookies then the advertisers won't pay as much - so the difference has to come from somewhere.
At least they offer the choice - unlike the likes of FaecesBork who don't seem to have realised that GDPR (or indeed, any other law) actually exists.
And of course, no-one has mentioned all those sites that say "you can turn off these other cookies by going to [long list of scum sites] and ask them to stop tracking you".
Either the US media comply or prohibit by copyright terms of use 'Royal' photos, gossip & baby news from being published by non DPA(2018) compliant means.
That should sort it!
Personally, if I ever feel the urge to read anything published as 'news' from that side of the pond, I would probably look on the BBC website for it - can't say for sure as it's not an urge I've ever had, and at my age, I've had a few!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
