A European privacy regulator has spoken on a key facet of its interpretation of the General Data Protection Regulation (GDPR). The UK’s enforcement office apparently believes that an EU data subject cannot give consent to a company’s use of cookies if the company charges for the option of using its service without cookies or advertisements. So a standard US online business model for the past 20 years in the publishing industry will apparently hereafter be considered illegal in the UK.

The UK Information Commissioner’s Office (ICO) informed The Washington Post that its online subscription options do not comply with the GDPR, as reported by UK-based The Register on November 19, 2018.* According to The Register report, the ICO warned the US news publisher that its online subscription options fail to allow users to opt out of cookies and other trackers for free, because the publisher only offers that option with its paid premium subscription. According to The Register, the ICO suggested the publisher should allow its website users to access all levels of subscription without having to accept cookies. Under the GDPR, consent to the processing of personal data (implicated by cookies and other trackers) must be freely given, and the GDPR limits conditioning that consent. The ICO appears to take the view that consent to cookies that is conditioned on payment is not freely given consent under the GDPR.

Although The Washington Post is a US company, the GDPR applies to companies outside the EU. For example, the GDPR applies to a US company that offers goods or services to individuals inside the EU and processes personal data in connection with that offering (e.g., a US company provides a website or mobile app to individuals in the EU). That said, the applicability of the GDPR to companies outside the EU is still subject to further interpretation. Recently, on November 16, 2018, the European Data Protection Board (EDPB) released guidance on the GDPR’s extraterritorial applicability for public comment before the guidelines are finalized.

Further, the enforceability of the GDPR against companies outside of the EU is still murky at this time. Under the GDPR, the ICO can at least warn a US company against practices that violate the GDPR, but may not be able to do much more to enforce a mandate against a US company. According to The Register, the ICO itself suggests it cannot do much more.

Based on a prior Memorandum of Understanding (MOU) in place between the ICO and the US Federal Trade Commission (FTC), the FTC could intervene in this matter. However, US privacy law does not really contemplate consent for cookies. So the FTC’s motivation to deter a “covered privacy violation” under the MOU may be limited because, while the ICO asserts that this activity is in violation of the UK’s data protection laws, US laws do not prohibit substantially similar activities.

Contrast the warning against The Washington Post with the ICO’s enforcement action taken against Canadian company AggregateIQ Data Services Ltd (AggregateIQ). The ICO gave AggregateIQ 30 days to erase personal data of individuals in the UK or face fines. The 30-day time period will begin after the Canadian regulator (Office of the Information and Privacy Commissioner of British Columbia) completes its separate investigation of AggregateIQ’s privacy practices. While the ICO’s enforcement action in the AggregateIQ matter does not relate to data subject consent or the company’s use of cookies, it shows an example of the ICO taking stronger action under the GDPR against a company located outside the EU. To explain the difference, it is possible that Canada may be a more hospitable ground to enforce GDPR rules than the US. Alternatively, the actions of the Canadian company may have been closer to a violation of local law than those of The Washington Post, whose approach on cookies does not violate current US law.

Where does this leave US companies? . . . a little bit in limbo. The ICO appears to be watching US company practices, and may seek to influence them. Its actual ability to do so, whether directly, or with FTC assistance, remains to be seen.

*The Register’s report is available at https://www.theregister.co.uk/2018/11/19/ico_washington_post/.