October 16, 2021

Volume XI, Number 289

ICO Warns Prominent US Company to Change Business Model: Paid Subscription Versus FREE with Ads

A European privacy regulator has spoken on a key facet in its General Data Protection Regulation (GDPR) interpretation. The UK’s enforcement office apparently believes that an EU data subject cannot give consent to a company’s use of cookies if the company charges for the option of using its service without cookies or advertisements. So a standard US online business model for the past 20 years in the publishing industry will apparently hereafter be considered illegal in the UK.

The UK Information Commissioner’s Office (ICO) informed The Washington Post that its online subscription options do not comply with the GDPR, as reported by UK-based The Register on November 19, 2018.* According to The Register report, the ICO warned the US news publisher that its online subscription options fail to allow users to opt out of cookies and other trackers for free because the publisher only offers that option with its paid premium subscription. According to The Register, the ICO suggested the publisher should allow its website users to access all levels of subscription without having to accept cookies. The GDPR limits the conditioning of consent to the processing of personal data (which cookies and other trackers implicate), and such consent must be freely given. The ICO appears to take the view that consent to cookies conditioned on payment is not freely given consent under the GDPR.

Although The Washington Post is a US company, the GDPR applies to companies outside the EU. For example, the GDPR applies to a US company that offers goods or services to individuals inside the EU and processes personal data in connection with that offering (e.g., a US company provides a website or mobile app to individuals in the EU). That said, the applicability of the GDPR to companies outside the EU is still subject to further interpretation. Recently, on November 16, 2018, the European Data Protection Board (EDPB) released guidance on the GDPR’s extraterritorial applicability for public comment before the guidelines are finalized.

Further, the enforceability of the GDPR against companies outside of the EU is still murky at this time. Under the GDPR, the ICO can at least warn a US company against practices that violate the GDPR, but may not be able to do much more to enforce a mandate to a US company. The ICO itself suggests it cannot do much more according to The Register.

Based on a prior Memorandum of Understanding (MOU) in place between the ICO and the US Federal Trade Commission (FTC), the FTC could intervene in this matter. However, US privacy law does not really contemplate consent for cookies. So the FTC’s motivation to deter a “covered privacy violation” under the MOU may be limited because, while the ICO asserts that this activity is in violation of the UK’s data protection laws, US laws do not prohibit substantially similar activities.

Contrast the warning against The Washington Post with the ICO’s enforcement action taken against Canadian company AggregateIQ Data Services Ltd (AggregateIQ). The ICO gave AggregateIQ 30 days to erase personal data of individuals in the UK or face fines. The 30-day time period will begin after the Canadian regulator (Office of the Information and Privacy Commissioner of British Columbia) completes its separate investigation of AggregateIQ’s privacy practices. While the ICO’s enforcement action in the AggregateIQ matter does not relate to data subject consent or the company’s use of cookies, it shows an example of the ICO taking stronger action under the GDPR against a company located outside the EU. To explain the difference, it is possible that Canada may be a more hospitable ground to enforce GDPR rules than the US. Alternatively, the actions of the Canadian company may have been closer to a violation of local law than those of The Washington Post, whose approach on cookies does not violate current US law.

Where does this leave US companies? . . . a little bit in limbo. The ICO appears to be watching US company practices, and may seek to influence them. Its actual ability to do so, whether directly, or with FTC assistance, remains to be seen.

*The Register’s report is available at https://www.theregister.co.uk/2018/11/19/ico_washington_post/.

Copyright © 2021 Womble Bond Dickinson (US) LLP All Rights Reserved. National Law Review, Volume VIII, Number 330

About this Author

Womble Bond Dickinson, LLP's regional heritage and local knowledge — combined with a transatlantic outlook — generate the insights capable of unlocking more opportunities for our clients.

With locations on both sides of the Atlantic, we provide the breadth of legal experience and services to meet our clients’ needs without losing the intimacy of being connected to our different communities.

These strong local and regional ties enable us to remain close to our clients and the issues they care about.
