According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO) has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under the EU General Data Protection Regulation (GDPR) and allowing its readers to switch off tracking and cookies.

Article 6(1) of the GDPR provides, in part, “[p]rocessing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Article 7(4) states: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

According to the story, WaPo offers three options to would-be readers: (1) free access to a limited number of articles each month conditioned upon consent to the use of cookies, tracking and ads by WaPo and third parties; (2) a basic paid subscription that is also contingent upon the reader’s consent to cookies and tracking; and (3) a premium EU subscription, which is the most expensive option at $9 a month but permits readers to opt out of tracking and cookies.

An ICO representative concluded that WaPo’s subscription model does not meet the spirit of the GDPR’s data privacy protections or consent obligations “because they have not given users a genuine choice and control over how their data is used.” The ICO representative further concluded that because the paper has not offered all levels of subscription the ability to opt out of tracking and cookies, “consent cannot be freely given and is invalid.”

According to the ICO’s website, it received 195 concerns from data subjects about website cookies between April 2016 and March 2017, which is the most recent data available. By comparison, in that period, the ICO received 167,018 concerns about nuisance calls, text messages and emails. In terms of enforcement, the ICO notes that its “approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the U.K.,” noting that it maintains “a consumer threat level of ‘low’ in this area due to the very low levels of concerns reported by members of the public.”

While this new warning to WaPo about consumer choice and consent provides a useful guidepost for companies navigating GDPR compliance, it is unlikely to mark a significant pivot in the enforcement direction of the ICO.