In November 2018 and yesterday, I blogged about how the UK ICO found The Washington Post's cookie consent options failed to satisfy the consent requirements under the GDPR.
For consent to be valid, it must be voluntary. The DPA found cookie consent to be voluntary and therefore valid because there were no significant negative consequences to refusing consent. If a reader does not want to accept cookies, then (a) they can pay for a monthly subscription that was not expensive, or (b) they can use an alternative source of information (see decision hosted on Mega.nz).
Not surprisingly, the DPAs are arriving at different decisions. The real question will be which DPA - UK or Austrian - will the other DPAs follow.
Image by Andrew Magill on Flickr and licensed under CC BY 2.0.