They can't offer to give you access in exchange for consent to use your data. By not granting access at all, they are complying with the GDPR. However, as always, it's important to point out that you don't ever have to ask for consent with the GDRP. If the data you are gathering necessary in order to complete the service, then people can't even object to it. If the data you are gathering is a legitimate interest (for marketing, or whatever), then you don't have to ask for permission, you just have to allow people to object after the fact. It's only if you don't technically need the data to do the job and you have no legitimate interest in the data that you have to ask for consent.

Not to put too fine a point on it, if they have no need for the data and they have no legitimate interest in it and they don't even want to ask for your consent... do you really want to go to that site? It's pretty clear what they think of you.

> If the data you are gathering is a legitimate interest (for marketing, or whatever)

Calling marketing a legitimate interest is a bit of a grey area. The ICO says that by relying on legitimate interests (i.e. not gaining consent) they need to be weighed against the impact they have on the user's privacy and own interests.[0]

So if you are showing first party ads and you aren't collecting more data than is necessary (e.g. anonymised IP address, browser, a list of articles/products the user has viewed) you are probably fine. But if you start linking this with any personal data (e.g. full IP address, email address, date of birth) or intend on sharing it with a third-party you need consent.

[0] https://ico.org.uk/for-organisations/guide-to-the-general-da...

Yes, I totally agree with that assessment. In this context, it's hard to think of a legitimate marketing purpose. Potentially you could do something like record the IP address and if the person comes back put up a banner saying, "I've noticed you were here before. If you pay $X per month, you can skip all the third party ads". That would be legitimate interest I think (you would still have to do something to allow them to object like putting on a button that said, "Never show me this again"). I can't think of any legitimate reason for passing on personal data to a third party, as you say.

Edit: Now that I think about it, the Guardian does exactly that... Probably why I thought of it LOL.

I tend to think it's not compliant, but given there is a complete opt out (that does cost money), and the Post is, by its nature, very US oriented, I think it's unlikely to be a priority for regulators.

What is the loss to a European of being unable to read the post?

They cover stuff outside the US, and people link to it. For example, this HN front-page article from a couple of days ago: https://www.washingtonpost.com/news/voraciously/wp/2018/10/0...