Disqus issued fine against breaking GDPR consent rules for 2.5 million euros

The popular web comment system Disqus, a US company owned by Zeta Global has been under fire recently by the Norwegian Data Protection authority for breaking rules and failing to comply with GDPR (General Data Protection Regulations) and utilising web tracking IDs for website visitors without user consent.

Disqus issued fine against breaking GDPR rules & web tracking for 2.5 million euros

On May 2, 2021, the Norwegian data protection authority (Datatilsynet) informed Disqus of their intention to issue a fine of around 2.5 million euros for failing to comply with the GDPR. This fine included accountability, lawfulness and transparency requirements related to the GDPR.

Disqus is a comment system where website owners can render a fully managed comment section on their website, like under an article or under documentation for example. It is a public comment sharing platform for online publishers with moderation tools. Disqus provides the comment system which loads on installed websites and they were fined for tracking visitors without proper consent. Done through the use of cookies and tracking IDs.

As the Disqus comment system is installed via a plugin, it is easy to set up and Disqus were collecting tracking cookies, personal data and passing this data across domains and over to third-party advertising partners without proper consent from users, which is strictly required by the GDPR.

The data collected was also going to its parent company, Zeta Group, users must give permission for this transaction of data. Personal data that was collected ranged from user’s IP addresses, browser data and cookie IDs. The company was first found at fault by the Norwegian Broadcasting Corporation, which published news articles describing Disqus’ activities. The data they were collecting isn’t illegal but they must obtain explicit permission from the user first.

Through the investigation led by the Norwegian DPA, they concluded that the US company Disqus, had processed personal user data via web tracking tools, analysing and profiling collected data and transferring user data over to third-party advertising partners without any user consent. All this falls under the GDPR and there was no legal right in the way users data was handled. Disqus also had been found to not provide any notice of its data processing to users, which is a requirement under the GDPR.

After contacting the parent company of Disqus, they had confirmed that the GDPR compliant version of the comment system was not being used in Norway because Zeta Global did not consider Norway under the GDPR because they are not an EU member state, so they did not think the laws would apply - Some of the latest confusion with how far the GDPR actually travels and how unaware a company can be to receive a fine of around 2.5 million euros.

Under the GDPR law a company is responsible for ensuring they are collecting data with respect to user privacy and privacy law regulations. Even if they don’t have a physical presence within Europe, data collected from GDPR jurisdictions must follow the requirements and law of the GDPR.

Disqus stated that because they don’t have “any business operations in Norway, and that it was unaware that it had collected data relating to Norwegian individuals”. However, the Norwegian DPA found that Disqus met the criteria of the GDPR law as Disqus were serving the comment system via a Norwegian country code top-level domain and that they were serving cookies which could be used to track users across domains without permission. Disqus argued that cookie IDs are not personal information but under the GDPR they are deemed so, because cookie IDs can be used to track individuals across websites and domains, tracking their every move or action on a website, so it is deemed personal data to that user. The GDPR explicitly confirms that online identifiers constitute personal data.

Disqus claimed that they were not aware of the misuse of user data but as a company that processes the mentioned data, they are accountable to ensure that they are processing data under the applicable privacy laws like the GDPR. The regulator condulced that Disqus was at fault and they failed to show lawfulness of its actions, they had failed to take action and show responsibility to comply with and demonstrate GDPR compliance, Disqus breached the accountability principle and broke user privacy of thousands.

Because Disqus also failed to present users with a data processing statement, most users who were affected by this misuse of data had no idea to expect that they were being tracked and profiled. Users were therefore unable to assess whether they wanted to be subject to tracking and profiling by Disqus.

As for any further legal action taken by the Norwegian DPA, they have confirmed that Disqus should have at least provided users with information about how their data was being processed. Disqus was found to have no legal basis for how they collected and tracked data across their comment system.

The GDPR regulator determined that due to Disqus’ actions, a large portion of the data collected has probably affected the rights of thousands of users relating to the freedom of expression and freedom of information. And because the data collected was without valid consent, the data is deemed to be a systemic breach. It was also confirmed by Datatilsynet that Disqus deleted the relevant data from their systems but the damage has already been done because the data was already fed into the monitoring and analysis tools that they were using, becoming part of the online behavioral advertising ecosystem.

The regulator deemed that the data collected was highly private and sensitive because processing of online reading activity could, through tracking and analysis over time, reveal a lot about the individual, such as political opinions. You can see how easily it is to lose control over user consent and do damage to privacy. It is important to consider all the data companies collect and see if it breaks any laws and or regulations.

Currently, Disqus has until May 31st, 2021 to respond before any final decision is made to any further legal action and the Norwegian DPA will confirm its decisions after assessing any response from Disqus.

What to do as a publisher installed Disqus?

Publishers have already installed the comment system Disqus can manage user's consent with consent manager like UniConsent CMP to comply with GDPR. Only load the Disqus tag and send data to Disqus once a user has given consent.

About UniConsent

UniConsent is a part of Transfon's privacy-first User Experience Platform serves tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the age of post GDPR. Contact us to know more: hello@uniconsent.com