- The data protection authority in Norway is preparing to fine Disqus $3 million for GDPR violations.
- The commenting system is reportedly collecting user data without the users’ consent.
- The decision isn’t final, and Disqus was given until the end of the month to share its remarks.
The Norwegian Data Protection Authority published its intention to fine Disqus €2.5 million ($3 million) for what it characterizes as the “serious infringement” of hidden tracking and invasive profiling of users. More specifically, the authority claims that Disqus is tracking which sites and articles are read by users who visit sites where the company's software is used. Because this is a GDPR violation, the authority considered Disqus’ estimated annual global turnover, so the fine is 15% of the company’s 2018 figures (when the investigation was launched).
Disqus is an online public comment sharing platform that is a popular choice among news websites. In Norway, several websites incorporate the Disqus commenting system, so Norwegian users are directly affected, which is why the data protection authority was interested in investigating it.
The three points of violation that incur the fine are the following:
- Having processed the personal data of data subjects in Norway, collected from the websites NRK.no/ytring, P3.no, tv.2.no/broom, khrono.no, adressa.no, rights.no, and document.no, through tracking, analyzing and profiling, and disclosing personal data to third-party advertisers, without a legal basis according to Articles 5(1)(a) and 6(1) GDPR.
- Failure to provide the data subjects with information under Articles 5(1)(a), 12(1), and 13 GDPR.
- Failure to identify GDPR as the applicable legal framework for processing the personal data of data subjects in Norway pursuant to Article 5(2) GDPR.
So, all in all, Disqus is accused of breaching the GDPR transparency and information requirements, not communicating what data it is collecting, and not disclosing to registered users what it is doing with that data. The most problematic point is using this data for marketing purposes, which is underpinned by a very specific legal requirement that Disqus appears to ignore. Additionally, the commenting system appears to hide behind the GDPR compliance that is ensured by the hosting websites, effectively masking its data collection.
The above claims are the result of a preliminary investigation, and the Norwegian data protection authority clarifies that the announcement is neither final nor binding. As such, the violation claims may be retracted if Disqus responds to the investigators with explanations and actual technical details, while the fine amount may be reduced too. Disqus and its parent company, Zeta Global, were given until the end of the month to give their remarks on the investigation findings.