The Norwegian Data Protection Authority published its intention to fine Disqus €2.5 million ($3 million) for what it characterizes as the “serious infringement” of hidden tracking and invasive profiling of users. More specifically, the authority claims that Disqus is tracking which sites and articles are read by users who visit sites where the company's software is used. Because this is a GDPR violation, the authority considered Disqus's estimated annual global turnover, so the fine is 15% of the company’s 2018 figures (when the investigation was launched).
Disqus is an online public comment sharing platform that is a popular choice among news websites. In Norway, several websites incorporate the Disqus commenting system, so Norwegian users are directly affected, which is why the data protection authority was interested in investigating it.
The three points of violation that incur the fine are the following:
So, all in all, Disqus is accused of breaching the GDPR transparency and information requirements, not communicating what data they are collecting, and not disclosing what they’re doing with it to the registered users. The most problematic point is using this data for marketing purposes, which is underpinned by a very specific legal requirement that Disqus appears to ignore. Additionally, the commenting system appears to hide behind the GDPR compliance that is ensured by the hosting websites, effectively masking its data collection.
The above claims are the result of a preliminary investigation, and the Norwegian data protection authority clarifies that the announcement is neither final nor binding. As such, the violation claims may be retracted if Disqus responds to the investigators with explanations and actual technical details, while the fine amount may be reduced too. Disqus and its parent company, Zeta Global, were given until the end of the month to give their remarks on the investigation findings.