Disqus is an American company owned by Zeta Global. The company offers an online public comment sharing platform, which was previously used by a number of Norwegian online newspapers, and it also engages in programmatic advertising.
The Norwegian Data Protection Authority was made aware of the matter through news articles by the Norwegian National Broadcaster (NRK). According to the NRK, Disqus conducted unlawful tracking of visitors to Norwegian websites using the Disqus plugin. Their data were then disclosed to third party advertising partners. The NRK further wrote that this happened because Disqus was unaware that the GDPR applied in Norway, which Disqus’ parent company Zeta Global confirmed in an interview.
According to the information available to us, this incident has predominantly been an issue in Norway. The seven affected websites are NRK.no/ytring, P3.no, tv.2.no/broom, khrono.no, adressa.no, rights.no and document.no.
Lack of legal basis, information and accountability
Disqus has argued that their practices could be based on the legitimate interest balancing test as a lawful basis, despite the company being unware that the GDPR applied to data subjects in Norway.
- Based on our investigation so far, we believe that Disqus could not rely on legitimate interest as a legal basis for tracking across websites, services or devices, profiling and disclosure of personal data for marketing purposes, and that this type of tracking would require consent, states Director-General Bjørn Erik Thon.
Our preliminary conclusion is that Disqus has processed personal data unlawfully. However, our investigation also discovered serious issues regarding transparency and accountability.
- In our advance notification, we also consider that Disqus breached the GDPR transparency and information requirements by not giving the data subjects adequate information about the company’s tracking, profiling and disclosure of personal data. Finally, our preliminary conclusion is that Disqus breached the accountability principle by wrongfully considering the GDPR did not apply to data subjects in Norway, says Thon.
Website owners are also responsible under the GDPR for which third parties they allow on their websites. In the present case, the Norwegian Data Protection Authority has focused the investigation on Disqus.
We consider the infringements to be serious. Disqus has tracked which news sites and articles readers in Norway have visited. Additionally, this has happened without the users’ knowledge.
- Hidden tracking and profiling is very invasive. Without information that someone is using our personal data, we lose the opportunity to exercise our rights to access, and to object to the use of our personal data for marketing purposes like in the present case, says Thon.
An aggravating circumstance is that disclosure of personal data for programmatic advertising entails a high risk that individuals will lose control over who processes their personal data.
High administrative fine
An administrative fine should be effective, proportionate and dissuasive.
- The size of the fine is based on a thorough assessment and is set this high because of the fundamental breaches and aggravating circumstances of the case. The infringements have affected several hundred thousands of individuals, the affected personal data are highly private and may relate to minors or reveal political opinions, and the tracking, profiling and disclosure of data was invasive and nontransparent, Thon concludes.
Not a final decision
The document we have issued to Disqus in a draft decision. Disqus has been given the opportunity to comment on our findings within 31 May 2021. We will make our final decision once we have assessed any remarks the company may have.
Advance notification of an administrative fine (PDF)