Disqus facing $3M fine in Norway for tracking users without consent
Disqus Faces Potential Fine in Norway for Data Tracking Practices
Disqus, a widely used commenting platform integrated into numerous news websites, is currently facing scrutiny in Norway. The concern revolves around the company’s practices of collecting and utilizing user data for targeted advertising without obtaining explicit consent.
GDPR Compliance Concerns
Norway’s data protection authority has announced its intention to impose a fine of €2.5 million (approximately $3 million) on the U.S.-based company. This action stems from alleged violations of the General Data Protection Regulation (GDPR), specifically concerning accountability, lawfulness, and transparency.
Requests for comment have been directed to Zeta Global, the parent company of Disqus.
Investigation Findings
The investigation, initiated in 2019, focused on Norway’s national press and revealed that default settings within the Disqus plug-in automatically enrolled websites in sharing data from millions of users, including those in the United States.
While the company implemented an opt-in consent mechanism for users in most European countries to comply with GDPR, it seemingly operated under the assumption that the regulation did not extend to Norway.
Norway's GDPR Adoption
Despite not being a member of the European Union, Norway is part of the European Economic Area (EEA). The EEA adopted the GDPR in July 2018, coinciding with its implementation across the EU. Norway also incorporated the regulation into its national legislation at the same time.
Affected Websites
The Norwegian Data Protection Authority (Datatilsynet) reports that the unlawful data sharing primarily impacted Norway. Seven websites were specifically identified as affected:
- NRK.no/ytring
- P3.no
- tv.2.no/broom
- khrono.no
- adressa.no
- rights.no
- document.no
Legitimate Interest Argument Rejected
Disqus attempted to justify its practices by citing the “legitimate interest balancing test” as a lawful basis for data processing. However, the DPA director-general, Bjørn Erik Thon, refuted this claim, stating the company was unaware that GDPR applied to Norwegian users.
The investigation concluded that relying on legitimate interest for cross-website tracking, profiling, and data disclosure for marketing purposes is inappropriate and requires explicit user consent.
Transparency and Accountability Issues
Thon further emphasized that the investigation uncovered significant deficiencies in transparency and accountability regarding data handling practices.
The DPA asserts that the violations are substantial, impacting “several hundred thousands of individuals.” The compromised personal data is considered highly sensitive, potentially including information about minors or revealing political viewpoints.
The tracking methods employed were deemed invasive and lacked transparency.
Next Steps
Disqus has been granted until May 31st to respond to the investigation’s findings before a final decision regarding the fine is issued.
Publishers Receive Reminder Regarding Data Responsibilities
Datatilsynet, the Norwegian data protection authority, has issued a cautionary notice to publishers utilizing the Disqus platform. They emphasized that website operators bear legal responsibility for the third-party services integrated into their sites, as stipulated by the GDPR.
Essentially, ignorance of default data-sharing configurations does not absolve publishers of their legal obligations. It is their duty to understand how any third-party code on their website handles user data.
The DPA clarified that the current investigation centers on Disqus, offering publishers a chance to rectify any issues before further scrutiny takes place.
Norway’s DPA articulated the severity of unauthorized profiling in straightforward terms. According to Thon, “Hidden tracking and profiling is very invasive.”
Without awareness of personal data usage, individuals are deprived of their rights to access and object to data utilization for marketing purposes.
Furthermore, sharing personal data for programmatic advertising carries a substantial risk of individuals losing control over their data processing.
Across Europe, the issue of adtech tracking and GDPR compliance has presented a significant challenge for data protection authorities. These authorities have faced criticism for a perceived lack of enforcement since the regulation’s implementation in May 2018.
For instance, the U.K.’s ICO has been investigating complaints regarding the use of personal data in real-time bidding (RTB) for behavioral advertising for several years.
Despite repeated warnings to the industry about unlawful practices, the ICO has yet to issue any fines or enforcement orders.
The regulator is currently facing legal action from complainants due to this inaction.
Ireland’s DPC, responsible for overseeing numerous adtech companies with regional headquarters in the country, has several ongoing GDPR investigations into adtech practices, including RTB.
However, nearly three years after the regulation’s application, the DPC has not yet delivered any decisions in this area.
This lack of action has contributed to increasing pressure on its overall GDPR enforcement record, both domestically and internationally, including scrutiny from the European Commission.
The situation differs in Belgium, where the DPA appears to be moving towards a significant ruling against current adtech practices.
A preliminary report from its investigatory division questioned the legal validity of consents obtained through the IAB Europe’s “Transparency and Consent” framework (TCF).
The TCF was found to be non-compliant with the GDPR’s principles of transparency, fairness, and accountability, as well as lawful processing.
A final decision is anticipated this year, and a ruling upholding the division’s findings could severely impact the behavioral ad industry’s ability to track and target users in Europe.
Research indicates that a vast majority of internet users in Europe would opt out of tracking if presented with a genuine GDPR-compliant choice: one that is specific, clear, informed, and freely given, without any deceptive practices.
Natasha Lomas