Earlier this month, the Norwegian data protection authority, Datatilsynet, revealed that it intends to fine Disqus 25m Norwegian Krone (€2.5m) in relation to how it tracks website visitors.
It was discovered that Disqus, an online platform that allows comment and moderation, was collecting data via cookies added to the devices of website visitors. This data was then transferred to third-party advertising partners and its parent company without authorization from the data subjects.
The data collected included users’ IP addresses, browser data and a range of other unique identifiers. This activity was discovered by the Norwegian Broadcasting Corporation during research for a news report about the business practices of Disqus.
The official ruling of the Datatilsynet said that (Disqus): “had processed personal data (through tracking, analyzing and profiling and disclosing data to third-party advertisers), without a legal basis under Articles 5(1)(a) and 6(1) of the GDPR.”
Additionally it ruled that (Disqus) “had failed to provide notice of its data processing under Articles 5(1)(a), 12(1) and (13), and that Disqus had generally failed to recognize the GDPR’s applicability to its processing.”
Defending it’s business practices, Disqus owner Zeta Global claimed that the GDPR-compliant version of their service was not implemented in Norway as it was not an EU Member State and they were not aware that GDPR would apply in that jurisdiction.
In addition to this, it was claimed that the cookies were not gathering personal data as, in their opinion, individuals should not be identified from their cookie IDs; however this, was refuted by the Datatilsynet due to the fact that the GDPR explicitly explains that online identifiers constitute personal data.
Datatilsynet commented, in relation to cookie IDs: “Regardless of whether this constitutes identifiable information, each cookie ID is unique and placed in the browser of a natural person, enabling the controller to distinguish one website user from another, and to monitor how each user interacts with the website… Hence, a cookie ID fulfils the criteria in Article 4(1) GDPR, and constitutes ‘personal data’.”
In considering the claim that Disqus had not known of the GDPR applicability to its activities in Norway, the regulator concluded that Disqus had not adequately reviewed the legality of its business practices and activities and, as such, had failed in its obligation to adhere with the GDPR. In tandem with this it was found that Disqus did not supply proper notice to individuals in relation to the processing of data. As most of the individuals who had their private data recorded for online behavioral advertising were not given the ability to choose if they wanted to participate in this. The data regulator found that Disqus should have, as a minimum, provided information in relation to when the tracking began.
Datatilsynet commented on the preliminary GDPR fine saying: “Hidden monitoring or tracking people’s online activity can result in a chilling effect, meaning that they abstain from lawful behavior out of a fear of being watched online.”
Due to this, a ruling was issued saying Disqus had failed to meet its obligations under GDPR to satisfy the legitimate interests balancing test and had conducted its processing without a legal basis. Disqus has been given until May 31, 2021 to officially respond to the findings of the investigation and subsequent preliminary penalty.