Use of Web-Tracking IDs land Disqus €2.5m Preliminary GDPR Penalty

At the beginning of May the Norwegian data protection authority, Datatilsynet, announced that online comment moderation platform Disqus has been made aware that it will be obliged to pay a fine of  €2.5m as it is breaching the European Union’s General Data Protection Regulation in relation to its tracking of website visitors.

Previously it was discovered, by the Norwegian Broadcasting Corporation during research for a news report about the business practices of Disqus, that data was being gathered through the use of cookies downloaded to the devices used by website visitors. Once gathered, this data was then made available to external advertising partners despite the data subjects not providing authorization for this to happen. The data included IP addresses, browser data and other unique identifiers.

Responding the the ruling, Disqus owner Zeta Global claimed that the GDPR-compliant version of their service was not in use in the Norwegian jurisdiction due to the fact that it is not an EU Member State. The company was of the belief that GDPR is not applicable in the jurisdiction.

Datatilsynet rule that the company (Disqus): “had processed personal data (through tracking, analyzing and profiling and disclosing data to third-party advertisers), without a legal basis under Articles 5(1)(a) and 6(1) of the GDPR.”

Additionally it ruled that (Disqus) “had failed to provide notice of its data processing under Articles 5(1)(a), 12(1) and (13), and that Disqus had generally failed to recognize the GDPR’s applicability to its processing.”

Disqus also defending the practice by saying that #the cookies were not gathering personal data as, in their opinion, individuals should not be identified from their cookie IDs. The was not accepted by Datatilsynet due to the fact that the GDPR explicitly explains that online identifiers represent personal data.

Datatilsynet said: “Regardless of whether this constitutes identifiable information, each cookie ID is unique and placed in the browser of a natural person, enabling the controller to distinguish one website user from another, and to monitor how each user interacts with the website… Hence, a cookie ID fulfils the criteria in Article 4(1) GDPR, and constitutes ‘personal data’.”

In relation to Disqus’ claim that it was unaware that GDPR has to be taken into account in Norway, the regulator ruled that the company had failed in its obligation to ensure that its practices were legal.

Datatilsynet said: “Hidden monitoring or tracking people’s online activity can result in a chilling effect, meaning that they abstain from lawful behavior out of a fear of being watched online.”

Disqus has been allowed until May 31 to appeal the findings of the investigation and subsequent preliminary penalty.