On May 2, 2021, the Norwegian data protection authority, Datatilsynet, notified Disqus Inc. (“Disqus”), a U.S. company owned by Zeta Global, of its intention to issue a fine of 25 million Norwegian Krone (approximately 2.5 million Euros). The preliminary fine was issued for failure to comply with the General Data Protection Regulation’s (“GDPR”) accountability, lawfulness and transparency requirements, primarily due to Disqus’ tracking of website visitors.
Disqus provides an online public comment sharing platform and moderating tools for online publishers. Numerous Norwegian online newspapers used its services through the Disqus plugin (the “widget”). Disqus collected data through cookies placed on the devices of website visitors using the widget, and subsequently passed personal data collected by those cookies to third-party advertising partners and its parent company. The data that was collected included information about other websites running the widget users visited, users’ IP addresses, browser data and unique identifiers. Disqus’ processing for programmatic advertising purposes was exposed by the Norwegian Broadcasting Corporation, which published news articles describing Disqus’ activities.
Datatilsynet concluded that Disqus had processed personal data (through tracking, analyzing and profiling and disclosing data to third-party advertisers), without a legal basis under Articles 5(1)(a) and 6(1) of the GDPR. Datatilsynet also determined that Disqus had failed to provide notice of its data processing under Articles 5(1)(a), 12(1) and (13), and that Disqus had generally failed to recognize the GDPR’s applicability to its processing. Zeta Global confirmed in its communications with the regulator that the GDPR-compliant version of the widget was not implemented in Norway as, given that it was not an EU Member State, Disqus was unaware that the GDPR would apply.
Disqus claimed in its communications with Datatilsynet that it was not subject to the jurisdiction of the regulator as it does not have any business operations in Norway, and that it was unaware that it had collected data relating to Norwegian individuals. The widget was offered on seven Norwegian news websites, however, which, in the view of the regulator, indicated that Disqus offered a service to data subjects in Norway. Furthermore, the widget was available in Norwegian, with a Norwegian country code top-level domain. Datatilsynet therefore concluded that Disqus’ activities were within the scope of Article 3(2)(a) of the GDPR. The regulator further considered that Disqus’ placing of cookies and subsequent tracking of Norwegian data subjects constituted monitoring of individuals under Article 3(2)(b).
Disqus also argued that the information collected was not personal data, as the relevant individuals could not be identified from their cookie IDs. The regulator refuted this on the basis that the GDPR explicitly confirms that online identifiers constitute personal data. Datatilsynet stated, with respect to cookie IDs, “Regardless of whether this constitutes identifiable information, each cookie ID is unique and placed in the browser of a natural person, enabling the controller to distinguish one website user from another, and to monitor how each user interacts with the website…Hence, a cookie ID fulfils the criteria in Article 4(1) GDPR, and constitutes ‘personal data’.”
On the basis that Disqus had not been aware of the GDPR’s applicability to its activities, the regulator concluded that it was clear that Disqus had not assessed the lawfulness of its activities and had failed to fulfil its responsibility to comply with and demonstrate compliance with the GDPR, breaching the accountability principle. Disqus had also failed to provide appropriate notice of its processing to individuals, since the large majority of those who were tracked for online behavioral advertising had no reason to expect that such processing would take place because they had never interacted directly with Disqus. Individuals were therefore unable to assess whether they wanted to be subject to tracking and profiling by Disqus. The regulator stated that Disqus should have provided information, at the latest, when the tracking started, i.e. when the website using the widget was opened.
With regard to determining the applicable legal basis for the processing, Datatilsynet confirmed that Disqus did have a legitimate interest in the processing but that the processing was not necessary for this interest, as the processing activities could have been carried out by less invasive means. In addition, the regulator stated that the fact that the processing constituted profiling affected the legitimate interest balancing test, since this type of processing poses several threats to the fundamental rights and freedoms of individuals, particularly the rights to freedom of expression and freedom of information. Datatilsynet commented, “Hidden monitoring or tracking people’s online activity can result in a chilling effect, meaning that they abstain from lawful behavior out of a fear of being watched online.” As a result, the regulator concluded that Disqus did not satisfy the legitimate interests balancing test and had conducted its processing without a legal basis.
As part of its decision to issue a fine, Datatilsynet considered the fact that there had been large-scale dissemination of the online browsing behavior of data subjects, which could potentially lead to manipulation of those individuals, along with the fact that it was likely that several hundred thousand individuals had been affected, indicating a systemic breach. Datatilsynet also noted that, although Disqus had deleted the relevant information, this was of little significance since the data had already been fed into the online behavioral advertising ecosystem. Furthermore, processing of online reading activity could, through tracking and analysis over time, reveal a lot about the individual. The regulator considered this highly private information, potentially including sensitive information such as political opinions.
Disqus has until May 31, 2021 to comment on the regulator’s findings. Datatilsynet will finalize its decision once it has assessed Disqus’ response.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code