Norwegian DPA issues GDPR non-compliance notice to Disqus
This year has already seen over 100 GDPR non-compliance decisions. Most have been limited to regional companies, but a few have made larger news. The latest company poised to be fined is Disqus.
Disqus is a commenting platform that companies can embed in their sites or applications to allow visitors to leave comments on individual articles or pages. Norway's data protection authority has notified Disqus that they intend to issue a non-compliance fine of NOK 250,000,000 (about EUR 2,500,000).
What Disqus did wrong
When the GDPR went into effect, Disqus set tracking within their commenting plug-in to opt-in and required consent from data subjects. While Norway isn't part of the European Union (EU), it is part of the European Economic Area (EEA) and adopted the GDPR shortly after the EU.
It appears that Disqus did not make the same changes to tracking for sites located in Norway, and used an opt-out default instead. Disqus claims that their data collection is a legitimate interest and therefore qualifies as a lawful basis for processing. But given that they changed the default settings in EU countries and did not know that Norway had adopted the same GDPR rules, it is unlikely that this defense will hold up.
The privacy commissioner also notes that the data collected constitutes personally identifiable information (PII) and may include reading and website preferences, potential details about minors, and political opinions. It is suspected that the processing affects the privacy of several hundred thousand individuals.
Where the story goes from here
It's important to note that this is a notice of non-compliance, rather than a direct fine. The Norwegian Data Protection Authority is giving Disqus until May 31, 2021, to respond to its findings, at which time a final decision will be made. If it stands, this would be Norway's largest GDPR fine to date and would rank within the top 20 GDPR fines issued thus far.
This story is a good reminder that adhering to the toughest standard among all privacy regulations, regardless of where your customers reside, is the safest approach to avoiding non-compliance.