Intent to issue €2.5M fine to Disqus over GDPR breaches

&gt; <i>Based on our investigation so far, we believe that Disqus could not rely on legitimate interest as a legal basis for tracking across websites, services or devices, profiling and disclosure of personal data for marketing purposes, and that this type of tracking would require consent</i><p>Good to see them taking this seriously. I get the impression a lot of sites&#x2F;services make expansive use of the <i>legitimate interest</i> provision.

Try blocking Disqus with uBlock Origin, turns out you probably won&#x27;t miss it<p><pre><code> ||disqus.com^ </code></pre> You could also try a dynamic filter and disable it on a per-site basis<p><pre><code> * disqus.com * block </code></pre> Or try &quot;medium mode&quot; to take care of Disqus and a whole host of other third party resources that track you<p><a href="https:&#x2F;&#x2F;github.com&#x2F;gorhill&#x2F;uBlock&#x2F;wiki&#x2F;Blocking-mode:-medium-mode" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;gorhill&#x2F;uBlock&#x2F;wiki&#x2F;Blocking-mode:-medium...</a>

Question to anyone who knows; I am assuming if you don’t live in the EU they can’t make you pay a fine. What do they actually do to stop you from doing business in the EU then? Do they outright block your website? I can’t think of how they’d stop you from collecting ad revenue from EU visitors otherwise.

More background: The fine is mainly based on the fact that Disqus forgot to enroll Norwegian IP-addresses into their GDPR «privacy mode».<p>That meant that websites that had enabled a specific setting (&quot;Enable anonymous cookie targeting&quot;) in Disqus were tracking Norwegian without informing them. Most of the websites in Norway and elsewhere did not know they were sharing users data through Disqus.<p>Major sites like the Wirecutter, The Hill, 9to5mac, Breitbart had enabled the setting in 2019. Of the 23 websites I contacted, all 11 that responded told me they were unaware of the tracking and had turned the setting off.<p>(I wrote the investigative articles in 2019 for the Norwegian public broadcaster NRK.)<p>A thread in English from then explains most of the findings: <a href="https:&#x2F;&#x2F;twitter.com&#x2F;martingund&#x2F;status&#x2F;1207327648093003777" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;martingund&#x2F;status&#x2F;1207327648093003777</a>

&quot;Norwegian internet users were tracked by Disqus because the company did not know that Norway introduced the common European privacy regulation GDPR in 2018. It thus took 511 days before Norwegians were incorporated into the company&#x27;s &quot;privacy mode&quot; for GDPR countries and previously collected information was deleted.&quot;[0]<p>It seems that there was some setting that is enabled by default in all other countries than countries with the GDPR law.<p>Also, from an earlier article: &quot;The company also claims that they have not shared Norwegians&#x27; online visits with anyone other than the parent company Zeta Global. Zeta Global describes itself as a &#x27;data-driven marketing company&quot;&#x27; that has information on over two billion identities.&quot;[1]<p>As a Norwegian, it will be interesting following this case.<p>[0]: <a href="https:&#x2F;&#x2F;nrkbeta.no&#x2F;2021&#x2F;05&#x2F;05&#x2F;datatilsynet-varsler-bot-pa-25-millioner-mot-amerikansk-selskap&#x2F;" rel="nofollow">https:&#x2F;&#x2F;nrkbeta.no&#x2F;2021&#x2F;05&#x2F;05&#x2F;datatilsynet-varsler-bot-pa-25...</a><p>[1]: <a href="https:&#x2F;&#x2F;nrkbeta.no&#x2F;2020&#x2F;09&#x2F;04&#x2F;datatilsynet-mener-det-er-sannsynlig-at-disqus-har-brutt-personvernloven&#x2F;" rel="nofollow">https:&#x2F;&#x2F;nrkbeta.no&#x2F;2020&#x2F;09&#x2F;04&#x2F;datatilsynet-mener-det-er-sann...</a>

In case anyone should be wondering, the 25M NOK fine is just about $3M USD. Not something that will seriously hurt the creepy jerks running Disqus, but at least enough for them to notice.

Good reason to mention &quot;Disqus, a dark commenting system&quot; again to remind everyone to avoid using it on your blog or website (it comes integrated with a lot of projects, like static site generator themes).<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=26033052" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=26033052</a>

What is the deal with the GDPR vis-a-vis US companies?<p>If we have a company incorporated solely in the USA that has web content that violates the GDPR but shows a popup and states in its ToU that the website is not to be used by any person or entity in countries that follow the GDPR, can our company be fined under the GDPR?<p>In other words, do GDPR countries claim jurisdiction over non-GDPR countries&#x27; websites?

From the link &quot;We consider the infringements to be serious. Disqus has tracked which news sites and articles readers in Norway have visited. Additionally, this has happened without the users’ knowledge.&quot; Based on that statement a lot will follow.

I thought their title mis-summarized the text (text says 25 million Norwegian Kroner, title says 2.5 million Euro). Actually it&#x27;s close enough, Google says NOK 25 million is EUR 2.484 million.

<i>&quot;Disqus breached the accountability principle by wrongfully considering the GDPR did not apply to data subjects in Norway&quot;</i><p>Interesting that Norway isn&#x27;t part of EU, but they implement GDPR.

Why Reddit or Discοurse haven&#x27;t created a competing service to Disqus goes beyond me.

I thought it said 2.5B, and thought “they’re finally enforcing the GDPR; great!”<p>Oh well.<p>(Edit: their revenue was $368M over the last 12 months, so €2.5B would be too high. The current fine is still an order of magnitude or two too low to change meaningfully change anyone’s behavior. It’s a couple of days of revenue. They could simply write it off as the cost of doing business, especially if they think the GDPR compliance will impact business growth)<p><a href="https:&#x2F;&#x2F;stockanalysis.com&#x2F;stocks&#x2F;zeta&#x2F;" rel="nofollow">https:&#x2F;&#x2F;stockanalysis.com&#x2F;stocks&#x2F;zeta&#x2F;</a>