Norwegian DPA Issues 2.5M EUR Preliminary Fine for U.S. Company Utilizing Web-Tracking IDs
On May 2, 2021, the Norwegian data protection authority, Datatilsynet, notified Disqus Inc. (“Disqus”), a U.S. company owned by Zeta Global, of its intention to issue a fine of 25 million Norwegian kroner (approximately 2.5 million Euros). The preliminary fine was issued for failure to comply with the General Data Protection Regulation’s (“GDPR”) accountability, lawfulness and transparency requirements, primarily in connection with Disqus’ tracking of website visitors.
Disqus provides an online public comment sharing platform and moderating tools for online publishers. Numerous Norwegian online newspapers used its services through the Disqus plugin (the “widget”). Disqus collected data through cookies placed on the devices of visitors to websites using the widget, and subsequently passed the personal data collected by those cookies to third-party advertising partners and to its parent company. The data collected included which other websites running the widget a user had visited, users’ IP addresses, browser data and unique identifiers. Disqus’ processing for programmatic advertising purposes was exposed by the Norwegian Broadcasting Corporation, which published news articles describing Disqus’ activities.
Datatilsynet concluded that Disqus had processed personal data (through tracking, analyzing and profiling, and disclosing data to third-party advertisers) without a legal basis, in breach of Articles 5(1)(a) and 6(1) of the GDPR. Datatilsynet also determined that Disqus had failed to provide notice of its data processing under Articles 5(1)(a), 12(1) and 13, and that Disqus had generally failed to recognize the GDPR’s applicability to its processing. Zeta Global confirmed in its communications with the regulator that the GDPR-compliant version of the widget had not been deployed in Norway because Disqus, noting that Norway is not an EU Member State, was unaware that the GDPR would apply. (Norway is a member of the European Economic Area, and the GDPR applies to it through the EEA Agreement.)
Disqus claimed in its communications with Datatilsynet that it was not subject to the regulator’s jurisdiction, as it has no business operations in Norway, and that it was unaware that it had collected data relating to Norwegian individuals. The widget was, however, offered on seven Norwegian news websites, which in the regulator’s view indicated that Disqus was offering a service to data subjects in Norway. Furthermore, the widget was available in Norwegian and served from a Norwegian country-code top-level domain. Datatilsynet therefore concluded that Disqus’ activities fell within the scope of Article 3(2)(a) of the GDPR. The regulator further considered that Disqus’ placing of cookies and subsequent tracking of Norwegian data subjects constituted monitoring of individuals’ behavior under Article 3(2)(b).
Disqus also argued that the information collected was not personal data, as the relevant individuals could not be identified from their cookie IDs. The regulator rejected this on the basis that the GDPR explicitly confirms that online identifiers can constitute personal data. Datatilsynet stated, with respect to cookie IDs, “Regardless of whether this constitutes identifiable information, each cookie ID is unique and placed in the browser of a natural person, enabling the controller to distinguish one website user from another, and to monitor how each user interacts with the website…Hence, a cookie ID fulfils the criteria in Article 4(1) GDPR, and constitutes ‘personal data’.”
Since Disqus had not been aware that the GDPR applied to its activities, the regulator concluded that Disqus clearly had not assessed the lawfulness of those activities and had failed to fulfil its responsibility to comply with, and to demonstrate compliance with, the GDPR, in breach of the accountability principle. Disqus had also failed to provide appropriate notice of its processing to individuals. The large majority of those tracked for online behavioral advertising had never interacted directly with Disqus and therefore had no reason to expect that such processing would take place, leaving them unable to assess whether they wanted to be subject to tracking and profiling by Disqus. The regulator stated that Disqus should have provided this information, at the latest, when the tracking started, i.e. when a website using the widget was opened.
With regard to the legal basis for the processing, Datatilsynet accepted that Disqus had a legitimate interest in the processing but found that the processing was not necessary to pursue that interest, since the same purposes could have been achieved by less invasive means. In addition, the regulator stated that the fact that the processing constituted profiling weighed against Disqus in the legitimate interests balancing test, since this type of processing poses several threats to the fundamental rights and freedoms of individuals, particularly the rights to freedom of expression and freedom of information. Datatilsynet commented, “Hidden monitoring or tracking people’s online activity can result in a chilling effect, meaning that they abstain from lawful behavior out of a fear of being watched online.” As a result, the regulator concluded that Disqus did not satisfy the legitimate interests balancing test and had conducted its processing without a legal basis.
In deciding to issue a fine, Datatilsynet took into account the large-scale dissemination of data subjects’ online browsing behavior, which could potentially be used to manipulate those individuals, and the likelihood that several hundred thousand individuals had been affected, indicating a systemic breach. Datatilsynet also noted that, although Disqus had deleted the relevant information, this was of little significance because the data had already been fed into the online behavioral advertising ecosystem. Furthermore, tracking and analysis of an individual’s online reading activity over time can reveal a great deal about that individual; the regulator considered this highly private information, potentially including special categories of data such as political opinions.
Disqus has until May 31, 2021 to comment on the regulator’s findings. Datatilsynet will finalize its decision once it has assessed Disqus’ response.