Strong relationships with our publishers and users are essential. A critical part of these relationships is establishing trust and confidence, which is why privacy has always been a priority. Over the last several years we made regular updates, geared towards respecting users’ privacy and ensuring a safe experience on Disqus.
Now, with the General Data Protection Regulation (GDPR) set to take effect, on May 25th, we want to share an update on our work to comply with new regulations and ensure that users and publishers who use Disqus can continue to do so with confidence. In this post, we'll provide an overview of upcoming product and operational changes that expand our already strong privacy framework.
With these updates, we intend to improve the experience for users on Disqus, rather than simply check off boxes for compliance. Although GDPR applies exclusively to data collected from persons located in the European Union (EU), our plans focus on network-wide improvements and new functionalities for all users on Disqus.
What we’re working on
We expect to deliver several updates in advance of May 25. We are still hard at work on these projects and will continue to provide updates as more functionality becomes available and as we have more specific details to share.
Updates to Privacy Controlling
Disqus already offers a strong Do Not Track (DNT) framework. This includes both honoring DNT settings from browsers and allowing users to opt-out of tracking within Disqus for targeted advertising and content recommendations. Currently, users with Disqus accounts can update their settings to opt-out of tracking across all devices and browsers where they are logged in. Logged-out users or readers without Disqus accounts can also opt-out of tracking for individual browsers.
A key piece of our planned updates is to expand on this framework and create a new feature called Privacy Mode that users can opt-in to from the Data Sharing Settings page. When a user is in Privacy Mode, Disqus will not collect or process any personal data, as defined by GDPR. In cases where we do not have a lawful basis for processing personal data we will apply Privacy Mode to requests from IP addresses associated with an EU country.
Facilitating Subject Access Requests
We afford users right to access the information that Disqus holds about them and the right to have that information deleted. Today, users can delete their Disqus account by following the instructions found at this link: Delete My Disqus Account.
Additionally, Disqus users can request access to all the information Disqus holds about them or request that we completely delete all of this information by emailing us at firstname.lastname@example.org. We are working to expand our capabilities to support these types of requests as the deadline for GDPR compliance approaches.
This will include updating the functionality of our support portal - https://disqus.com/support/ - to support requests from users. By May 25th, users will be able to easily submit requests for access and erasure.
New Consent Options
As part of our updates, we will implement new procedures to obtain consent, where needed, from Disqus users located in the EU for the collection of personal data both for processing by Disqus and, where applicable, third parties. This includes updates to our sign-up process and new options for existing users.
What publishers should know and how these updates will impact them:
- In most all cases, unless a publisher integrates Disqus with their own user management system through Single Sign-On (SSO), users sign-up and login to comment through Disqus. This makes Disqus a controller and we are taking necessary steps to ensure we have lawful basis for the collection of personal data that is necessary for using Disqus to comment on publisher sites.
- In the case where a publisher does integrate their own user management system with Disqus through SSO to require a user to sign-up and login through their site, the publisher is the controller of this login data. We require publishers who use SSO to obtain consent from users for the collection and processing of their data, including by Disqus for posting comments.
- Disqus only obtains consent from users for the collection and processing of data necessary for the use of Disqus. Publishers should be taking all necessary steps to comply with GDPR and other applicable regulations for the data they collect and process from visitors to their sites.
- Publishers may receive questions from visitors of their site about the data that Disqus may store about them. Publishers can refer these users to us at https://disqus.com/support/.
- For publishers on Pro and Business plans, we provide reporting on unique visitors, comment readers, and engagers in the Audience Analytics page. As part of our compliance updates, we will no longer use unique identifiers for analytics or any other purposes for users in Privacy Mode. Initially this may impact the accuracy of the reporting we provide on unique user counts.
- Currently, we display email and IP addresses of users next to their comments in the moderation panel. This information has always been strictly for moderation purposes (the ability to ban users by email or IP). In advance of May 25th, we plan to pseudonymise this data. This means that the data will no longer display in the admin panel. However, publishers will still be able to take moderation actions based on email and IP addresses as usual.
We’re here to help
Our goals are to continue to improve the experience for users on our network and provide peace of mind for publishers who use Disqus to connect with their readers and drive engagement. We know that publishers have a lot on their plates and navigating regulations isn’t easy. We’re committed to being a partner to our publishers in their compliance and privacy efforts.
For publishers who have questions about privacy or GDPR compliance, please contact us at email@example.com.