(not) running Ghost + Disqus in Germany

Photo by Giammarco Boscaro / Unsplash

Running a tech blog in Germany can be quite challenging. Besides all the technical possibilities, there are a lot of legal and administrative barriers.

I wanted to embed a simple commenting feature at the end of every post of this tech blog. I could have used the built-in functionality from Ghost, which requires my visitors to sign up, or I could use a blog comment hosting service provider like "Disqus".

Since May 2018, every European processing users' data is obliged to comply with the General Data Protection Regulation (GDPR).

Before implementing the Disqus feature in my blog, I first had to check the Disqus GDPR compliance state:

Privacy FAQ

In the Disqus Privacy FAQ I read that they seem to comply with the GDPR. It's hard to tell because there is nothing like an official certificate that could prove GDPR compliance.

Certificates like Privacy Shield for data protection exist but don't fully comply with the GDPR.

EU-US Privacy Shield – Wikipedia

Googling for Disqus and their GDPR compliance also reveals a $3M fine the company was facing back in 2019.

Disqus facing $3M fine in Norway for tracking users without consent
Disqus, a commenting plug-in that’s used by a number of news websites and which can share user data for ad targeting purposes, is in hot water in Norway for tracking users without their consent. The local data protection agency said today it has notified the U.S.-based company of an intent to fine i…

During my research I also discovered German legal advice from "Einfach-Abmahnsicher.de":

Einfach Abmahnsicher
How to integrate Disqus into your website in compliance with data protection law. Generate legal texts quickly and easily to protect yourself against cease-and-desist warnings (Abmahnungen).

Quote:

Notes on integration
The use of Disqus is problematic if it is to be based on legitimate interests, i.e. no consent is obtained from the user. It is true that Disqus states that since the entry into force of the GDPR, no cookies are stored when the user accesses the site from the EU. However, in the event that users comment, a variety of data is passed on to Disqus, including the email address. In addition, Disqus sets a cookie that advertising networks can use to personalize their advertising. Whether this is always clear to users seems doubtful. Therefore, the use of Disqus without consent is associated with a considerable risk in our view.

I decided to not implement any feature that processes user data in any form. I am not a legal expert and I don't know if an advanced cookie banner itself will solve my problems.

Therefore, if you want to reach out to me, contact me by mail (Philipp.Fragstein@gmx.de) or directly over LinkedIn:

https://www.linkedin.com/in/philipp-fragstein-174272180