Disqus and Data Protection – What Belongs in Your Privacy Policy
Concise guide to Disqus and data protection: data processed, purposes, legal bases (GDPR) and what website operators should include in their privacy policy when using Disqus.
If a website operator uses Disqus, then – when a page with the embedded comment widget is loaded – web server log data, click paths, device data and user-generated content (comments) are processed for the purpose of providing the comment function and, according to the publicly available information from the provider, also for marketing and profiling purposes. Because of this advertising and tracking component, the legal basis is regularly consent under Article 6 (1) (a) GDPR in conjunction with Section 25 (1) TDDDG. This page provides a concise overview of what website operators should know about Disqus and data protection and which mandatory information belongs in the website's privacy policy.
The presentation is based on publicly available information from the provider and on publicly researchable sources; it does not replace a case-by-case review.
A. Purpose and Functionality of Disqus
Disqus is a hosted comment and discussion system that website operators – in particular blogs, online magazines and news portals – embed into their websites via a JavaScript embed (embed.js). The comments are stored not on the operator's own infrastructure but on Disqus's servers and are integrated into the website via an iframe or via JavaScript.
The core integration function covered on this page is the embedded comment widget: visitors to the website can read posts, write comments, vote and reply to other comments. Disqus also provides a central Disqus user account that allows users to participate in discussions across platforms. Other functions such as audience-network advertising, reaction widgets or recommendations are not covered in detail here, but they follow the same data-protection principles.
Disqus was acquired in 2017 by Zeta Global Holdings Corp. Zeta Global describes itself as a marketing and data technology company that uses data to build target-group and advertising profiles. This corporate affiliation is central to the data-protection assessment of the Disqus embed.
B. Disqus in the Privacy Policy – What Mandatory Information Is Required?
The GDPR requires the privacy policy to contain, alongside general information on the website operator, the rights of the data subject and the supervisory authority, the following mandatory information with regard to the tools used: the purposes of processing (Art. 13 (1) (c) GDPR); the legal bases (Art. 13 (1) (c) GDPR); where processing is based on legitimate interests, the specific interests pursued (Art. 13 (1) (d) GDPR); the recipients or categories of recipients (Art. 13 (1) (e) GDPR); information on transfers to third countries and the safeguards (Art. 13 (1) (f) GDPR); and the storage period or the criteria used to determine it (Art. 13 (2) (a) GDPR). If the data are not collected directly from the data subject, the categories of data processed must additionally be named (Art. 14 (1) (d) GDPR).
These mandatory items will now be broken down for Disqus. One important preliminary remark: it is not necessary to address every single tool – including Disqus – with a separate boilerplate clause in the privacy policy. This "boilerplate-per-tool" practice is widespread, but it produces long, repetitive, lawyer-drafted passages that make the privacy policy hard to maintain and barely understandable for readers. That conflicts with the transparency requirement of Art. 12 (1) GDPR.
A topic-oriented approach is more appropriate: processing activities are described by topic (third-party content, tracking, server operation …) and the specific service providers used – such as Disqus – are listed in an appendix titled "Recipients". This is exactly the methodology used by the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Disqus
According to publicly available information, the contractual partner for website operators is:
- Disqus, Inc.
- 3 Park Avenue, 33rd Floor, New York, NY 10016, USA
- Country: USA
- Parent company: Zeta Global Holdings Corp. (USA)
- Privacy policy: https://help.disqus.com/en/articles/1717103-disqus-privacy-policy
- Cookie overview: https://help.disqus.com/en/articles/1717155-use-of-cookies
As Disqus is based in the USA, data is transferred to a third country. Whether Disqus, Inc. or Zeta Global Holdings Corp. are certified under the EU-US Data Privacy Framework (DPF) must be verified by the website operator on a case-by-case basis using the official DPF list (https://www.dataprivacyframework.gov/s/participant-search). According to the publicly available information in the Disqus privacy policy, the provider relies on Standard Contractual Clauses (SCCs) of the EU Commission for transfers from the EEA.
D. Data Processing by Disqus – Step by Step
embed.js – click and interaction data within the widget. When a comment is posted, user-generated content and – if a Disqus account is used – user account data are additionally transmitted.
https://privacyportal-cdn.onetrust.com/dsarwebform/bc2d3301-11a5-4de5-b15e-ce796187a352/9a049fa1-37af-4598-a87a-d0df2e2d904b.html
E. Which Data Disqus Processes
When Disqus is used, the following data are processed according to the publicly available information from the provider: IP address, date and time of the request, referrer, requested URL, browser identifier, operating system, device information, coarse location derived from the IP address, cookie and device IDs, hashed email addresses, click and interaction data within the widget, posted comments and – for logged-in users – Disqus profile data (username, avatar, comment history).
These data can be classified into the following standardised data categories:
- Web server log data: data that the Disqus server receives with each request from the device, in particular IP address, date, time, URL of the requested content, referrer, browser and operating system information, and supplementary technical metadata.
- Click paths: areas of the comment widget accessed and buttons clicked (e.g. up-/downvote, reply, load more), each with date and time.
- Device data: device type, operating system, screen resolution, touch support.
- Browser information: browser name, browser version, possibly installed extensions.
- Coarse location data: location of the user at city or municipality level derived from the IP address.
- User content: content posted by the user in the Disqus widget, in particular comments, replies, ratings (up-/downvotes) and possibly uploaded images or files.
- User account data: when a Disqus account is used: username, email address, avatar, login history, linked devices.
- User profiles: interests, segment assignments and usage histories determined for a user by the provider or by Zeta Global.
- Conversion events: in advertising scenarios, user interactions defined as relevant by the advertiser, e.g. visits to specific pages or clicks on advertisements.
F. What the Website Operator Uses the Data for When Using Disqus
The website operator typically uses Disqus to provide visitors with a comment and discussion function on its own website without having to develop and host such a function in-house. In addition, the operator can analyse reach and engagement data for its posts and – if Disqus's advertising functions are used – generate advertising revenue or measure advertising performance.
The purposes that the website operator typically pursues when using Disqus can be classified into the following standardised purpose categories:
- Provision of functionality: providing the comment and discussion function on the website, including displaying existing comments, posting new comments, replying and voting.
- Security and abuse prevention: detecting and preventing spam, abusive contributions and bot use; authenticating comment authors.
- General product improvement: analysing which posts generate particularly many reactions in order to align the editorial offering with user interests.
- General marketing: reach analysis and performance measurement of content with regard to user engagement.
- User profile creation and user-individual marketing: where Disqus's/Zeta Global's advertising and audience functions are used, building user profiles and aligning advertising with individual interests.
- Legal enforcement: assertion, exercise or defence of legal claims, e.g. in the case of unlawful comments.
G. Legal Bases for Using Disqus
In terms of how it works, Disqus falls into the category of third-party content / user-generated content with a tracking (marketing) component: it is externally embedded content from a US provider that already triggers connections to third-party servers when the page is loaded, can set cookies, and – according to the provider's own statements – processes data for marketing and profiling purposes.
Because of this advertising and tracking component and the direct embedding of third-party servers, the legal basis is regularly consent under Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TDDDG – depending on whether the device is accessed or only a connection to a third-party server is established, in the form of a third-party content consent, a function consent or a marketing consent.
Where the website operator only loads the Disqus widget after the user has actively consented (e.g. via a consent banner or an interstitial click area), the consent is the legal basis. For the processing of any consent records, additional legal bases such as legal obligations (Art. 7 GDPR, Art. 24 (1) GDPR) and legitimate interests in legal enforcement (Art. 6 (1) (f) GDPR) come into consideration.
The specific legal basis depends on the individual case and must be assessed by the website operator, in particular depending on how the widget is embedded, whether a consent management system is in place and whether Disqus's advertising functions are active.
Because of the marketing and profiling background (Zeta Global), Disqus is regularly viewed critically in the GDPR context. Embedding without effective consent is legally risky; EU supervisory authorities have in the past objected to third-party embeds with an advertising component.
H. Special Aspects and Notes on Using Disqus
- Third-country transfer / DPF: Disqus, Inc. is based in the USA. Any DPF certification of Disqus or Zeta Global must be verified by the website operator using the DPF list. According to publicly available information, Disqus relies on EU Standard Contractual Clauses.
- Corporate group: Disqus, Inc. is a subsidiary of Zeta Global Holdings Corp. The provider itself states that data are shared with Zeta Global and used further for marketing purposes.
- DPA: Whether and in what form Disqus offers a Data Processing Agreement under Art. 28 GDPR or a Joint Controllership arrangement under Art. 26 GDPR must be clarified via the Disqus help centre or directly with the provider. Where Disqus acts as an independent controller for advertising, no DPA applies in that respect.
- Opt-out / data subject rights: Users can exercise data subject rights via Disqus's OneTrust DSAR portal (link see Section D above). Industry-standard opt-outs additionally apply to advertising tracking (e.g. https://www.youronlinechoices.eu/).
- Cookies: According to its own cookie information, Disqus uses first-party and third-party cookies, including disqus_unique, __qca, testCookie as well as cookies of sub-processors such as scorecardresearch.com and quantserve.com.
- Settings for the website operator: In the Disqus admin area, data-protection-relevant options can be configured, in particular the display of advertisements ("Ads"), the data sharing with Zeta Global ("Data Sharing") and moderation. Website operators should actively review these toggles and configure them in a privacy-friendly way where possible.
- Two-click / consent solution: Embedding the Disqus widget only after the user has actively consented (e.g. via a consent banner or an interstitial click area) significantly reduces the data-protection risk.
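The two-click approach from the last bullet, as an added example (not code from Disqus or matterius): embed.js is requested only after a click on a placeholder element or when an earlier consent decision is stored. The shortname `example-forum`, the storage key and the element ids `disqus-consent` and `disqus-embed` are assumptions.

```javascript
// Added example: two-click loader. No request reaches disqus.com before consent.
// Assumptions: shortname "example-forum", storage key and element ids are placeholders.
const CONSENT_KEY = "consent.disqus"; // hypothetical key name

function hasConsent(storage) {
  return storage.getItem(CONSENT_KEY) === "granted";
}

// Injects embed.js exactly once; returns true if a script tag was added.
function loadDisqus(doc, shortname) {
  // Conservative allow-list so the value can only ever be a host label.
  if (!/^[a-z0-9-]+$/i.test(shortname)) throw new Error("invalid shortname");
  if (doc.getElementById("disqus-embed")) return false;
  const script = doc.createElement("script");
  script.id = "disqus-embed";
  script.src = "https://" + shortname + ".disqus.com/embed.js";
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Loads immediately if consent is stored; otherwise waits for a click on the
// placeholder element (id "disqus-consent") shown in place of the widget.
function initComments(doc, storage, shortname) {
  if (hasConsent(storage)) return loadDisqus(doc, shortname);
  const placeholder = doc.getElementById("disqus-consent");
  if (!placeholder) return false; // fail closed: no consent UI, no embed
  placeholder.addEventListener("click", () => {
    storage.setItem(CONSENT_KEY, "granted");
    loadDisqus(doc, shortname);
  }, { once: true });
  return false;
}

// Withdrawal: forget the decision; an already-running embed only goes away on reload.
function revokeConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Browser bootstrap; the page is assumed to contain <div id="disqus_thread">.
if (typeof document !== "undefined") {
  initComments(document, window.localStorage, "example-forum");
}
```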
This presentation is based on publicly available information from the provider and on publicly researchable sources. It does not replace a case-by-case legal review of the actual use of Disqus.
I. FAQ on Disqus and Data Protection
J. Conclusion on Disqus and Data Protection and Next Step
Disqus is a US-based comment system with corporate ties to a marketing and data group (Zeta Global). When used on a website, the embed alone already transmits web server log data, click paths, device and browser information, coarse location data and – when commenting – user-generated content and user account data to Disqus. According to the provider, data are also used for profiling and target-group advertising. Because of this tracking and marketing component, consent is regularly the appropriate legal basis.
It is generally not advisable for the website operator to address every single tool – including Disqus – with its own boilerplate clause in the privacy policy. Such clauses make the privacy policy long, hard to maintain and barely understandable for readers, which conflicts with the transparency requirement of Art. 12 (1) GDPR.
A structured, topic-oriented approach is more appropriate: processing activities are described in general terms by topic block (third-party content, user-generated content, tracking, server operation …); Disqus is mentioned only in the appendix "Recipients" as a specific service provider used. This is the methodology of the matterius generator.
This article serves as general information on Disqus and does not replace legal advice in an individual case. Status: 7 May 2026.
K. Curator of This Page on Disqus and Data Protection
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com