Disqus is a third-party comment hosting platform that enables website owners to embed a discussion section directly into their pages. It loads a JavaScript widget that sets persistent tracking cookies and builds cross-site user profiles for advertising purposes. Under GDPR and the ePrivacy Directive, loading Disqus requires prior user consent because it deploys third-party tracking cookies and transfers personal data to Disqus Inc. in the United States before any comment is posted.
Disqus is a cloud-based comment hosting platform founded in 2007, now owned by Zeta Global and headquartered in the United States. It is embedded on millions of websites as a third-party JavaScript widget that replaces or supplements native comment systems. When a visitor loads a page where Disqus is embedded, the script contacts Disqus servers, loads the comment thread, and simultaneously sets tracking cookies, regardless of whether the visitor interacts with the comment section. Disqus is widely used for its ease of integration, spam filtering, and social login options, but its tracking behaviour raises significant GDPR and ePrivacy compliance concerns for any website targeting European visitors.
When Disqus loads, it sets several persistent cookies including disqus_unique (a unique visitor identifier), __jid (session tracking), and G_AUTHUSER_H (authentication state for social login). Disqus collects the visitor IP address, browser fingerprint, referring URL, pages visited, and interaction data. If the visitor is logged into a Disqus or social account, this browsing data is linked to a personal profile. The collected data is used to serve targeted advertising across the Disqus ad network and is shared with advertising partners. The cross-site nature of the Disqus cookie means data is collected even on websites the visitor has never directly engaged with.
Disqus falls squarely within the scope of the ePrivacy Directive because it stores and reads third-party tracking cookies on the user device. Under Article 5(3) of the ePrivacy Directive, prior informed consent is required. Under GDPR Article 6(1)(a), processing personal data for advertising profiling also requires consent. Legitimate interest cannot serve as the legal basis for cross-site tracking used for advertising, as confirmed by multiple EU data protection authority decisions. Loading Disqus without prior consent constitutes a violation of both the ePrivacy Directive and GDPR.
Disqus is a US company and processes all data on US-based servers. Data transfers from the EU to the US are subject to GDPR Chapter V requirements. Disqus relies on the EU-US Data Privacy Framework (DPF) for transatlantic transfers. Website owners must verify that Disqus maintains a valid DPF certification and must disclose these transfers in their privacy policy. If DPF certification lapses or is invalidated by a future court ruling, Standard Contractual Clauses (SCCs) are required as a fallback transfer mechanism.
The only valid legal basis for embedding Disqus on a website targeting EU visitors is freely given, specific, informed, and unambiguous consent. Disqus must not be loaded until the visitor actively accepts the relevant cookie category. The script tag must be blocked by default and only activated after consent is recorded. A consent management platform (CMP) that supports third-party script blocking for comment embeds is required. Visitors must be able to withdraw consent as easily as they gave it, which means the comment section must unload when consent is revoked.
To use Disqus in compliance with GDPR and ePrivacy:
(1) Block the Disqus embed script by default using a CMP with script-blocking capabilities.
(2) Show a placeholder with a clear consent notice in place of the comment section before consent is given.
(3) List Disqus in your cookie policy under the advertising or social media category with accurate cookie names and durations.
(4) Disclose the US data transfer and the applicable transfer mechanism (DPF or SCCs) in your privacy policy.
(5) Include Disqus in your record of processing activities and assess whether a DPIA is required.
(6) Consider privacy-friendly self-hosted alternatives such as Commento or Remark42 if consent acceptance rates are low.
Websites using Disqus must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA should be considered for websites with significant EU traffic that embed Disqus, given that Disqus builds cross-site advertising profiles and transfers data to the US. The combination of persistent tracking cookies, cross-site audience profiling, and third-country data transfers constitutes high-risk processing under Art. 35 GDPR.
Sample consent text
We use Disqus to provide a comments section on this website. Disqus uses cookies and collects data about your browsing activity to build audience profiles for advertising. Data is transferred to and processed by Disqus Inc. in the United States. Please accept to load the comments section.
Third-party domains contacted
disqus.com, c.disquscdn.com, disqusads.com, referrer.disqus.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| disqus_unique | persistent | 2 years | Assigns a unique identifier to the visitor for comment tracking and moderation purposes |
| __jid | session | session | Stores Disqus session data to maintain user login state in the comment widget |
| G_AUTHUSER_H | persistent | 1 year | Stores the authenticated Google user index for single sign-on in Disqus |
| disqusauth | persistent | 1 year | Authentication token used to keep the user logged in to Disqus across sessions |
Yes. Disqus sets persistent cross-site tracking cookies as soon as the page loads, before any visitor interaction. Under the ePrivacy Directive, prior consent is required for any non-essential cookie stored on a user device. Under GDPR, the advertising profiling carried out by Disqus also requires consent under Art. 6(1)(a). You must block the Disqus script until the visitor actively accepts the relevant cookie category.
Disqus sets several persistent cookies: disqus_unique (a cross-site visitor identifier, 2 years), __jid (session tracking, session duration), G_AUTHUSER_H (social login authentication state, 2 years), and disqusauth (Disqus login token, 1 year). These cookies enable visitor identification, session management, social authentication, and cross-site audience profiling for advertising purposes.
The only valid legal basis for loading Disqus on a website targeting EU visitors is consent under Article 6(1)(a) GDPR. Legitimate interest cannot be relied upon for cross-site tracking used for advertising profiling, as confirmed by multiple EU data protection authority decisions. No other legal basis applies to the advertising and tracking components of Disqus.
Yes. Disqus is owned by Zeta Global and processes all data on US-based servers. Data transfers from the EU to the US are subject to GDPR Chapter V. Disqus relies on the EU-US Data Privacy Framework (DPF) for these transfers. You must disclose this transfer in your privacy policy and verify that Disqus maintains a valid DPF certification. If the DPF is invalidated, Standard Contractual Clauses (SCCs) must be in place as a fallback.
A Data Protection Impact Assessment (DPIA) should be considered if your website has significant EU traffic and embeds Disqus, particularly because Disqus combines persistent cross-site tracking, advertising audience profiling, and US data transfers. These three factors together constitute high-risk processing under Article 35 GDPR, which may trigger the DPIA requirement. Consult with your DPO to determine whether a formal DPIA is necessary.
Use a consent management platform (CMP) that supports third-party script blocking. Configure the CMP to block the Disqus embed script by default and inject it only after the visitor actively accepts the advertising or social media cookie category. Display a consent-gated placeholder in place of the comment section before consent is given. Ensure that consent withdrawal removes the Disqus widget from the page and stops all associated data processing.
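The blocking steps listed earlier and this answer both come down to a loader that injects the Disqus script only after an opt-in and takes the widget down again on withdrawal. The following is an added example, not FlowConsent's or Disqus's own code: `createDisqusGate`, `STORAGE_KEY` and the `SHORTNAME` placeholder are assumptions, while the `#disqus_thread` container and the `embed.js` URL follow Disqus's standard embed snippet.

```javascript
// Added example: consent-gated Disqus loader (not the vendor's code).
// createDisqusGate, STORAGE_KEY and SHORTNAME are hypothetical names;
// #disqus_thread and embed.js follow Disqus's standard embed snippet.
const STORAGE_KEY = "consent.disqus"; // first-party record of the opt-in

function createDisqusGate(doc, storage, shortname) {
  const thread = doc.getElementById("disqus_thread");
  let script = null;

  function showPlaceholder() {
    // While this is shown, no request goes to any Disqus domain.
    thread.textContent =
      "Comments are provided by Disqus. Accept to load the comments section.";
  }

  function load() {
    if (script) return; // already injected, do not add a second tag
    thread.textContent = "";
    script = doc.createElement("script");
    script.src = "https://" + shortname + ".disqus.com/embed.js";
    script.setAttribute("data-timestamp", String(Date.now()));
    doc.head.appendChild(script);
  }

  return {
    // Call on every page load: only a recorded opt-in loads the widget.
    init() {
      if (storage.getItem(STORAGE_KEY) === "granted") load();
      else showPlaceholder();
    },
    grant() {
      storage.setItem(STORAGE_KEY, "granted");
      load();
    },
    // Withdrawal: forget the opt-in, drop the script tag and the widget.
    // Cookies on disqus.com are third-party and cannot be deleted from here.
    revoke() {
      storage.removeItem(STORAGE_KEY);
      if (script) { doc.head.removeChild(script); script = null; }
      showPlaceholder();
    },
    isLoaded: () => script !== null,
  };
}

// Browser usage (SHORTNAME is a placeholder for your Disqus shortname):
if (typeof document !== "undefined" && document.getElementById("disqus_thread")) {
  createDisqusGate(document, localStorage, "SHORTNAME").init();
}
```

Wire `grant()` and `revoke()` to the accept and withdraw controls of your consent banner so that withdrawing is as easy as accepting.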
Yes. Several self-hosted comment systems avoid third-party data transfers entirely. Commento and Remark42 are open-source alternatives that run on your own infrastructure with no cross-site tracking or advertising profiling. For websites that prioritise privacy compliance, a native WordPress comment system or a fully self-hosted solution is the most GDPR-compliant option for user-generated comments.
In your cookie policy, list each Disqus cookie (disqus_unique, __jid, G_AUTHUSER_H, disqusauth) with its name, category (advertising or social media), duration, and purpose. In your privacy notice, include Disqus as a third-party processor, describe its advertising profiling activities, state the legal basis (consent), and disclose the US data transfer with the applicable mechanism (DPF or SCCs). Update both documents whenever Disqus changes its cookie behaviour.