GDPR-Compliant Comment Systems: A Real Comparison
Look, I'm going to be honest with you. I spent way too many hours researching GDPR and comment systems because I made the mistake of using Disqus on my site. Then I got an email from a reader in Germany asking about my privacy policy, and I realized I had no idea what data Disqus was actually collecting.
That spiraled into a rabbit hole of GDPR regulations, privacy policies written by lawyers who get paid by the word, and a genuine "oh crap" moment when I realized how much liability I'd taken on just to have a comment box.
So I did the research. Here's what I learned about comment systems that won't land you in legal trouble with the EU.
What Does GDPR-Compliant Even Mean?
Before we get into specific platforms, let's talk about what GDPR actually requires. And no, I'm not a lawyer, so don't take this as legal advice. But here's the gist in normal human language:
You need a lawful basis for collecting data, and you can only collect what you actually need for the stated purpose (the regulation calls this data minimisation). You can't just hoover up everything and figure out what to do with it later.
Where consent is that basis, it has to be freely given, specific, informed, and given before the processing starts, not a click through a wall of text nobody reads. Things that are strictly necessary for what the visitor asked for (posting their comment, staying logged in) don't need consent; cross-site tracking does.
If someone asks for their data, you have to give it to them (access). If they want it deleted, you delete it (erasure). If they want to take it somewhere else, you let them, in a machine-readable format (portability).
And you can't just hand people's data over to random third parties. Anyone processing it for you needs a contract that says what they may do with it, and a vendor that uses it for its own purposes needs its own legal basis and has to be named to your visitors.
The problem is that most comment systems were built before anyone cared about this stuff. They were designed to collect as much data as possible because that's how you make money from free users. GDPR came along and said "yeah, you can't do that anymore." And the part that matters for you: it's your site, so you're the controller. The vendor's script does the collecting, but the responsibility doesn't go away because someone else wrote the script.
Let's Talk About Disqus
I used Disqus for two years. It was easy to set up, it worked everywhere, and it was free. Then I actually read their privacy policy.
Disqus tracks you across every website that uses their system. They know what articles you read, what you comment on, how long you spend on pages. They build advertising profiles and sell that data. The free version literally says in their privacy policy: "Disqus is also a marketing and data company, and uses and shares personal data collected from third party sites where our Service is enabled for marketing purposes, including cross-context behavioral advertising."
And here's the thing that really got me: Disqus makes 70 or more HTTP requests per page load. The embed runs for every visitor who loads the page, so people are profiled whether or not they ever comment. That's not a comment system; that's surveillance infrastructure with a comment box attached.
Can you make Disqus GDPR-compliant? Technically, yes. You need one of those annoying cookie consent banners that asks users to agree to something like 40 different tracking purposes, and the banner has to actually hold the embed back: the script tag can't be on the page until the visitor has said yes, because the moment it loads, the requests have already gone out. Most people will just leave rather than deal with it.
Oh, and about "technically compliant"? The Norwegian Data Protection Authority fined Disqus 25 million NOK (about €2.5 million) in 2021 for tracking "several hundred thousands of individuals" across Norwegian news sites without proper consent. It found the tracking could reveal users' political opinions, which is special-category data. Disqus initially didn't even realize GDPR applied to Norway (spoiler: it does; Norway is in the EEA).
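If you'd rather measure this for your own site than take anyone's number on faith, here is an added example written for this comparison (not code from Disqus or from any other project on this page). It takes the browser's resource-timing entries, groups them by host and separates first-party from third-party requests. The sample entries, every hostname in them and the example.org first-party host are constructed for the example, not measured from a real site.

```javascript
// Added example: what does the page actually load, and from whom?
// `entries` has the shape of performance.getEntriesByType('resource'), so in a
// browser console on your own site you can run:
//   auditResources(performance.getEntriesByType('resource'), location.hostname)
// The SAMPLE_ENTRIES below are constructed for this example, not measured.

function isThirdParty(hostname, firstPartyHost) {
  // Plain hostname comparison: sub-domains of your host count as first party.
  // This is not a public-suffix-list check, so on a shared parent such as a
  // "<name>.github.io" style host it would count sibling sites as first party.
  return hostname !== firstPartyHost && !hostname.endsWith('.' + firstPartyHost);
}

function auditResources(entries, firstPartyHost) {
  const perHost = new Map();
  let counted = 0;
  for (const e of entries) {
    let host;
    try { host = new URL(e.name).hostname; } catch { continue; } // malformed URL
    if (!host) continue; // data: and blob: URLs parse but have no host
    counted += 1;
    const rec = perHost.get(host) || {
      host, requests: 0, bytes: 0, kinds: new Set(),
      thirdParty: isThirdParty(host, firstPartyHost),
    };
    rec.requests += 1;
    // transferSize is reported as 0 for cross-origin responses that do not
    // send Timing-Allow-Origin, so third-party byte counts are a floor.
    rec.bytes += e.transferSize || 0;
    rec.kinds.add(e.initiatorType || 'other');
    perHost.set(host, rec);
  }
  const hosts = [...perHost.values()]
    .map(r => ({ ...r, kinds: [...r.kinds].sort() }))
    .sort((a, b) => b.requests - a.requests || a.host.localeCompare(b.host));
  const third = hosts.filter(h => h.thirdParty);
  return {
    totalRequests: counted,
    thirdPartyRequests: third.reduce((n, h) => n + h.requests, 0),
    thirdPartyHosts: third.map(h => h.host),
    hosts,
  };
}

// Constructed sample: one first-party page with its own CDN, a comment
// vendor, a tracker the vendor pulls in, and a web font. Hostnames use the
// reserved .example TLD and example.org, so none of them is a real service.
const SAMPLE_ENTRIES = [
  { name: 'https://example.org/style.css', initiatorType: 'link', transferSize: 4100 },
  { name: 'https://cdn.example.org/hero.jpg', initiatorType: 'img', transferSize: 91000 },
  { name: 'https://comments.vendor.example/embed.js', initiatorType: 'script', transferSize: 0 },
  { name: 'https://comments.vendor.example/api/threads?page=post-1', initiatorType: 'fetch', transferSize: 0 },
  { name: 'https://comments.vendor.example/api/view', initiatorType: 'beacon', transferSize: 0 },
  { name: 'https://ads.tracker.example/pixel.gif', initiatorType: 'img', transferSize: 0 },
  { name: 'https://ads.tracker.example/sync?partner=2', initiatorType: 'img', transferSize: 0 },
  { name: 'https://fonts.typeface.example/inter.woff2', initiatorType: 'css', transferSize: 0 },
  { name: 'data:text/plain,inline', initiatorType: 'img', transferSize: 0 },
];

// Stand-alone run: prints the third-party summary for the sample.
const sampleReport = auditResources(SAMPLE_ENTRIES, 'example.org');
console.log(`${sampleReport.thirdPartyRequests} of ${sampleReport.totalRequests} requests went to third parties:`,
  sampleReport.thirdPartyHosts.join(', '));
```

Run it once with the comment embed on the page and once with it removed; the difference in thirdPartyHosts is what the comment box is costing your readers.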
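Since the banner has to hold the script back, here is what that looks like in code, as an added example written for this page (not Disqus's code and not any consent-manager vendor's). The script tag never appears in the HTML; it is created only after the visitor grants the "comments" purpose. The storage key, the one-year re-ask and the vendor URL are assumptions made for the example, and storage and the script loader are passed in so the same logic can be exercised outside a browser.

```javascript
// Added example: load a third-party embed only after consent.
// Nothing is requested from the vendor until grant() has been called, and a
// script is never injected twice. Storage and the loader are injected so the
// gate can run without a DOM (see memoryStorage below).

const CONSENT_KEY = 'consent:v1';            // hypothetical storage key; bump the version when purposes change
const CONSENT_MAX_AGE_MS = 365 * 24 * 3600 * 1000; // hypothetical policy: ask again after a year

function createConsentGate({ storage, loadScript, now = () => Date.now() }) {
  const pending = new Map(); // purpose -> [src, ...] waiting for consent
  const loaded = new Set();  // scripts already injected on this page

  function read() {
    try { return JSON.parse(storage.getItem(CONSENT_KEY) || '{}'); } catch { return {}; }
  }
  function write(state) { storage.setItem(CONSENT_KEY, JSON.stringify(state)); }

  function allowed(purpose) {
    const entry = read()[purpose];
    // an old "yes" does not count forever, and a "no" is a no
    return !!entry && entry.granted === true && now() - entry.at < CONSENT_MAX_AGE_MS;
  }
  function inject(src) {
    if (loaded.has(src)) return;
    loaded.add(src);
    loadScript(src);
  }
  function flush(purpose) {
    for (const src of pending.get(purpose) || []) inject(src);
    pending.delete(purpose);
  }

  return {
    allowed,
    grant(purpose) { write({ ...read(), [purpose]: { granted: true, at: now() } }); flush(purpose); },
    // Revocation stops future loads; a script already running on this page
    // cannot be unloaded, so a real UI reloads the page after revoke().
    revoke(purpose) { write({ ...read(), [purpose]: { granted: false, at: now() } }); },
    // Call this where the embed would go. Returns true if it loaded now,
    // false if it is parked until the visitor consents.
    requestScript(purpose, src) {
      if (allowed(purpose)) { inject(src); return true; }
      pending.set(purpose, [...(pending.get(purpose) || []), src]);
      return false;
    },
    loadedScripts: () => [...loaded],
  };
}

// Constructed stand-in for localStorage so the gate runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// In a browser (not run here), with a placeholder vendor URL:
//   const gate = createConsentGate({
//     storage: localStorage,
//     loadScript: src => { const s = document.createElement('script'); s.src = src; s.async = true; document.head.appendChild(s); },
//   });
//   gate.requestScript('comments', 'https://comments.vendor.example/embed.js');
//   acceptButton.addEventListener('click', () => gate.grant('comments'));
```

The point of passing the loader in is that the decision ("may this load?") and the side effect ("create the tag") are separate, so the decision can be tested, audited and reused for every third-party script on the site, not just the comment box.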
So yeah, they're still around, still have 71.8% market share, but that fine isn't exactly reassuring when you're trying to stay compliant.
And here's the thing that bothered me most: even with all the consent stuff, you're still asking your readers to trade their privacy for the ability to leave a comment. That felt wrong.
I started looking for alternatives.
Commento: The Cautionary Tale
⚠️ Warning: Project Abandoned
Commento is effectively dead, and it took users' data with it. If you're using Commento right now, start planning your exit strategy.
Commento looked promising when I first researched it. Open source, no tracking, designed with privacy in mind from the start.
Then I dug deeper and found out the hard way: the hosted service might technically still exist at commento.io, but users have been reporting catastrophic data loss. One person in January 2024 lost years of comments without warning, and support just shrugged and said they couldn't restore them. The original developer abandoned the project around 2020-2021. The community fork called Commento++ tried to continue but also stopped development at the end of 2022.
The silver lining: A complete rewrite called Comentario emerged in 2023 and is actively maintained. It's basically what Commento should have been—actually updated, better performance, proper maintenance. If you were considering the self-hosted Commento approach, Comentario is the real successor.
But honestly? This whole saga is exactly why I got frustrated with the existing options. A promising privacy-focused project just... dies. Your comments disappear. And you're left scrambling to migrate or rebuild.
Hyvor Talk: The Privacy-Focused SaaS
Hyvor Talk checked a lot of boxes when I evaluated it. No tracking, no ads, GDPR-compliant by default. They even let you choose where your data is stored geographically, which is nice if most of your readers are in the EU.
💰 Pricing Update
Everywhere you read "$5/month to start"? That's outdated. They removed their free tier entirely back in September 2020.
Current pricing is:
- Premium: €12/month (~$13 USD) for up to 10 sites
- Business: €40/month (~$43 USD) for up to 50 sites with SSO and no branding
- Enterprise: Custom pricing
So we're looking at $13/month minimum for a personal blog, and if you're doing 100k+ pageviews, you'll be in the €40+ range. That starts to feel steep for a comment box.
To be fair, they're actually legit about privacy. No tracking scripts, no data selling, GDPR compliant with servers in Germany. They've been adding features in 2024—newsletters, memberships, LLM-powered spam detection. They're actively developing and seem to genuinely care about privacy.
If I hadn't built CommentBy, I probably would've gone with Hyvor Talk despite the price. It's solid. But I kept thinking: why should a comment system cost more than my entire hosting bill?
Remark42: For the DIY Crowd
Remark42 is the best self-hosted option if you're comfortable with Docker. It's actively maintained—version 1.14.0 came out in October 2024—and it's genuinely privacy-focused.
The technical setup is surprisingly simple if you know Docker: literally docker compose up -d and you're running. It uses BoltDB (an embedded database), so there's no PostgreSQL or MySQL to run alongside it. The resource usage is ridiculously low: under 0.1% CPU and about 80MB RAM on production sites.
Features are solid: social login options, anonymous commenting, image uploads, voting, import from Disqus/WordPress. It's legitimately feature-rich.
GDPR compliance is excellent. Minimal data collection (only hashed user IDs and usernames), no tracking scripts, built-in data export and deletion. One caveat: a hashed ID is pseudonymised, not anonymised, so the record is still personal data, and it's the export and deletion features that make this compliant, not the hashing by itself. Multiple European sites explicitly cite Remark42 in their privacy policies as compliant.
The downside is the same as any self-hosted solution: you're managing infrastructure. Even with Docker making it easy, you're still responsible for updates, security patches, keeping your VPS running. You're also now the only party handling the data, so access and deletion requests land on you, and the reverse proxy in front of Remark42 is writing visitor IP addresses to its access log, which is personal data too: give those logs a retention period. That's fine if you're technical and want control. For a blogger who just wants comments to work? It's overhead you probably don't need.
CommentBy: Why I Built My Own
Full transparency: I built CommentBy because I was frustrated with all of these trade-offs.
I didn't want to pay $13-40/month for something that should be simple. I didn't want to manage Docker containers and worry about server updates. And I definitely didn't want to use a system that might just disappear one day, taking all my comments with it.
Most importantly, I didn't want to make my readers click through consent forms and wonder what data was being collected just to leave a comment.
So I built what I actually wanted: privacy-first by default, dead simple to set up, doesn't require managing servers, and doesn't cost $25/month for a modest blog.
No tracking, period. We don't collect the data that would make compliance complicated. No advertising profiles, no cross-site tracking, no behavioral analytics. Just comments. That's it.
GDPR-compliant out of the box. Not "compliant with the right cookie banner"; actually compliant because we fundamentally don't collect problematic data. You don't need a consent form for comments that only collect what's necessary for the comment to work. (You still name the vendor as a processor in your privacy policy and have a data processing agreement with them; that's a paragraph and a signature, not a consent wall.)
Actually affordable. Pricing starts at $3/month because I wanted it to be accessible for people running small sites. I'm not trying to build a huge company here. I just wanted a comment system that doesn't suck and doesn't spy on people.
Simple setup. Copy one script tag, paste it where you want comments. That's it. No Docker, no PostgreSQL, no configuration files. Works in minutes.
Your data stays yours. Comments export to standard formats. If you want to leave CommentBy someday, you can take everything with you. No lock-in.
I know this sounds like a sales pitch. It kind of is. But it's also just the truth about why CommentBy exists—I was sick of choosing between privacy, affordability, and simplicity when all three should be table stakes.
A Quick Comparison
| | Disqus | Commento | Hyvor Talk | Remark42 | CommentBy |
|---|---|---|---|---|---|
| Tracks users | Yes | N/A | No | No | No |
| Shows ads | Yes | N/A | No | No | No |
| Shares data with third parties | Yes | N/A | No | No | No |
| Needs cookie banners | Yes | N/A | No | No | No |
| Requires self-hosting | No | Dead | No | Yes | No |
| Easy to set up | Yes | N/A | Yes | Medium | Yes |
| Starting cost (2025) | Free* | Dead | €12/mo | Free** | $3/mo |
| Active maintenance | Yes | No | Yes | Yes | Yes |
*The usual "if it's free, you're the product" caveat applies, plus that €2.5M GDPR fine history
**Free software, but you pay for hosting (~$4-6/month VPS) and your time managing it
What Should You Use?
Depends on what matters most to you.
If you're technical and want complete control: Go with Remark42. It's actively maintained, privacy-focused, and gives you full ownership. Just be ready to manage a VPS and handle updates.
If you want a managed service and don't mind paying more: Hyvor Talk is solid. They've been around for a while, they're serious about privacy, and they keep adding features. Just budget €12/month minimum, not the "$5" you might have read in older articles.
If you're currently using Disqus and feeling anxious about GDPR: Start planning your exit. That €2.5 million fine from Norway wasn't a one-off mistake—it showed a pattern of tracking users without proper consent. The legal risk might be small, but more importantly, do you really want to be in the business of surveilling your readers?
If you're using Commento: Seriously, migrate now. The reports of data loss are real, and the project is abandoned. Your comments could disappear tomorrow.
If you want something simple, privacy-focused, and won't break the bank: This is literally why I built CommentBy. At $3/month, it's cheaper than Hyvor Talk, simpler than self-hosting Remark42, and won't disappear like Commento did. But I'm obviously biased.
The Migration Question
I know what you're thinking: "I already have comments in [current system]. What happens to those?"
Most alternatives let you import existing comments. CommentBy supports imports from Disqus, WordPress, and standard formats. Hyvor Talk has import tools. The self-hosted options have various import scripts.
The actual process is usually:
- Export your data from current system
- Set up the new system
- Import the old comments
- Swap out the embed code on your site
Takes an hour or two, not including the time waiting for exports and imports to process. Keep the raw export file; it's your backup if the import mangles threading or timestamps. And once the old embed is gone, check that nothing of it is still loading: consent-manager entries and cached templates have a way of keeping old script tags alive. It's not fun, but it's not impossible either.
Why This Actually Matters
Here's the thing: GDPR isn't just bureaucratic nonsense. The fines can be massive, sure—€2.5 million is real money. But beyond that, it's actually forcing us to think about whether we should be collecting all this data in the first place.
Do you really need to know everywhere your readers go on the internet just to let them comment on your blog post? Of course not.
The best way to be GDPR-compliant is to not collect the data that would get you in trouble. Then you don't need complicated consent flows, you don't need to hire a lawyer to review your privacy policy every six months, and you don't need to worry about whether you're accidentally violating someone's privacy rights.
You just... don't have the problem.
That's the philosophy behind CommentBy. Don't collect what you don't need. Make privacy the default, not an add-on feature.
My Recommendation
Pick a system that's privacy-first by design. Whether that's CommentBy, Hyvor Talk, or self-hosted Remark42 doesn't matter as much as making sure you're not building your comment system on top of an advertising platform.
Your readers will appreciate it, even if they never say so. And you'll sleep better knowing you're not one data breach or regulatory change away from a problem.
And if you're still using Disqus, maybe start thinking about that migration. Not just because of the €2.5M fine—though that should give you pause—but because in 2025, we can do better than making our readers choose between commenting and their privacy.
Or check out any of the other options I mentioned—Hyvor Talk if you don't mind paying more, Remark42 if you want to self-host. The important thing is making a choice that doesn't treat privacy as an afterthought.
Because honestly, in 2025, we can do better than that.