Fathom Analytics

CCPA Compliant Website Analytics

DRAFT. This page is currently a draft and is still undergoing internal review by our privacy officer. We expect to finalize it by 18th January 2021.

Disclaimer: The information below is not legal advice, and we don’t accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding CCPA compliance, please forward this page to your legal team.

The California Consumer Privacy Act (CCPA) is a law intended to protect California citizens’ privacy in a GDPR-like fashion. It’s the first consumer privacy act in the United States, which is incredibly exciting, and other areas of the United States are also getting involved. New York has four pending consumer privacy bills at the time of writing, and we hope to see the rest of the country follow suit in time. Fun fact, we actually co-signed a letter that our friends at DuckDuckGo wrote, along with 23 other tech companies, pushing for amendments to the existing law.

The CCPA ensures the following privacy rights for California consumers:

So it’s a completely reasonable law, and it’s evident why it was introduced. This is why Fathom fully supports this law and other laws that protect digital privacy.

Do I need to comply with CCPA?

Many people mistakenly believe that the CCPA doesn’t apply to them. But it’s important to remember that it’s not all about revenue, it’s also about users. So if you had a popular website with tens of thousands of users, you could find yourself needing to comply with CCPA.

You need to comply with the CCPA if you do business in California and meet any of the following:

  1. Have $25 million or more in annual revenue
  2. Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices
  3. Earn more than half of your annual revenue selling California residents’ personal data

Keep in mind that the CCPA might apply to you even though you’re not based in California or intentionally target California residents, as long as you have at least 50,000 Californians using your service.

So please make sure you’re clear if CCPA applies to you (regardless of where your company is based).

Is Fathom Analytics CCPA compliant?

Yes. In section 1798.145(5), they have made exceptions to what the CCPA applies to. You should still be careful with what information you collect about your website visitors, and you should check with your legal team if you're not certain about your CCPA compliance.

The exception is as follows:

“The obligations imposed on businesses by this title shall not restrict a business’ ability to … Collect, use, retain, sell or disclose consumer information that is de-identified or in the aggregate consumer information.”

“De-identified” is defined in 1798.140(h) as follows:

“De-identified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses de-identified information:

  1. Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain
  2. Has implemented business processes that specifically prohibit reidentification of the information.
  3. Has implemented business processes to prevent inadvertent release of de-identified information.
  4. Does not attempt to reidentify the information.

Fathom adheres to all 4 of these conditions, and we take the privacy of your website visitors very seriously.

Clarip, a privacy governence platform, has a great page here on deidentified & aggregate information too:

Businesses only need to disclose or delete personal information, defined as information that can be linked to a particular individual, device or household. If information is deidentified or aggregated, then it can be kept or sold.

However, when businesses decide to deidentify personal information, they need to make sure that it is not possible to subsequently re-associate it with a particular person. This has been the subject of much study over the past few years and there have been cases where people have been able to associate deidentified data with a particular person through a small number of data points when combined with external information about a particular person. Businesses that engage in this process need to be careful that they are not falling into a trap and thinking there personal information is covered when it is not.

As we stated above, we take de-identification very seriously, and we detail everything in our privacy-first data journey document.

Conclusion

Fathom collects an absolutely minimal amount of personal information. We process the IP Address, keep it in our access logs (which are automatically deleted after 24 hours), and then we de-identify the data. We never want to tie IP Address behaviour to actual individuals, so we don’t keep that data. You can read more about this in our Data Journey. Unlike most analytics companies, we aren’t interested in identifying individuals, and we’ve got deidentification built into the core of our software. Digital privacy is our number one priority.

Based on the above information, yes, we believe that Fathom Analytics is compliant with CCPA.

Check out our compliance to other privacy-focused laws:

Or return to our main compliance page.