ePrivacy Compliant Website Analytics
Disclaimer: The information below is not legal advice, and we don’t accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding ePrivacy compliance, please forward this page to your legal team.
Being compliant with the ePrivacy Directive (ePD) is important for businesses targeting people in the EEA who don’t want to risk fines. We’re going to do a brief dive into the background behind ePrivacy, and how it relates to website analytics, and then we’ll get into how we ensure ePrivacy Directive compliance.
What is the ePrivacy Directive (ePD)?
The Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications is an EU directive created to protect the digital privacy of EU citizens. It addresses the confidentiality of data, spam, cookies and similar technologies.
Because it’s a directive, it means that member states of the European Union have some flexibility over their exact implementation. The ePrivacy Regulation was actually planned to come into effect in May 2018, alongside the GDPR, but it still hasn’t been adopted at the time of writing.
When the regulation goes into effect, all EU members will adopt it fully in their national legislation, and there won’t be any nuance (like there is with the ePrivacy directive).
Is Fathom compliant with the ePrivacy directive?
Whilst there’s clearly a grey area about laws like this, we’ve consulted with legal experts on privacy, tech and EU law, talked through our approach and put together our stance on it. Again, we’re not lawyers, so we can’t issue legal advice, but we can share our legal justification.
Article 5(3) of the ePrivacy directive states the following:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
For those of you who are technical, it’s evident why they’ve put this into place. It’s to stop the invasive practice of fingerprinting that various advertising and analytics companies utilize. Long story short, various advertising & analytics companies will grab an absolute ton of information from your machine (Terminal Equipment) to identify you accurately. And they’ll often be able to do this over the course of months, having the ability to build up an extensive amount of information about you. Now imagine that an analytics company is doing this, and it’s being used on millions of websites, following you wherever you go. Any sane person can see why this is a disaster, and it’s clear why this law is essential.
Take a look at this website to see all of the metrics these companies will look at. This is why they’ve worded it as “Terminal Equipment,” because it then covers things like screen height, screen width, timezone, browser settings, supported video formats, WebGL and various other things. And this is why we’ve gone to great lengths at Fathom to ensure our software can establish uniques without doing this.
At Fathom, we don’t fingerprint your machine using all of this information. Instead, we rely on an IP Address (assigned by your ISP, not stored on your Terminal Equipment) and User-Agent (sent to our servers by your browser, not accessed from your Terminal Equipment).
A quick sidebar on IP Address and User Agents. We produce pseudo-anonymized hashes (which are practically anonymous since it’s practically impossible to identify a user from them, but we have to say “pseudo” because, under GDPR, it technically is when you have trillions of dollars) to identify uniques. We do this because there’s no world in which we’d be comfortable fingerprinting users using the information we spoke about above. Even if ePrivacy didn’t exist, we still wouldn’t do it. We aim to provide customers with privacy-first software, allowing them to gain insight into their website without invading their visitors’ privacy.
After 24 hours, the hashes become anonymized, as we lose the salts (cycled every 24 hours) used to generate them. Even if you had all of the salts for a day, and you had the hashes, you’re not going to be able to brute force things, as you’d have to try every single possible IP Address, User-Agent, Website Address and Salt to brute force it. We’ve done the research, and brute-forcing a 256-bit hash would cost 10^44 times the Gross World Product (GWP). 2019 GWP is US$88.08 trillion, so you’re just not going to do it. But it’s theoretically possible if you have 10^44 x $88.08 trillion burning a hole in your pocket.
That’s our stance on the ePrivacy Directive. We also believe that the ePrivacy Regulation will be much more friendly to companies that are privacy by design (hey, that’s us).
Does Google Analytics comply with the ePrivacy Directive?
At time of writing, Google Analytics sets various cookies on your machine and is likely a huge part of the reason why the ePrivacy Directive exists. Google is an advertising company, they’re not offering “free” analytics because they’re feeling generous. If you want to make Google Analytics comply with the ePrivacy Directive, we believe that you’ll need to ask for user consent. Most people will use those big footer banners that take up half of their website page.
The future for this directive is for it to be replaced with the ePrivacy Regulation, i.e. an EU law that will apply fully to all EU member states (and EEA countries) and will be implemented in the same way. And that’s something we can look forward to. It’s still a proposal but here’s what we can potentially look forward to:
- We’ll see simpler, stronger rules, and there won’t be different implementations of a directive for each country.
- Improved spam protection
Overall, the ePrivacy Directive (and upcoming ePrivacy regulation) has been a great move for the internet, and at Fathom, we’ll keep on top of things and remain compliant.
Check out our compliance to other privacy-focused laws:
Or return to our main compliance page.