GDPR Compliant Website Analytics
Disclaimer: The information below is not legal advice, and we don’t accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding GDPR compliance, please forward this page to your legal team.
The GDPR, General Data Protection Regulation (EU) 2016/679, is a piece of regulation that came out of the European Union and completely shook the world. You likely remember when it first landed and the business world was panicking about compliance. Some people think it's a law that's overreaching, whilst others are incredibly grateful that lawmakers stepped in to protect their digital privacy.
We’ve been working with GDPR (and compliance with it) since we started our business. And yes, it is a good amount of work to get everything in order, but it’s an incredibly fair piece of legislation. When you dive into it, it’s obvious that the lawmakers wanted to leave flexibility in place for businesses whilst protecting the digital privacy of data subjects.
Is Fathom Analytics GDPR Compliant?
Absolutely. There are a few areas where GDPR compliance comes in, like:
- Our customers’ personal data (and we’re the controller)
- Personal data of our customers’ website visitors (and we’re the data processor)
The following information will focus on how Fathom is GDPR compliant when it comes to the personal data of our customers' website visitors. And whilst we're not in a position to offer legal advice, we invest heavily in compliance and have a fantastic EEA-based privacy officer who keeps us up to date with all the latest changes.
Here’s what we do to ensure GDPR compliance:
- We focus on the intent of the GDPR. The fundamental goal of the regulation is to protect the privacy of EU citizens. With everything we do, we ask ourselves whether it poses any risk to our customers’ website visitors.
- We are big believers in data minimization. Collecting less data is one of the easiest ways to reduce the risk to data subjects.
- We have a lawful basis for the processing we do. And we run privacy risk assessments whenever we need to make a significant change (e.g. when we had to enable basic, heavily redacted IP access logs after we were DDoS attacked).
- We encourage our customers to do a Legitimate Interest Assessment, which can easily be prepared based on all the information provided on our website.
What personal data does Fathom process under GDPR?
We go into significant detail on this in our Data Journey page, but some key pieces for GDPR are as follows:
- We process personal data (IP Address and User-Agent) on your behalf.
- We keep pseudo-anonymized data for around 48 hours. After that, the hash salts (explained here) are removed from our system, and there's no reasonable way for anybody to brute-force them. The hash salts we use are SHA256 hashes, and brute-forcing this kind of hash would require 10^44 x Gross World Product (GWP). And GWP in 2019 was US$88.08 trillion. So although the data starts out pseudo-anonymous, there's no realistic path to brute-forcing these hashes once the hash salts are gone: there are simply too many possible combinations to try.
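To make the salt-rotation idea concrete, here is an added illustration (my own code, not Fathom's implementation) of a pseudonymous visitor id derived from a per-day random salt, the IP address and the User-Agent, with old salts purged after a retention window. The in-memory salt store, the two-day window and the sample IP/User-Agent values are assumptions made for the example.

```python
import hashlib
import secrets
from datetime import date, timedelta

# Constructed in-memory salt store keyed by ISO date ("YYYY-MM-DD"). A real
# deployment would keep this in a secure store and purge it on a schedule.
SALTS = {}

def salt_for(day):
    """Return the salt for `day`, creating a fresh 32-byte random one on first use."""
    if day not in SALTS:
        SALTS[day] = secrets.token_bytes(32)
    return SALTS[day]

def visitor_id(ip, user_agent, day):
    """Pseudonymous visitor id: SHA-256 over the day's salt, the IP and the User-Agent.
    The same visitor on the same day maps to the same id, so visits can be counted
    without storing the raw IP or User-Agent."""
    h = hashlib.sha256()
    h.update(salt_for(day))
    h.update(ip.encode())
    h.update(b"\x00")  # separator keeps the ip/user_agent boundary unambiguous
    h.update(user_agent.encode())
    return h.hexdigest()

def purge_salts(today, retention_days=2):
    """Delete salts older than the retention window (about 48 hours here).
    Once a day's salt is gone, the ids computed with it cannot be recomputed
    from any IP/User-Agent guess, so they can no longer be tied to a person."""
    cutoff = (date.fromisoformat(today) - timedelta(days=retention_days)).isoformat()
    for day in [d for d in SALTS if d < cutoff]:
        del SALTS[day]

def can_reidentify(ip, user_agent, day, stored_id):
    """True if `stored_id` can still be matched to (ip, user_agent) for `day`,
    i.e. only while that day's salt still exists."""
    return day in SALTS and visitor_id(ip, user_agent, day) == stored_id
```

The point to observe is that the stored ids never change, yet after `purge_salts` runs the check in `can_reidentify` fails for the purged day, because nobody (including the operator) holds the salt needed to recompute them.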
What about Schrems II?
Schrems II was a huge ruling for the world. We’ve gone into it on our blog, and we’re currently working on a groundbreaking solution to address the complexities that Schrems II has introduced.
So the answer is, yes, we’ve built our software with the intent to be GDPR compliant, and we take the privacy of all your website visitors very seriously. All individuals should be protected on the internet, and we wouldn’t dream of profiling them or selling their browsing habits. Fathom’s business model is to charge for software, not to exploit your personal data.