Our data policyAssistance writing this document was graciously provided by Sam Glynn, CIPP/E CIPM CDPO.
The main reason we developed Fathom Analytics was to protect people’s privacy while still enabling website owners to understand how their website is performing. As a truly privacy-focused company, our aim is to meet and hopefully exceed current laws around consumer digital privacy protection. Although this piece gets fairly technical, here are the main points:
- Fathom Analytics truly anonymizes visitors through complex hashes, making it possible to track unique visits in the most privacy-focused manner.
- Fathom Analytics is fully GDPR and E-Privacy (including PECR) complaint and will continue to comply with any rule, law or regulation that protects consumer privacy online.
GDPR: general data protection regulation
GDPR applies to data which relates to an identified or identifiable individual who is in the European Union.
Here’s why GDPR likely does not apply to Fathom Analytics:
Recital 26 states that the regulation doesn’t apply to data that has been anonymized. However, for the sake of this document, let’s assume for a minute that GDPR does apply to our software.
If you can identify a device, this means you can identify the individual using the device. You don’t have to know an individual’s name for their data to be regarded as ‘personal data’. We consider this with our software and account for it by using a series of SHA256 hashes that are generated based on a daily salt along with the user’s IP address, user agent, site ID and day of the year. Brute forcing a 256 bit hash would cost 10^44 times the Gross World Product (GWP). 2019 GWP is US$88.08 trillion so we're at least a few dollars short of brute forcing a 256 bit hash.
With that said, our stance is that it’s practically impossible to identify a user from the 256 bit hash we use. Additionally, these hashes are typically removed from our system in 30 minutes or sooner. We also make sure that singling out is impossible, since we never hold 2 identical user hashes in our temporary pageview table and we keep no query log. You can read more about the specifics here.
What does GDPR compliance mean?
GDPR is not about stopping you doing something that is reasonable and legitimate. As long as you comply with the principles and obligations of GDPR, you can process an individual’s personal data.
As a first step, you need to identify your legal basis for processing an individual’s personal data.
Many people focus on consent but GDPR provides other bases. We believe the most appropriate legal basis is ‘legitimate interest’. As a website owner, it is in your legitimate business interest to understand how your website is performing - e.g. the most popular pages, the pages where people linger for longer, the pages where people bounce.
To allow this legal basis, we need to be able to show that the data being gathered and processed is proportionate and necessary for the legitimate interest being pursued.
- We have designed Fathom from the ground-up to ensure everything being done is proportionate and fair and in the most privacy-centric fashion.
- We gather a minimal amount of data to identify specific information about a website’s use. For example, which pages have been visited and how long they were viewed for.
- We do not process an excessive amount of data about each website user to achieve this, and it never stores any personal data in plain text, it is always hashed to make it practically impossible for us or anyone else to “de-hash”./p>
Our hosted version of Fathom Analytics is as anonymous (and therefore private) as any website analytics software could be. Also
- Fathom is a product of Conva Ventures Inc., incorporated in Canada. It makes sense for a number of reasons: the founding partners live there and Canada has decent privacy laws (similar to the EU).
- Unlike other services, our business model is not based on building huge databases of personal data so we can target people or sell their data for other purposes. Website owners will pay us to provide them with a specific analytics service and that is all we will do with the data.
To sum up, we think using Fathom does not expose you to issues under GDPR.
The ‘Cookie Directive’
The other set of rules to be aware of is what is commonly referred to as the ‘Cookie Directive’. The EU Cookie Directive (as it is popularly known) is a 2009 amendment to the E-Privacy Directive of 2002.
Page 20 of the text:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information”
It requires website owners to obtain the consent of website visitors to place and access data (like cookies) on their digital device (e.g. a laptop). A few things to note:
- The scope is not just ‘personal data’ - it’s any data.
- Despite its popular name, the EU Cookie Directive doesn't just apply to cookies - It equally applies to other storage mechanisms (e.g. HTML5 Local Storage).
- The purpose of the directive is to protect the privacy of people’s communications and to restrict tracking of their activity. Therefore, while the text does not mention things like ‘device fingerprinting’, ‘blank gifs’ or ‘web beacons’, these are all mechanisms to track people online and should also be regarded as in-scope.
As a directive, each EU member state was allowed to interpret the rules differently in their national legislation. As a result, some member states require opt-in consent, while others allow for implied consent. Some require notice banners while others do not. Some enforce the rules while others are less active with enforcement.
Things have changed since we first started Fathom Analytics, and our software is now completely cookie free. This is why we consider ourselves fully E-Privacy and GDPR compliant, and why we feel we are the most privacy-centric website analytics solution on the market.
Questions? Let's talk.Effective July 22, 2019