Assistance writing this document was graciously provided by Sam Glynn, CIPP/E CIPM CDPO.
There are two sets of EU rules to consider:
1. GDPR: General Data Protection Regulation
GDPR is the regulation that has got everyone’s attention this year. For the purposes of our discussion, it relates to any personal data of visitors to your website.
Personal data is any data that relates to an identified or identifiable individual who is in the European Union.
Does GDPR apply to Fathom?
It is best to assume it does.
If you can identify a device, this means you can identify the individual using the device. You don’t have to know an individual’s name for their data to be regarded as ‘personal data’.
Fathom stores a cookie on the individual’s device to store certain information. The content of this cookie could be regarded as personal data. As you are processing this personal data using Fathom, GDPR applies.
I know we could argue all of this and perhaps we will have to if we struggle to comply with GDPR.
However, the main reason we developed Fathom was to protect people’s privacy while still enabling website owners to understand how their website is performing. So, if we got this right, it should be straightforward to show how Fathom complies with GDPR.
Therefore, rather than getting buried in legal arguments, let’s run with the following assumption: The contents of a Fathom cookie placed by your website is the personal data of the website visitor.
What does GDPR compliance mean?
First up, it does not mean you are doing anything wrong. GDPR is not about stopping you doing something that is reasonable and legitimate.
As long as you comply with the principles and obligations of GDPR, you can process an individual’s personal data.
As a first step, you need to identify your legal basis for processing an individual’s personal data.
Many people focus on consent but GDPR provides other bases. We believe the most appropriate legal basis is ‘legitimate interest’. As a website owner, it is in your legitimate business interest to understand how your website is performing - e.g. the most popular pages, the pages where people linger for longer, the pages where people bounce.
To allow this legal basis, we need to show that the data being gathered and processed is proportionate and necessary for the legitimate interest being pursued.
We have designed Fathom from the ground-up to ensure everything being done is proportionate and fair.
Fathom gathers a minimal amount of data to identify specific information about a website’s use. For example, which pages have been visited and for how long they were viewed.
Fathom does not process an excessive amount of data about each website user to achieve this. Unlike many other analytics services, Fathom does not gather data points such as IP address, device configuration, geo-location data.
Fathom does not store a unique identifier for each website visitor so we can track their path through the website. We regenerate a new identifier for each visitor every time they visit a page. We do not link the old identifier to the new one.
We forget about a site visitor once they have not interacted with the site after 30 minutes.
This means some of the data points available in other analytics tools are currently unavailable to you in Fathom. However, Fathom does provide you with the most important data points while also enabling you to show your website visitors that you’re not sucking up mountains of data about them.
Data sharing: Because Fathom can be self-hosted, when it is, the data you gather about your website’s visitors remains with you - It is never shared with 3rd parties unless you choose to do so.
For a site owner who signs up to our hosted version of Fathom, we will be a data processor working under their instruction. The hosted version will be privacy-centric.
- We plan to incorporate Fathom in the Netherlands. It makes sense for a number of reasons (After all, Danny lives there!). It also makes things easier under GDPR.
- We plan to use data centres based in the EU and we will ensure the data does not leave the EU*. This avoids the additional hassle involved in complying with GDPR’s data transfer rules.
- One exception to this is if Paul accesses the data (e.g. when providing support to a customer). Paul lives in Canada. This is not a problem. Canada is regarded as having appropriate data protection laws (what is termed ‘adequate levels of protection’) so this ‘data transfer’ is not an issue.
- We will also implement security safeguards to ensure that data being gathered from different sites is never combined into one master database. Unlike other services, our business model is not based on building huge databases of personal data so we can target people for other purposes. Website owners will pay us to provide them with a specific analytics service and that is all we will do with the data.
To sum up, we think using Fathom does not expose you to issues under GDPR.
2. The ‘Cookie Directive’
The other set of rules to be aware of is what is commonly referred to as the ‘Cookie Directive’.
The EU Cookie Directive (as it is popularly known) is a 2009 amendment to the E-Privacy Directive of 2002.
Page 20 of the text:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information”
It requires website owners to obtain the consent of website visitors to place and access data (like cookies) on their digital device (e.g. a laptop).
A few things to note:
- The scope is not just ‘personal data’ - It’s any data.
- Despite its popular name, the EU Cookie Directive doesn't just apply to cookies - It equally applies to other storage mechanisms (e.g. HTML5 Local Storage).
- The purpose of the directive is to protect the privacy of people’s communications and to restrict tracking of their activity. Therefore, while the text does not mention things like ‘device fingerprinting’, ‘blank gifs’ or ‘web beacons’, these are all mechanisms to track people online and should also be regarded as in-scope.
As a directive, each EU member state was allowed to interpret the rules differently in their national legislation. As a result, some member states require opt-in consent, while others allow for implied consent. Some require notice banners while others do not. Some enforce the rules while others are less active with enforcement.
It’s a mess that hopefully the E-Privacy Regulation that will replace this E-Privacy Directive will resolve. The Regulation is still being negotiated. It is unlikely to be finalised before the end of 2018.
In the meantime, all we can do is review the latest draft of the Regulation.
At the moment, the Regulation seems to recognize the difference between non-privacy intrusive first-party cookies and the more intrusive 3rd party cookies used to track people and target them for behavioural advertising.
Cookies that are not privacy intrusive may not require consent. This includes cookies that are set to count the number of visitors to a site.
It remains to be seen whether the Regulation (or the guidance issued by the regulators through the European Data Protection Board) will have more granular information about what could fall within the scope of ‘counting the number of visitors to a site’.
However, given the effort we have put in to build privacy into Fathom from the start, we believe we are on the right track.
So, where do we go from here?
We will provide you with all relevant information so you can document how your use of Fathom complies with GDPR. It will also show you how you can comply with the current draft of the E-Privacy Regulation.
Questions? Let's talk.