GDPR, CCPA and PECR compliant website analytics
Not all website analytics software is created equal.
Some track personally identifiable information (like IP address, geolocation, or attribute demographic information like age and gender to visits). Website analytics tools like that assume our personal information is useful for making website or business decisions, when for most website owners and businesses, it’s not. And, while it’s creepy, it also creates some legal ramifications if privacy policies and terms aren’t very specifically laid out, worded and displayed on websites.
Some website analytics software, like Fathom Analytics, focuses on website visitor privacy. We still track website usage for our customers, but we do this without collecting any personal (i.e. creepy) data about visitors on websites with our tracking code.
Personally identifiable information, when we’re talking about website analytics tools, is important because it very specifically relates to privacy laws that are coming into effect and being used as the basis of lawsuits around the world.
So here’s a look at why Fathom Analytics is GDPR, CCPA and PECR (cookie law) compliant. This is how we collect and use data in our software, and the steps we’ve taken to comply with these important privacy laws—all of which we support. We even signed and backed an amendment to CCPA to protect internet users' privacy to the highest degree.
What is the data we collect and what do we use it for?
Fathom’s main thesis is that data in aggregate is just as useful as data about individuals, and far more privacy-focused too. That’s why we don’t collect or store any personal information, ever, and nothing we do collect could be tied to a specific person. Here’s a complete list of what we collect about our customers’ website visitors:
| Data | Example | Why we collect it |
|---|---|---|
| URL | https://usefathom.com | We track the URL of each page on your website so we can show which pages are the most popular. Query parameters are discarded except for action, keyword, name, p, page, page_id, pagename, q, s, tab, ref. |
| Referrer | https://twitter.com | We use the referrer to show you where your visitors are coming from. |
| Browser | Firefox | We track this to show you what browsers your visitors are using when they visit your website. |
| Device | Desktop | We use this to tell you what type of device people are using your website with. |
| Country | Canada | We show you the country of origin for visitors, but do not get any more granular than this. |
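The query-parameter allowlist from the URL row, written out as an added example (not Fathom's own code): it keeps only the listed parameter names and reports the names, never the values, of everything it drops. Exact case-sensitive matching and discarding the fragment are assumptions, and the sample URLs are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that survive, copied from the URL row of the table above.
ALLOWED_PARAMS = frozenset({
    "action", "keyword", "name", "p", "page", "page_id",
    "pagename", "q", "s", "tab", "ref",
})


def sanitize_url(url: str) -> tuple[str, list[str]]:
    """Return (cleaned URL, names of the query parameters that were dropped)."""
    parts = urlsplit(url)
    kept, dropped = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in ALLOWED_PARAMS:  # assumption: exact, case-sensitive match
            kept.append((key, value))
        else:
            dropped.append(key)  # record the name only, never the value
    # Assumption: the fragment is discarded as well, since it can carry
    # the same kind of per-user data as a query string.
    clean = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), "")
    )
    return clean, dropped


# Constructed sample URLs: a password-reset link, a search page, a plain page.
SAMPLE_URLS = [
    "https://example.com/reset?token=abc123&email=jane%40example.com&ref=newsletter",
    "https://example.com/search?q=privacy+laws&utm_source=x&page=2#results",
    "https://example.com/pricing",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        cleaned, removed = sanitize_url(sample)
        print(f"{cleaned}  (dropped: {removed})")
```
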
Why do website analytics matter for GDPR, CCPA, PECR and other privacy-focused regulations?
To summarize what these privacy laws like GDPR and CCPA mean: they were put into place to protect website visitors from their personal information being tracked, stored, shared and sold. By using cookies or similar technologies, if that personal data is stored or used, then a website must inform every visitor in plain language and get their explicit consent before storing and using that information.
Cookie notices and tracking cookies
Website cookies are not delicious like real cookies. They’re used to collect tiny pieces of data on the devices of people using the internet. Browsers then store and send these cookies back to the website on any subsequent visit, making it easy to know a lot about every visitor.
While website cookies are essential to the internet for things like keeping you logged into sites or saving your shopping cart for later, cookies can also be used for non-essential (or nefarious) purposes, like following you around the internet with targeted ads. And while targeted ads are not specifically illegal (yet), they are both annoying and invasive. Therefore, privacy laws like GDPR and CCPA are useful and important to give users more control over their data.
PECR is a United Kingdom privacy regulation, which stands for Privacy and Electronic Communications Regulations, and applies to websites and businesses in the United Kingdom.
PECR requires website owners to tell visitors what technologies are using cookies to track their personal data and give those visitors the option to opt out of tracking. Fathom Analytics doesn’t collect or track any personal data, and we are a cookie-free analytics service, so PECR notices are not required for our customers.
Can Google Analytics work without cookies?
Fundamentally, Google Analytics is based on using cookies. They set multiple cookies to identify website visitors across different browsing sessions so that data can be used to remember what visitors have done in previous sessions on the website.
However, even if Google Analytics switched from cookies to something different, like localStorage, they still wouldn’t be GDPR or CCPA or PECR compliant without express consent notices, because they’d still be using something (cookies or otherwise) to track personal data from visitors.
Is Google Analytics even GDPR compliant, CCPA compliant or PECR compliant?
Websites that use Google Analytics can be compliant with these privacy laws. But, since Google Analytics collects a whole lot of personal data about visitors, it’s much easier to be legally liable for that data, and you must properly disclose to all visitors how and why you track them.
Google says that anyone using their analytics tool must legally obtain express consent to:
- Collect, share and use personal data for personalized ads
So Google Analytics can be GDPR, CCPA and PECR compliant, but it takes a lot of work (and probably a team of lawyers). Fathom simply doesn’t collect that data, and those privacy laws don’t apply.
Fathom Analytics is always compliant with GDPR, CCPA and PECR
This means it’s one less thing to have to deal with on your website, and one of the main reasons you should consider Fathom an amazing Google Analytics alternative.
How does Fathom work then, if there are no cookies and it’s fully privacy-focused?
Fathom Analytics created a ground-breaking technique that’s now used by several others in the industry called “multiple, un-related complex hashes” to make our data completely anonymous for our website analytics. We never keep two page views for a user “in-storage” at any point. As soon as a second page view comes in from a user, the first one is completely wiped before the second is tracked, meaning there’s zero “user session tracking” potential.
What that means is that we don’t store or collect things like user agents, IP addresses or anything else, and instead use one-way hashes to determine if a user is unique. This doesn’t mean that their page view history “follows them” around the site via some sort of cookie alternative; it means that we use one-way hashes and existence checks to establish uniques. And, the best part is this process isn’t reversible or hackable, so even if someone asked us to “de-hash” data, it’s one-way only. This allows us to track both total page views and unique visitors without breaking any privacy laws. To be clear, if authorities gave us an IP address of a user and asked us “Which sites & pages did this person view over the last 7 days?”, we can’t give them an answer. We don’t just hash a visitor IP and then store that alongside pageviews; we have an incredible system for determining uniques.
This all means that Fathom Analytics is the best privacy-focused web analytics software out there.
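A sketch of the general pattern described above, keyed one-way hashes plus existence checks feeding aggregate counters, added here as an example; it is not Fathom's implementation, which this page does not specify. The class name, the two digest labels and the rotation schedule are assumptions. The secret key matters because an unkeyed hash of an IPv4 address can be reversed by trying all 2^32 addresses.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class AggregateCounter:
    """Counts pageviews and uniques without storing IPs or user agents."""

    def __init__(self) -> None:
        self.pageviews: Counter = Counter()
        self.unique_pages: Counter = Counter()
        self.unique_visitors = 0
        self.rotate()

    def rotate(self) -> None:
        """End the uniqueness window (assumption: called on a schedule)."""
        # A fresh secret key and an empty seen-set: digests from the old
        # window can no longer be recomputed or matched against anything.
        self._key = secrets.token_bytes(32)
        self._seen = set()

    def _digest(self, *fields: str) -> bytes:
        # Length-prefix every field so ("ab", "c") and ("a", "bc") differ.
        msg = b"".join(
            len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields
        )
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _first_time(self, digest: bytes) -> bool:
        # Existence check: "seen before?" is the only question answered.
        if digest in self._seen:
            return False
        self._seen.add(digest)
        return True

    def record(self, site: str, path: str, ip: str, user_agent: str) -> None:
        self.pageviews[path] += 1
        # Two unrelated digests: one per visitor and site, one per visitor
        # and page. Neither is stored next to a pageview row.
        if self._first_time(self._digest("site", site, ip, user_agent)):
            self.unique_visitors += 1
        if self._first_time(self._digest("page", site, path, ip, user_agent)):
            self.unique_pages[path] += 1
```

What persists is counters and 32-byte digests; within a window the key holder can still test a guessed visitor and page against the seen-set, which is why the key is discarded on rotation.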
Data ownership for your website analytics
You own your data if you use Fathom Analytics, period. Although your site analytics are stored on our cloud servers (making them fast to load), you are in complete control and fully own any/all data collected for your website.
- We don’t share or sell your website data, ever, for any reason
- We don’t provide your website data to any third parties
- We sell software, not data, so your data is paid for when you pay us for your Fathom Analytics plan (we don’t have to sell it to advertisers because that’s not how we make money)
Fathom Analytics is fully GDPR, CCPA, and PECR compliant website analytics
By using our software, you don’t need to have prompts, notices or consent forms annoying your visitors or complicated privacy policies outlining how your analytics is collecting personal data. At Fathom, we don’t track or store any personal data about website visitors ever. Your visitors are free to use your website without distractions.
Give Fathom Analytics a try with a 7-day free trial
Fathom Analytics is a simple analytics tool that’s privacy-friendly for your website visitors. It’s GDPR, PECR and CCPA compliant as well. If you aren’t sure, keep Google Analytics installed while you test out Fathom (both scripts can be on the same site at the same time) and only remove Google Analytics once you see how simple and easy our software is to use.
Ready to get started? Try Fathom today with our 7-day free trial.