Fathom Analytics Fathom Analytics

GDPR, CCPA and PECR compliant website analytics

Not all website analytics software are created equal.

Some track personally identifiable information (like IP address, geolocation, or attribute demographic information like age and gender to visits). Website analytics tools like that assume our personal information is useful for making website or business decisions, when for most website owners and businesses, it’s not. And, while it’s creepy, it also creates some legal ramifications if privacy policies and terms aren’t very specifically laid out, worded and displayed on websites.

Some website analytics software, like Fathom Analytics, focus on website visitor privacy. We still track website usage for our customers, but we do this without collecting any personal (i.e. creepy) data about visitors on websites with our tracking code.

Personally identifiable information, when we’re talking about website analytic tools, is important because it very specifically relates to privacy laws that are coming into effect and being used as the basis of lawsuits around the world.

So here’s a look at why Fathom Analytics is GDPR, CCPA and PECR (cookie law) compliant. This is how we collect and use data in our software, and the steps we’ve taken to comply with these important privacy laws—all of which we support. We even signed and backed an amendment to CCPA to protect internet users' privacy to the highest degree.

What is the data we collect and what do we use it for?

Fathom’s main thesis is that data in aggregate is just as useful as data about individuals, and far more privacy-focused too. That’s why we don’t collect or store any personal information, ever, and nothing we do collect could be tied to a specific person. Here’s a complete list of what we collect about our customers website visitors:

Data Example Notes
URL https://usefathom.com We track the URL of each page on your website so we can show which pages are the most popular. Query parameters are discarded except for action, keyword, name, p, page, page_id, pagename, q, s, tab, ref.
Referrer https://twitter.com We use the referrer to show you where your visitors are coming from.
Browser Firefox We track this to show you what browsers your visitors are using when they visit your website.
Device Desktop We use this to tell you what type of device people are using your website with.
Country Canada We show you the country of origin for visitors, but do not get any more granular than this.


Why do website analytics matter for GDPR, CCPA, PECR and other privacy-focused regulations?

You’ve no doubt seen notices on websites you visit asking you to comply with their cookie policies. That’s because websites like that use website analytics software which uses cookies to track visitors. So they need to make you aware that they’re doing that. By using cookies, these websites can fully track you between sessions, and see exactly what you do on their website. Often, by accepting these notices, you’re allowing these websites to do some truly scary things.

To summarize what these privacy laws like GDPR and CCPA mean: they were put into place to protect website visitors from their personal information being tracked, stored, shared and sold. By using cookies or similar technologies, if that personal data is stored or used, then a website must inform every visitor in plain language and get their explicit consent before storing and using that information.

While we aren’t lawyers, we know that with Fathom, we don’t use cookies or similar to store personal information because we don’t track or store personal information. So websites that use Fathom Analytics don’t need to add those annoying cookie policy notices to their websites (which get in the way content, shopping and branding).

Cookie notices and tracking cookies

Website cookies are not delicious like real cookies. They’re used to collect tiny pieces of data on the devices of people using the internet. Browsers then store and send these cookies back to the website on any subsequent visit, making it easy to know a lot about every visitor.

While website cookies are essential to the internet—for things like remembering to keep you logged into sites, or save your shopping cart for later, cookies can also be used for non-essential (or nefarious) purposes, like following you around the internet with targeted ads. And while targeted ads are not specifically illegal (yet), they are both annoying and invasive. Therefore, privacy laws like GDPR and CCPA are useful and important to give users more control over their data.

PECR is a United Kingdom privacy regulation, which stands for Privacy and Electronic Communications Regulations, and applies to websites and businesses in the United Kingdom.

PECR requires website owners to tell visitors what technologies are using cookies to track their personal data and give those visitors the option to opt-out of tracking. Fathom Analytics doesn’t collect or track any personal data, and we are a cookie free analytics service, so PECR notices are not required for our customers.

Can Google Analytics work without cookies?

Fundamentally, Google Analytics is based on using cookies. They set multiple cookies to identify website visitors across different browsing sessions so that data can be used to remember what visitors have done in previous sessions on the website.

However, even if Google Analytics switched from cookies to something different, like localStorage, they still wouldn’t be GDPR or CCPA or PECR compliant without express consent notices, because they’d still be using something (cookies or otherwise) to track personal data from visitors.

In addition to privacy notices relating to laws and regulations, websites and businesses who use Google Analytics have several requirements they must legally adhere to for their website. For example, they must have a privacy policy which makes notice of the cookies or identifiers used to collect data, which then needs to be provided to all website visitors in a clear and comprehensive way. In addition, if Google Analytics users also enable things like demographic or re-marketing data, their notices and privacy policies must be even more in-depth and comprehensive.

Is Google Analytics even GDPR compliant, CCPA compliant or PECR compliant?

Websites that use Google Analytics can be compliant with these privacy laws. But, since Google Analytics collects a whole lot of personal data about visitors, it’s much easier to be legally liable for that data and it must be properly disclosed to all visitors how and why you track them.

Whereas with Fathom Analytics, because we don’t track any personally identifiable information (PII) about anyone, you can mention Fathom is used in your privacy policy and that we track anonymously, but you do not have to put notices on your website to that effect (unless you want to market how well you treat the privacy of your website visitors, which some of our customers do).

Google says that anyone using their analytics tool must obtain legally express content to:

So Google Analytics can be GDPR, CCPA and PECR compliant, but it takes a lot of work (and probably a team of lawyers). While Fathom simply doesn’t collect that data and those privacy laws don’t apply.

Fathom Analytics is always compliant to GDPR, CCPA and PECR

Fathom doesn’t collect personal data or use cookies. This makes us fully compliant without complicated cookie notices or specific wording in privacy policies. So you, our customers don’t have to annoy their website visitors with notices that take up valuable screen space.

This means it’s one less thing to have to deal with on our website, and one of the main reasons you should consider Fathom an amazing Google Analytics alternative.

How does Fathom work then, if there’s no cookies and it’s fully privacy-focused?

Fathom Analytics created a ground-breaking technique that’s now used by several others in the industry called “multiple, un-related complex hashes” to make our data completely anonymous for our website analytics. We never keep two page views for a user “in-storage” at any point. As soon as a second page view comes in from a user, the first one is completely wiped before the second is tracked, meaning there’s zero “user session tracking” potential.

What that means is that we don’t store or collect things like user agents, IP addresses or anything else, and instead use one way hashes to determine if a user is unique. This doesn’t mean that their page view history “follows them” around the site via some sort of cookie alternative, it means that we use one-way hashes and existence checks to establish uniques. . And, the best part is this process isn’t reversible or hackable, so even if someone asked us to “de-hash” data, it’s one-way only. This allows us to track both total page views and unique visitors without breaking any privacy laws. To be clear, if authorities gave us an IP address of a user and asked us “Which sites & pages did this person view over the last 7 days?”, we can’t give them an answer. We don’t just hash a visitor IP, and then store that alongside pageviews, we have an incredible system for determining uniques.

This all means that Fathom analytics is the best privacy-focused web analytics software out there.

Data ownership for your website analytics

You own your data if you use Fathom Analytics, period. Although your site analytics are stored on our cloud servers (making them fast to load), you are in complete control and fully own any/all data collected for your website.

Fathom Analytics is fully GDPR, CCPA, and PECR compliant website analytics

By using our software, you don’t need to have prompts, notices or consent forms annoying your visitors or complicated privacy policies outlining how your analytics is collecting personal data. At Fathom, we don’t track or store any personal data about website visitors ever. Your visitors are free to use your website without distractions.

Give Fathom Analytics a try with a 7-day free trial

Fathom Analytics is a simple analytics tool that’s privacy-friendly for your website visitors. It’s GDPR, PECR and CCPA compliant as well. If you aren’t sure, keep Google Analytics installed while you test out Fathom (both scripts can be on the same site at the same time) and only remove Google Analytics once you see how simple and easy our software is to use.

Ready to get started? Try Fathom today with our 7-day free trial.

Fathom Analytics (screenshot)

Make the switch from Google Analytics

You can see a full list of our features here.

If you’re already using Google Analytics but confused or overwhelmed by how it works, or if you just don’t want to support a company that treats you like a product, then check out Fathom Analytics. We’re a great alternative to Google Analytics, and you can give us a try with our 7-day free trial.