Disclaimer: The information below is not legal advice, and we don’t accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding GDPR compliance, please forward this page to your legal team.
The California Consumer Privacy Act (CCPA) is a law intended to protect California citizens’ privacy in a GDPR-like fashion. It’s the first consumer privacy act in the United States, which is incredibly exciting, and other areas of the United States are also getting involved. New York has four pending consumer privacy bills at the time of writing, and we hope to see the rest of the country follow suit in time. Fun fact, we actually co-signed a letter that our friends at DuckDuckGo wrote, along with 23 other tech companies, pushing for amendments to the existing law.
The CCPA ensures the following privacy rights for California consumers:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
So it’s a completely reasonable law, and it’s evident why it was introduced. This is why Fathom fully supports this law and other laws that protect digital privacy.
Do I need to comply with CCPA?
Many people mistakenly believe that the CCPA doesn’t apply to them. But it’s important to remember that it’s not all about revenue; it’s also about users. So if you had a popular website with tens of thousands of users, you could find yourself needing to comply with CCPA.
You need to comply with the CCPA if you do business in California and meet any of the following:
- Have $25 million or more in annual revenue
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices
- Earn more than half of your annual revenue selling California residents’ personal data
Keep in mind that the CCPA might apply to you even if you’re not based in California and don’t intentionally target California residents, as long as you have at least 50,000 Californians using your service.
So please make sure you’re clear on whether the CCPA applies to you (regardless of where your company is based).
Is Fathom Analytics CCPA compliant?
Yes. The CCPA applies to personal information, which in the CCPA (1798.140 (o)) is defined as: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” However, the law text further states that “‘Personal information’ does not include consumer information that is de-identified or aggregate consumer information.”
This is further underlined in section 1798.145(5), which states that the CCPA obligations don’t restrict a business’s ability to “Collect, use, retain, sell, or disclose consumer information that is de-identified or in the aggregate consumer information.”
The keyword here is “de-identified”; however, it’s not straightforward. To “qualify” for this, you have to meet certain requirements. We find these in section 1798.140 (h) of the legal text, where “de-identified” means:
… information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses de-identified information:
- Has implemented technical safeguards that prohibit re-identification of the consumer to whom the information may pertain.
- Has implemented business processes that specifically prohibit re-identification of the information.
- Has implemented business processes to prevent inadvertent release of de-identified information.
- Makes no attempt to re-identify the information.
Fathom Analytics adheres to all four of these requirements when de-identifying the personal information (the IP addresses) we collect.
We still encourage you to include information about Fathom Analytics in your cookie and/or privacy notice for transparency reasons.
You can read more about our technical setup in our data journey. Unlike most analytics companies, we aren’t interested in identifying individuals, and we’ve got de-identification built into the core of our software. Digital privacy is our number one priority.
Based on the above information, yes, we believe that Fathom Analytics is compliant with CCPA.