For software development and maintenance, contact me at email@example.com or via appsoftware.com
Web Analytics Without the Cookie Notice: GDPR Compliant Web Analytics Using Fathom
Fri, 13 Jan 2023 by garethbrown
An Analysis of Fathom as a GDPR Compliant Analytics Service
Can you use Fathom for web analytics tracking that is compliant with EU data privacy laws? Yes you can.
Fathom is a web analytics service that solves an important problem for businesses with a web presence in the European Union. That is how to track web site / application use in a way that respects the privacy of their users and complies with GDPR (General Data Protection Regulation) laws. This has become even more pressing now that Google Analytics has been ruled illegal by some European data authorities so that it may not be legal to use Google Analytics on a website even with a consent banner / popup.
You can create an account at Fathom here.
Fathom makes money through a monthly subscription, rather than providing a free service with the aim of monetizing user data through advertising, as is the business model for Google Analytics and other web analytics services.
Fathom unambiguously states compliance with GDPR as shown on their home screen:
They also state:
Fathom is a Google Analytics alternative that doesn’t compromise visitor privacy for data. We revolutionized website analytics by making them easy to use and respectful of privacy laws (like GDPR and more).
Your EU traffic is automatically routed through European-owned infrastructure, and our Canadian company has GDPR adequacy ruling. Plus, we're GDPR, CCPA, ePrivacy, PECR (and more) compliant.
[Fathom] Canadian company has GDPR adequacy ruling.
One of the most attractive features of a GDPR compliant analytics service is that your website doesn't need to display a cookie consent banner or popup. Companies who A/B test conversion rates know that small changes to user flows through the UI can have meaningful impacts on conversion rates, in addition to being simply annoying. Stopping a user in their tracks with a consent banner or popup is clearly best avoided.
As Fathom says:
But how is web analytics without requiring a consent banner possible under GDPR and what do Fathom need to do differently to Google Analytics and other analytics services to be compliant?
The following steps Fathom have taken together achieve compliance according to their website:
- No Tracking Between Sites
- Anonymization of User Data
- EU Isolation
- Short Data Retention Periods
- Schrems II Compliance
To explain each of these:
Anonymization of User Data
The finger printing information that is collected is 'hashed'. This is a one way cryptographic function that creates a unique and reproducible string of characters for the combined information that can't be reverse engineered to find out what information the hash was created from.
No Tracking Between Sites
Since the host name is included as an input to the hash, the user can't be tracked between websites. The same IP address and user agent string, but with different host names will produce different hash strings, with no means of comparing to discover if they were generated for the same user. This is crucial for user privacy because a series of sites can be used to identify a user, something not possible with Fathom's hashing technique.
This means that data associated with visits from users in the European Union, where GDPR applies, is only processed on European Servers. Data for the rest of the world will be processed in the US, unless Fathoms 'Extreme EU Isolation' feature is used, where all data including US data is routed through EU servers (in case you want to be absolutely certain that EU data isn't accidentally routed outside of the EU).
Short Data Retention Periods
Where IP addresses are recorded for security purposes, Fathom says that the data is retained for the shortest possible period of time before being removed.
Schrems II Compliance
Previously US companies relied on the Privacy Shield certification for US businesses which was ruled against by the Court of Justice of the European Union (EUCJ), meaning that EU personal data could no longer be legally transferred to the US.
Further detail regarding Fathoms GDPR compliance and data processing mechanisms can be found here:
Fathom Comparison with Other Analytics Services
Sourced from usefathom.com
Features for Avoiding Ad / Tracking Blockers
It seems reasonable that since you're using a privacy conscious service that is fully compliant with the associated user / data protection privacy laws, that your web application should suffer less from the blocking of scripts / requests by ad-blockers. The ad-blockers may not share the same view, but Fathom has a useful feature that allows you to present the Fathom tracking script as a script belonging to your domain.
Fathom allows you to set up a custom domain from which to serve your script via a CNAME in your site's DNS entries. The CNAME entry directs the users browser from a subdomain of your choosing to a CDN that serves the Fathom analytics script. This makes it unlikely that and ad blocker will prevent the Fathom analytics script from loading.
Fathom has a comprehensive set of features that ensure accurate web analytics reporting, without compromising user privacy. The monthly cost associated with Fathom seems modest compared to the cost of losing users due to the frustration of cookie consent banners and pop ups. Further, the user interface for Fathom is clean and simple to use, and a single subscription allows you to track multiple sites, providing that the total page views is within the generous allowance associated with the subscription.
An account can be set up at https://usefathom.com
The use of any information, code samples, or product recommendations on this Website is entirely at your own risk, and we shall not be held liable for any loss or damage, direct or indirect, arising from or in connection with the use of this Website or the information provided herein.