
> No tracking

Personally, I think that Fathom strikes a good balance between privacy and usability, but it does still use tracking (or at least it did when I was looking at it a few weeks back) - the difference is that it uses fingerprinting instead of cookies. I think it's implemented in a privacy-focused way, but it does look like they are ignoring some of the EU ePrivacy guidance, which explicitly states that consent should be obtained before using fingerprinting, even if PII can't be reverse-engineered from the fingerprint.

As I say, I think their implementation makes a lot of sense, and even as a privacy advocate myself I think those particular pieces of ePrivacy guidance focused on fingerprinting are excessive. But the EU doesn't seem to agree.



We're not ignoring the guidance, it's just such a grey area when it comes to PECR / ePrivacy. Even the ICO's guidance, it talks about "cookie-like" technology. Our technology isn't cookie-like. And our processing isn't cookie-like either. We've had lawyers look at our documentation and all of them have said it's a grey area.

You'll know this but some people reading might not: Under GDPR, there are multiple legal bases for processing and we rely on legitimate interest. PECR / ePrivacy is the grey area for us and other services.

Having said all of this, we're fortunately moving away from requiring any compliance at all... by avoiding the complexities altogether. We're rolling a refactor to our data collector over the next few weeks, and we won't have to have these conversations about grey areas anymore :) We've hired a top-tier privacy consultant and are going to be deploying a huge update, putting us at the top of the list for compliant analytics. Every single privacy-focused analytics service is in a grey area right now (some think they're not but they are). We will be the first to move out of this GDPR / ePrivacy grey area dance.

As you say, you see the logic behind the implementation we had, but we're dealing with politicians who don't understand the difference between Google Analytics and privacy-focused analytics. And that's fine, the work they've done has led to better privacy for everyone, so we appreciate them.


> We're not ignoring the guidance, it's just such a grey area when it comes to PECR / ePrivacy. Even the ICO's guidance, it talks about "cookie-like" technology. Our technology isn't cookie-like. And our processing isn't cookie-like either. We've had lawyers look at our documentation and all of them have said it's a grey area.

That sounds like you are trying to pick and choose the bits you want to hear :)

There have been several amendments since the original ePrivacy guidance. There is at least one such directive that is very explicit about fingerprinting specifically. It doesn't use ambiguous language, it states clearly that consent is required for fingerprinting.

As I said, I personally think it's just bonkers, and I think your service is absolutely in the spirit of the ePrivacy rules. But you can't say the rules on fingerprinting are not clear.

I'm keen to see what you've got coming, as the only way I see to avoid consent is not to associate identifiers with users at all - so each page hit would be a completely independent object. Can you say anything about your plans here?


Like I say, we've had lawyers review our docs. Even the term "fingerprinting" has more nuance to it. Fingerprinting is used as a way to attempt to set a permanent cookie / identify an individual, and their actions. We don't do this.

And we definitely agree that it's bonkers.

I can't say anything here until we've got our press release out.


> Like I say, we've had lawyers review our docs. Even the term "fingerprinting" has more nuance to it. Fingerprinting is used as a way to attempt to set a permanent cookie / identify an individual, and their actions. We don't do this.

Ouch, I kind of wish you hadn't said that, because it sounds like you're straying dangerously close into weasel words and deliberately incorrect interpretations. Sorry if that sounds harsh, but what I've read is very clear.

As before I like your solution, and I think it's absolutely in the spirit of privacy. But the guidance is really clear here, and gives examples of fingerprinting. Nobody said a fingerprint has to be a permanent identifier; as far as I recall, Fathom does use fingerprinting to identify individuals, so that a sequence of page views can be attributed to a single visitor. I understand that those fingerprints include a timestamp, and so are only valid for some time (2 hours, or whatever it is).


Thanks for your input here, Gordon. It doesn't sound harsh at all, you clearly care about privacy regulations and you're trying to help. Ultimately, we had moved based on conversations with lawyers. But as I say, we are rolling out changes this week & next, so it doesn't matter what we think about the regulation :) And thanks again for the challenge.


Thanks for the debate, and I'll be looking out for what you've got coming next!



