
Plausible and Fathom analytics are not GDPR compliant - ellinoora
https://blog.paranoidpenguin.net/2020/07/plausible-analytics-review-browser-fingerprinting-and-cname-cloaking/
======
dylz
I agree wholeheartedly with this, and also toss simpleanalytics into the ring.
They explicitly advertise the ability to bypass blockers and set up custom
subdomains on their frontpage, which IMO _the person that is blocking it does
not wish to send telemetry_, forcing them to do it is both a forced opt-in and
rude as hell.

If you are going to try to turn a profit by yelling about how you're so
respectful and compliant, maybe not intentionally try to bypass end-users'
explicit, human-set, consensual opt-out with your forced shady opt-in.

You are not being "privacy friendly", you are refusing the user's explicit "no
consent, please don't do this" and forcing yourself on them anyway.

--

An unrelated note on technical infrastructure: many of these projects are EU
based and proudly tell everyone that they are EU based.

Unfortunately, for example - see
[https://en.wikipedia.org/wiki/CLOUD_Act](https://en.wikipedia.org/wiki/CLOUD_Act):

- Plausible hosts on DigitalOcean

- Plausible uses Cloudflare

- Simpleanalytics uses Cloudflare

- Fathom is on AWS

------
ellinoora
Both Fathom [1] and Plausible [2] claim to be GDPR compliant, but they are
not.

They use a technique called "device fingerprinting" by collecting online
identifiers, such as IP addresses, and browser characteristics for
identification. Thus user consent is needed.

1: [https://usefathom.com/gdpr-ccpa-pecr-compliant](https://usefathom.com/gdpr-ccpa-pecr-compliant)

2: [https://plausible.io/data-policy](https://plausible.io/data-policy)

~~~
ezekg
Plausible's fingerprinting uses a rotating salt, which is rolled daily and the
previous salt is discarded. That means the hash can't be tied to a given user
and their IP/browser at a later date. How is that not GDPR compliant? How is
Volument better?
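To make the two positions above concrete (ellinoora's point that hashing IP and browser characteristics still yields a per-visitor identifier, and ezekg's point that a daily-rotated salt prevents linking that identifier to a later date), here is an added illustration of the daily-salt scheme. It is not Plausible's code or any vendor's code; it assumes a keyed SHA-256 over IP and user agent with a salt regenerated once per calendar day, and the visitor data is constructed sample input.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample visitors; the IPs are from the RFC 5737 documentation range.
VISITOR_A = ("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0")
VISITOR_B = ("198.51.100.23", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0.4147.89")


class DailySaltedHasher:
    """Holds one secret salt per calendar day (an assumption about the scheme,
    not a vendor's implementation). On the first request of a new day the old
    salt is overwritten, so the server can no longer recompute, and therefore
    no longer match, any identifier it issued the day before."""

    def __init__(self, today: date, salt: Optional[bytes] = None) -> None:
        self._day = today
        self._salt = salt if salt is not None else secrets.token_bytes(32)

    def _rotate_if_needed(self, now: date) -> None:
        if now != self._day:
            self._day = now
            self._salt = secrets.token_bytes(32)  # previous salt is discarded

    def visitor_id(self, ip: str, user_agent: str, now: date) -> str:
        """Keyed hash over the raw identifiers; only the digest is kept."""
        self._rotate_if_needed(now)
        msg = f"{ip}|{user_agent}".encode()
        return hmac.new(self._salt, msg, hashlib.sha256).hexdigest()


def linkability_report(day1: date = date(2020, 7, 1)) -> Dict[str, bool]:
    """Same browser, three visits: two on day1, one on day2."""
    day2 = day1 + timedelta(days=1)
    hasher = DailySaltedHasher(day1)
    ip, ua = VISITOR_A
    first = hasher.visitor_id(ip, ua, day1)
    second = hasher.visitor_id(ip, ua, day1)
    next_day = hasher.visitor_id(ip, ua, day2)
    return {
        # Within the day the id is a stable pseudonym for this IP+UA pair,
        # which is the crux of the consent argument.
        "same_day_linkable": first == second,
        # After rotation the same pair maps to an unrelated id, and the salt
        # needed to reproduce yesterday's id no longer exists.
        "cross_day_linkable": first == next_day,
    }


def unique_visitors_per_day(visits: List[Tuple[date, str, str]]) -> Dict[date, int]:
    """Counts distinct hashed ids per day. The trade-off of daily rotation is
    visible here: a returning browser is counted afresh on each day."""
    visits = sorted(visits, key=lambda v: v[0])
    hasher = DailySaltedHasher(visits[0][0]) if visits else DailySaltedHasher(date.today())
    seen: Dict[date, set] = {}
    for day, ip, ua in visits:
        seen.setdefault(day, set()).add(hasher.visitor_id(ip, ua, day))
    return {day: len(ids) for day, ids in seen.items()}


def sample_counts() -> Dict[date, int]:
    """Constructed log: A twice and B once on 1 July, A once on 2 July."""
    d1, d2 = date(2020, 7, 1), date(2020, 7, 2)
    visits = [(d1, *VISITOR_A), (d1, *VISITOR_A), (d1, *VISITOR_B), (d2, *VISITOR_A)]
    return unique_visitors_per_day(visits)


if __name__ == "__main__":
    print(linkability_report())
    print(sample_counts())
```

The report shows both commenters are describing the same mechanism from different angles: the identifier is linkable within a day (so per-visitor tracking does occur for that window) and unlinkable across days (so no long-term profile can be rebuilt from stored data once the salt is gone).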

