Compliance

GDPR and UK GDPR Compliance

Simple Analytics fully adheres to GDPR and UK GDPR regulations by refraining from collecting any personal data from end users (that is, visitors of a customer’s website or app users). We do not place cookies, collect IP addresses, fingerprint users, or use device identifiers.

Our data minimization strategy is fundamental to our ethics and simplifies compliance. Since GDPR and UK GDPR govern personal data, our approach of not collecting such data ensures full compliance and significantly reduces our customers’ compliance burdens as well.

Several providers of web analytics claim GDPR compliance by collecting non-personal data, but the claims are not always true. Sometimes the data is combined in a way that makes the user identifiable and enables tracking, which qualifies as personal data under the GDPR.

At Simple Analytics, when we say we do not collect personal data, we mean it. Our non-personal data collection is not combined in a way that can track or identify users, and would not be sufficient to do so anyway. We offer genuine compliance, not dubious legal workarounds.

PECR

Simple Analytics is PECR compliant and does not need consent. We track page views with a script on the website that does not use cookies or similar technologies. We don’t store IPs in any way and don’t use techniques that identify or track a user. Read here which metrics we store and/or collect.

We had a chance to ask the ICO directly about this. When we contacted Daniel Morgan from the ICO about the need for consent with Simple Analytics, he replied:

Regulation 6 of the PECR requires you to obtain consent from the user wherever you wish to store or gain access to information stored within their terminal equipment (a computer or device). This is applicable to the use of cookies and all similar technologies and techniques, such as device fingerprinting.

If you do not rely on techniques which involve storing or gaining access to information within users’ devices in order to produce analytics data for your clients, then this will not fall under Regulation 6 and you will not need to obtain consent.

We do not rely on techniques to store or gain access to information within users’ devices.

CCPA Compliance

Simple Analytics is CCPA compliant out of the box because it avoids collecting any information that falls under the CCPA.

The CCPA applies to personal information and defines “personal information” as “information that identifies, relates to, or could reasonably be linked with a user or their household.” Simple Analytics collects no such information from the end user.

HIPAA Compliance

Simple Analytics can easily comply with HIPAA because it does not collect any personally identifiable data from your visitors. When no personally identifiable data are collected, the data we receive are not protected health information (PHI) and do not fall under the HIPAA Privacy Rule’s disclosure limitations.

Simple Analytics doesn’t receive PHI because we do not use cookies or other identifiers, fingerprint users, or track users in any way. In other words, you don’t need to worry about HIPAA.

You also do not need a BAA to use Simple Analytics. You only need a BAA when an associate receives PHI from you. This is not the case with Simple Analytics: we do not receive any PHI, do not qualify as a business associate, and do not require a business associate agreement.

ePrivacy and TTDSG Compliance

Article 5(3) of the EU’s ePrivacy Directive protects data stored on end-user devices. Simple Analytics complies effortlessly by not collecting such data.

This approach also ensures compliance with the PECR (UK) and TTDSG (Germany), which are implementations of the ePrivacy Directive within national laws.