Update 03_compliance.md
ironbrands16 authored Aug 8, 2024
1 parent 3d3462e commit 33d6680
Showing 1 changed file with 8 additions and 37 deletions.
45 changes: 8 additions & 37 deletions _docs/36_legal/03_compliance.md
Expand Up @@ -8,60 +8,33 @@ last_modified_at: 2024-08-08

## GDPR and UK GDPR Compliance

Simple Analytics fully adheres to GDPR and UK GDPR regulations by **refraining from collecting any personal data from end users** (that is, visitors of a customer’s website or app users). We do not place cookies, collect IP addresses, or use device identifiers.
Simple Analytics fully adheres to GDPR and UK GDPR regulations by **refraining from collecting any personal data from end users** (that is, visitors of a customer’s website or app users). We do not place cookies, collect IP addresses, fingerprint users, or use device identifiers.

Our data minimization strategy is fundamental to our ethics and simplifies compliance. Since GDPR and UK GDPR govern personal data, our approach of not collecting such data ensures full compliance and significantly reduces our customers' compliance burdens as well.
Our data minimization strategy is fundamental to our ethics and simplifies compliance. Since GDPR and UK GDPR govern personal data, our approach of not collecting such data ensures full compliance and significantly reduces our customers compliance burdens as well.

Several providers of web analytics claim GDPR compliance by collecting non-personal data, but the claims are not always true. Sometimes the data is combined in a way that makes the user identifiable and enables tracking- which qualifies as personal data under the GDPR.

At Simple Analytics, **when we say we do not collect personal data, we mean it**. Our non-personal data collection is not combined in a way that can track or identify users- and would not be sufficient to do so anyway. We offer genuine compliance, not dubious legal workarounds.

## PECR

[ICO](https://ico.org.uk/), UK's independent body set up to uphold information rights, has updated its laws. They published a [blog](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/) with the most common myths about cookies and [complete guidance](https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/) on the use of cookies and similar technologies ([pdf](https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf)).
[ICO](https://ico.org.uk/), UKs independent body set up to uphold information rights, has updated its laws. They published a [blog](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/) with the most common myths about cookies and [complete guidance](https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/) on the use of cookies and similar technologies ([pdf](https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf)).

Simple Analytics is PECR compliant and does not need consent. We track page views from a script in the browser where we don't use cookies or similar technologies. We don't store IPs in any way and don't use techniques that identify or track a user. [Read here](/what-we-collect) what metrics we store and or collect.
Simple Analytics is PECR compliant and does not need consent. We track page views from a script in the browser where we dont use cookies or similar technologies. We dont store IPs in any way and dont use techniques that identify or track a user. [Read here](https://docs.simpleanalytics.com/what-we-collect) what metrics we store and or collect.

### PECR vs. GDPR

Basically, the ICO says: "PECR first, GDPR second."

> The simplest way to understand it is that if your cookies require consent under PECR, then you cannot use one of the alternative lawful bases from the GDPR to set them. If you’re placing cookies, this is why you need to look to PECR first and comply with its specific rules before considering any of the general rules in the GDPR.
> <small>[source](https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-the-cookie-rules-relate-to-the-gdpr/#GDPR3)</small>
### When do you need consent?

You need consent when cookies are not strictly necessary:

> 'Strictly necessary' means that storage of (or access to) information should be essential, rather than reasonably necessary. It is also restricted to what is essential to provide the service requested by the user. **It does not cover what might be essential for any other uses that you might wish to make of that data.** It is therefore clear that the strictly necessary exemption has a narrow application.
All cookies that are used for analytics do require consent. Simple Analytics does not use any cookies and does not require any consent.

### What ICO says about Simple Analytics

After contacting Daniel Morgan from ICO about the need for consent with Simple Analytics he replied:
We had a chance to ask the ICO directly about this. After contacting Daniel Morgan from ICO about the need for consent with Simple Analytics he replied:

> [Regulation 6](https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/what-are-the-rules-on-cookies-and-similar-technologies/#rules1) of the PECR requires you to obtain consent from the user wherever you wish to store or gain access to information stored within their terminal equipment (a computer or device). This is applicable to the use of cookies and all [similar technologies](https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/what-are-cookies-and-similar-technologies/#cookies5) and techniques, such as device fingerprinting.
>
> If you do not rely on techniques which involve storing or gaining access to information within users' devices in order to produce analytics data for your clients, then this will not fall under Regulation 6 and you will not need to obtain consent.
We do not rely on techniques to store or gaining access to information within users' devices. We do collect information about the devices (like screen size), but that is not applicable to the use of cookies and similar technologies.

Most competitors in the privacy space do use similar technologies like hashing an IP address. For those, you would need consent.

### Tool

Use [ICO's tool](https://ico.org.uk/for-organisations/where-does-consent-apply-for-cookies/) to determine where consent applies for your use of cookies.

We advise you to include us in your privacy policy. [Read more on that here](your-privacy-policy).

<small>Sources used: [insideprivacy.com](https://www.insideprivacy.com/data-privacy/ico-updates-guidance-on-cookies-and-similar-technologies/).</small>
We do not rely on techniques to store or gain access to information within users’ devices. We do collect information about the devices (like screen size), but that is not applicable to the use of cookies and similar technologies.

## CCPA compliance

Simple Analytics is **CCPA compliant out of the box** because it avoids collecting any information that falls under the CCPA.

The CCPA applies to the personal information and defines “personal information” as “information that identifies, relates to, or could reasonably be linked with a user or their household”. Simple Analytics collects no such information from the end user.
The CCPA applies to personal information and defines “personal information” as “information that identifies relates to, or could reasonably be linked with a user or their household.” Simple Analytics collects no such information from the end user.

## HIPAA Compliance
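Review bot: several of the new lines drop apostrophes and read as regressions rather than intended edits: "customers compliance burdens" (should be "customers' compliance burdens"), "UKs independent body" (should be "UK's"), and "dont" three times in the PECR paragraph (should be "don't"); this looks like a quote-normalisation pass that deleted straight apostrophes instead of converting them to the ’ used on the surrounding lines. The CCPA paragraph also loses the comma inside the quoted statutory definition ("information that identifies relates to, or could reasonably be linked"), which changes quoted text; restore "identifies, relates to, or could reasonably be linked". The remaining changes in the hunk (adding the fingerprinting mention, fixing "store or gaining access" to "store or gain access", dropping the "Tool" section, the competitor claim and the source footnote, and pointing the what-we-collect link at the absolute docs URL) look fine.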

Expand All @@ -71,9 +44,7 @@ In other words, **you don’t need to worry about HIPAA**.

### Why doesn’t Simple Analytics receive PHI?

Because we do not use cookies or other identifiers, we do not fingerprint users, either. In other words, **Simple Analytics is 100% tracking-free** and privacy-friendly. We only use visitors’ IP addresses for communication and drop them right after we serve requests- in other words, IP is never stored or used to track.

Using IP for communication without storing them is not considered collecting personal data. However, this could even be avoided altogether by implementing a proxy. This can be done easily by implementing a few lines of code on your website- click here for a [step-by-step guide](https://docs.simpleanalytics.com/proxy).
Because we do not use cookies or other identifiers, fingerprint users, or track users in any way. **Simple Analytics is 100% tracking-free** and privacy-friendly.

### Does Simple Analytics need a BAA?
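Review bot: the replacement sentence under "Why doesn’t Simple Analytics receive PHI?" is a fragment: "Because we do not use cookies or other identifiers, fingerprint users, or track users in any way." has no main clause. Either drop "Because" or join it to the next sentence, e.g. "Because we do not use cookies, other identifiers or fingerprinting, and do not track users in any way, Simple Analytics is 100% tracking-free and privacy-friendly." The hunk also removes the only explanation of how IP addresses are handled (used to serve the request, then dropped) and the pointer to the proxy guide; since the heading asks why no PHI is received, readers will expect a statement about IP handling, so keep a one-line version of it unless the behaviour it described is no longer accurate.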

