Fathom Analytics is quite fool proof. No cookies (hence no consent) required, completely anonymized data that still identifies unique visitors and provided valuable analytics.
Not true. Consent has nothing to do with cookies. If you look at what the ePrivacy Directive article 5.3. says, it's pretty clear:
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, ... "
So even Fathom, and other analytics tools that use browser fingerprinting or similar methods require consent.
And also, the whole no cookie, no consent -mantra does not respect user privacy. In some ways, browser fingerprinting is even worse because that's much harder for an average user to block than cookies.
It might be true, if the stored data is truly anonymized, as they seem to not be storing any data on the browser.
There is a fuzzy line somewhere between access-logs and user-tracking.
Personally I think that at that point, one should just stop loading analytic scripts and stick to server-side access-log analytic toolg like goaccess.io.
> completely anonymized data that still identifies unique visitors
That's an oxymoron. If your "completely anonymized data" is unique enough to reidentify unique visitors with reasonable probability then it isn't "completely anonymized" - it's pseudonymous.
That's the problem with all these supposedly GDPR-compliant analytics things - the GDPR outlaws analytics without consent (there's no case law whether it would fall under legitimate interest, but I doubt it), there's no way around it. It doesn't matter what technical means you use (whether cookies, fingerprinting, or a crystal ball) - if your analytics "work" in the sense that you can tell unique users apart, then you are in breach because you are effectively collecting/computing and storing some sort of identifier that can reidentify a user with reasonable accuracy.
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, ... "
So even Fathom, and other analytics tools that use browser fingerprinting or similar methods require consent.
And also, the whole no cookie, no consent -mantra does not respect user privacy. In some ways, browser fingerprinting is even worse because that's much harder for an average user to block than cookies.