Website Visitor Tracking and GDPR: What B2B Companies Need to Know
If anything, they have become more specific. B2B teams want a straight answer to one question: can you identify the companies visiting your website without falling foul of GDPR? The short version is yes, when it is done properly. This guide explains what "properly" means, where the real obligations sit, and how Leadfeeder approaches compliance.
A note before we start: This article is for informational purposes only and does not constitute legal advice. For guidance specific to your organisation, consult a qualified legal professional.
Start from the right premise: this involves personal data
Plenty of articles on this topic open by claiming that company-level identification has nothing to do with personal data, so GDPR does not apply. That is the wrong place to start, and it is not the position Leadfeeder takes.
When someone visits your website, their browser sends an IP address. Under GDPR, an IP address can be personal data, because it can be linked, directly or indirectly, to an individual. Leadfeeder's own privacy documentation treats IP addresses as personal data, and most regulatory guidance across the EU does the same.
That matters because it sets the honest frame for everything that follows. B2B visitor identification is not "outside GDPR". It is personal data processing that can be carried out lawfully, with the right legal basis and the right safeguards in place. The goal is not to argue your way out of the regulation. It is to operate cleanly within it.
There is still a real and important distinction to draw here, just not the one usually made. The distinction is between identifying the company an individual is browsing from, and building a profile of that individual across sessions. Company-level identification produces a business record: the organisation, its industry, size, and the pages viewed. It does not create a profile tied to an identifiable individual person. That is a meaningfully lower-risk activity with regard to GDPR than person-level tracking, and it is the activity this guide is about. It still involves personal data at the point an IP address is processed, which is exactly why a lawful basis is needed.
Two different rulebooks: GDPR and ePrivacy
A lot of confusion comes from treating GDPR and the ePrivacy Directive as a single thing. They are separate frameworks with separate requirements, and keeping them apart is the single most important step towards getting this right.
GDPR governs the processing of personal data. Its central question is: do you have a lawful basis for processing this data? There are six lawful bases, and consent is only one of them.
The ePrivacy Directive governs storing or accessing information on a person's device, which in practice means cookies and similar technologies. Its central question is: have you obtained consent before placing non-essential cookies? This is why cookie banners exist.
These two questions are independent. A tool that does not store or access information on the visitor’s device may fall outside the typical cookie-consent scenario, while still needing a GDPR lawful basis for any personal data it processes. Mixing the two is where most compliance explanations go wrong.
Lawful basis: where legitimate interest fits
Of the six lawful bases under Article 6 GDPR, the one most relevant to visitor identification is legitimate interest, under Article 6(1)(f). Legitimate interest allows processing where you have a genuine business reason that is not overridden by the rights and interests of the individual, assessed through a balancing test.
Here is how Leadfeeder applies this to its own processing. Leadfeeder processes personal data on the basis of legitimate interest in marketing its products, improving its services, and growing its business. That position was reached after a balancing of interests test carried out with external legal counsel. The balancing weighs Leadfeeder's interest against the rights of data subjects, and is supported by the fact that the data processed consists solely of business data, is drawn from publicly available sources, and that objections are actioned quickly.
What this does not mean is that legitimate interest is automatically available to you for your own use of any visitor identification tool. Which lawful basis applies to your processing, and whether it holds up, is a determination for you and your legal team to make and document. Leadfeeder does not provide legal advice to customers, and it remains your responsibility to ensure that any tool is implemented in line with the laws that apply to you. The point of setting out Leadfeeder's own position is transparency, not a template for yours.
How cookieless company identification works
Understanding the mechanism makes the rest concrete.
Traditional tracking tools such as third-party analytics, retargeting pixels, and heatmaps work by placing cookies in the visitor's browser. Those cookies store an identifier that ties browsing behaviour to an individual over time and across sites. That can be both personal data under GDPR and, because it involves storing information on the device, a cookie-consent matter under ePrivacy.
Company identification with Leadfeeder works differently. The Leadfeeder Tracker is a first-party script on your own site. When a visitor lands, the request includes an IP address, which is checked against a database of IP ranges associated with companies and organisations. The output is a company record, for example that a visit came from a device on a particular organisation's network. No third-party cookie follows the individual across the web, no device fingerprint is built, and no identifiable individual is profiled across sessions. As Leadfeeder's documentation puts it, the technology is designed to identify the companies visiting a site, not to track individuals across the web.
Because nothing is stored on or read from the visitor's device in the way cookies are, the ePrivacy cookie-consent question is approached differently from cookie-based tools. The processing of the IP address is still personal data processing under GDPR, which is why it sits under a lawful basis rather than being treated as if no personal data were involved. This is one of the areas where the precise analysis depends on how a tool is configured and on your jurisdiction, so confirm it with your own legal team.
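As an added illustration of the server-side step described above, the following Python sketch does what the text describes: it matches the visitor's IP address against a table of IP ranges associated with organisations, applies a longest-prefix match, honours an objection blocklist of the kind mentioned later under "How Leadfeeder approaches compliance", and returns only a company-level record with no per-visitor identifier and no stored IP address. This is example code written for this article, not Leadfeeder's tracker or database; the range table, organisation names, blocklist entry and function names are all constructed, and the addresses come from reserved documentation space so they point at no real network.

```python
"""Added example (not Leadfeeder's code): cookieless, company-level IP lookup.

The visitor's IP address is used once, at lookup time, and is not carried into
the record that is produced. Nothing is written to or read from the device.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: CIDR ranges notionally registered to organisations.
# RFC 5737 / RFC 3849 documentation address space is used throughout.
IP_RANGE_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"),
     {"organisation": "Example Widgets Ltd", "industry": "Manufacturing", "size": "51-200"}),
    (ipaddress.ip_network("203.0.113.64/26"),  # more specific sub-range
     {"organisation": "Example Widgets Research BV", "industry": "Manufacturing", "size": "11-50"}),
    (ipaddress.ip_network("198.51.100.128/25"),
     {"organisation": "Acme Analytics GmbH", "industry": "Software", "size": "201-500"}),
    (ipaddress.ip_network("2001:db8:1::/48"),
     {"organisation": "Example Widgets Ltd", "industry": "Manufacturing", "size": "51-200"}),
]

# Constructed blocklist: organisations that have objected to processing.
# Compared case-insensitively against the organisation name.
OBJECTION_BLOCKLIST = {"acme analytics gmbh"}

# Address space that must never yield a company record (RFC 1918 and the
# IPv6 unique-local block); loopback, link-local etc. are checked separately.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass(frozen=True)
class CompanyRecord:
    """Company-level output only: no IP, no cookie id, no device fingerprint."""
    organisation: str
    industry: str
    size: str
    page: str


def lookup_organisation(ip_str: str) -> Optional[dict]:
    """Longest-prefix match of an IP address against the range table.

    Returns the organisation entry, or None when the input is malformed,
    non-routable, or not covered by any known range.
    """
    try:
        ip = ipaddress.ip_address(ip_str.strip())
    except ValueError:
        return None  # malformed input: no record, nothing retained
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None
    if any(ip in net for net in PRIVATE_RANGES if net.version == ip.version):
        return None
    best_net, best_org = None, None
    for net, org in IP_RANGE_TABLE:
        if net.version == ip.version and ip in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_org = net, org
    return best_org


def identify_company(ip_str: str, page: str) -> Optional[CompanyRecord]:
    """Turn one page view into a company record, or None.

    The objection blocklist is applied after the match so that a visit from an
    organisation that has objected is dropped rather than recorded.
    """
    org = lookup_organisation(ip_str)
    if org is None:
        return None
    if org["organisation"].casefold() in OBJECTION_BLOCKLIST:
        return None  # objection honoured: the visit is not recorded at all
    return CompanyRecord(org["organisation"], org["industry"], org["size"], page)


if __name__ == "__main__":
    # Constructed page views: matched, sub-range, blocklisted, private, IPv6, garbage.
    for sample in ("203.0.113.42", "203.0.113.70", "198.51.100.200",
                   "10.0.0.1", "2001:db8:1::5", "not-an-ip"):
        print(sample, "->", identify_company(sample, "/pricing"))
```

Two design points are worth noting. The record type has no field for the IP address, so the personal data used at lookup time cannot leak into downstream storage by accident, which is the property that keeps the output at company level. And the blocklist check sits inside the lookup path rather than in a later clean-up job, so an objection takes effect on the next page view rather than after a batch run.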
Controller and processor: who is responsible for what
GDPR splits responsibility between the controller, who decides why and how data is processed, and the processor, who processes on the controller's instructions. With visitor identification there are two relationships to keep straight.
When you deploy the Leadfeeder Tracker on your site, or connect your CRM, and share personal data to be processed on your behalf, you are the controller and Leadfeeder acts as your processor. A Data Processing Agreement covers that relationship and is concluded automatically as part of the terms, with no extra paperwork required from you. It is available via the privacy centre.
Separately, for the publicly sourced business data Leadfeeder collects through its own crawlers, Leadfeeder is the controller and processes that data for its own purposes under legitimate interest. Knowing which relationship applies to which data is exactly the kind of thing your legal team will check when reviewing a vendor.
Because you are the controller for data processed on your behalf, the heavier obligations sit with you: maintaining your records of processing, handling data subject requests, and making sure your privacy notice reflects what you do, including the use of visitor identification technology and how people can object.
How Leadfeeder approaches compliance
A few specifics your legal team will want to see, all drawn from Leadfeeder's published materials.
Data is stored within the EU. Customer data shared with Leadfeeder is hosted on servers in the European Union, on AWS in Ireland, and contracts sit under EU law.
Sources are public and traceable. Leadfeeder's data foundation is built on official trade registers, public web data, and directory records, with deep links back to sources where possible. Sensitive categories of data are deliberately not collected, and Leadfeeder does not carry out profiling that produces legal or similarly significant effects.
Objections are easy and acted on. Individuals and organisations can object to processing. Leadfeeder maintains a blocklist, checks records against public do-not-call lists, and deletes the personal data of those who object. Requests can be made through the GDPR and compliance page, and a group Data Protection Officer is contactable at dpo@leadfeeder.com.
What to take to your legal team
Treat this as a set of questions rather than answers, because the answers depend on your organisation and should be signed off by your own counsel.
Lawful basis: which basis applies to your use of visitor identification, and is your balancing assessment documented?
Privacy notice: does it name visitor identification, explain why you use it, and tell people how to object?
Cookies: where you do run cookie-based tools such as analytics or retargeting, does your consent banner withhold non-essential cookies until the visitor accepts? This is the ePrivacy question, separate from the lawful-basis question above.
Vendor paperwork: is a DPA in place with each vendor before it goes live?
The individual line: if a tool claims to identify named individuals rather than companies, what lawful basis is it relying on, and have you tested that with your legal team?
The bigger picture
GDPR was built to protect individuals. It was not designed to stop B2B companies from understanding which organisations show interest in them. Enforcement has not slowed since 2018, with fines reaching up to 20 million euros, or 4% of global annual turnover, whichever is higher, so the standard is real.
The core use case, knowing which companies are engaging with your website before they ever fill in a form, is compatible with GDPR when it is done on a proper lawful basis, with transparency, and with a clean line drawn at individual-level tracking.
Frequently Asked Questions for Website Visitor Tracking and GDPR
Does B2B visitor identification involve personal data?
Yes. At the point a visitor's IP address is processed, that is personal data under GDPR, because an IP address can be linked to an individual. The right question is therefore not whether GDPR applies, but whether there is a lawful basis for the processing and whether the right safeguards are in place. Company-level identification is lower-risk than person-level tracking because it produces a business record rather than an individual profile, but it still sits within GDPR.
Do you need consent for cookieless company identification?
This involves two separate questions. The ePrivacy consent requirement applies to storing or accessing information on a person's device, such as cookies. A first-party, server-side IP lookup that does not store anything on the device is treated differently from cookie-based tracking. Separately, the IP address is personal data under GDPR and can be processed under one of the lawful bases in Article 6 GDPR. Consent is only one of those possible legal bases; legitimate interest is another. Because the analysis turns on how a specific tool is configured and on your jurisdiction, confirm it with your legal team rather than assuming consent is or is not required.
Does GDPR apply to companies outside the EU?
What matters is where the data subject is located, not where your company is based. If you process the personal data of people in the EU, for example through analytics, cookies, or visitor identification on your site, GDPR applies to you regardless of your own location. Non-EU B2B companies with European website traffic should assume it applies to them.
What should our privacy notice say about visitor identification?
At a minimum it should name the technology, state the purpose, identify the lawful basis you have determined with your legal team, note retention, and explain how to object. Two or three clear sentences in plain language are usually enough. Vague wording such as "we may use third-party analytics tools" is not sufficient if you are running active visitor identification.
Who is the controller and who is the processor?
When you deploy a visitor identification script or connect your CRM and share data to be processed on your behalf, you are the controller and the vendor is your processor, governed by a DPA. For data a vendor collects and uses for its own purposes, the vendor is the controller. Your legal team will want to know which applies to which data before approving a tool.
Serban Giurgi is SEO Manager at Leadfeeder, where he leads end-to-end SEO strategy across technical, content, on-page, off-page, and international markets. His work focuses on connecting search visibility with pipeline by combining intent signals, search behaviour data, and content performance insights.
With experience scaling SEO programmes for B2B SaaS, marketplaces, and large publishers, Serban brings a practical perspective on how organic search drives qualified demand. His background in technical SEO, content quality, and visitor identification informs his approach to turning anonymous traffic into measurable revenue opportunities.