Website Visitors Identification and GDPR: What’s Allowed and What’s Not?

Most B2B websites see only 2% of their traffic convert. The other 98% remains unidentified at company level. As a marketer, you naturally want to know which companies are showing interest. But is that actually allowed under GDPR? In this article, we explain precisely what is and isn't allowed, and how you can gain GDPR-compliant insight into your website traffic.

Why Website Visitor Identification Isn’t Always Permitted Under GDPR

GDPR imposes strict requirements on collecting and processing personal data. As soon as you collect data that is traceable to an individual, you must comply with GDPR requirements. In many cases, this means: asking for explicit consent.

The problem with traditional tracking tools? They use cookies that track the behaviour of individual visitors. Google Analytics, heatmap tools, retargeting pixels – they all collect personal data. Cookie banners and consent are then mandatory.

But there’s an important distinction between personal and business data. Company identification based on business data falls under a different category. You identify the organisation visiting your website, not the individual employee.

Personal data such as name, email address or an individual’s IP address fall under GDPR and require consent. Organisation name, sector, size and the IP range of a corporate network are business data. These fall under legitimate interest.

These Methods Are Prohibited Without Explicit Consent

Let’s be clear about what is NOT permitted without consent:

Tracking cookies track the behaviour of individual visitors over time and across websites. They always fall under cookie legislation and GDPR. Without consent, they are prohibited.

Device fingerprinting combines unique characteristics of a device to identify an individual user. Browser type, screen resolution, installed fonts – this is considered tracking of individuals and is prohibited without consent.

Cross-site tracking follows users across multiple websites. Advertising networks and social media platforms often do this. This also requires explicit consent.

Collecting PII (Personally Identifiable Information) such as names, email addresses, telephone numbers or individual IP addresses is only permitted with consent.

All these methods have one thing in common: they focus on identifying or tracking individual persons. And that’s precisely what GDPR provides protection against.

GDPR-Compliant Alternatives: How to Identify Companies Compliantly

There exists an alternative that is fully GDPR-compliant: cookieless company identification. Instead of tracking individual visitors, you identify the organisation from which the visitor originates.

How does this work? By utilising network metadata and IP ranges. Companies often use fixed IP ranges for their internet traffic. These ranges are public and linked to the organisation, not to individuals. By linking this business data to a company database, you can see which companies visit your website.

The legal basis for this is Article 6(1)(f) GDPR: legitimate interest. Because you only collect company data and don’t track individual persons, you don’t need explicit consent. However, you must be transparent about your data collection and offer an opt-out option.

The core requirements:

  • Collect ONLY business data (company name, sector, location)
  • Use NO cookies or fingerprinting
  • Don’t identify individual persons
  • Host your data within the EU
  • Ensure a clear privacy policy
  • Offer an opt-out option

This approach gives you valuable insights without GDPR risks. You see which companies show interest, which pages they visit and how often they return. Perfect for B2B lead generation.
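The lookup described in this section, as an added example (not Leadinfo's code): a visitor address is matched against known corporate IP ranges, only business data is written to the event log, and unknown ranges or opted-out companies record nothing. The ranges, company names and the function names `identify_company` and `record_visit` are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation-only address ranges and made-up companies.
COMPANY_RANGES = {
    "192.0.2.0/24": {"name": "Example Logistics BV", "sector": "Transport", "location": "Rotterdam"},
    "198.51.100.0/25": {"name": "Sample Software GmbH", "sector": "IT", "location": "Berlin"},
    "2001:db8:10::/48": {"name": "Example Logistics BV", "sector": "Transport", "location": "Rotterdam"},
}
OPTED_OUT = {"Sample Software GmbH"}  # companies that used the opt-out page

_INDEX = [(ipaddress.ip_network(cidr), data) for cidr, data in COMPANY_RANGES.items()]


def identify_company(remote_addr):
    """Map a visitor address to business data only; return None when nothing may be recorded."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None  # malformed address: record nothing
    matches = [(net, data) for net, data in _INDEX if ip in net]
    if not matches:
        return None  # not a known corporate range (e.g. consumer ISP): no fallback to the raw IP
    # Most specific range wins when ranges overlap.
    _, data = max(matches, key=lambda m: m[0].prefixlen)
    if data["name"] in OPTED_OUT:
        return None  # opt-out is honoured before anything is logged
    return dict(data)


def record_visit(remote_addr, path, log):
    """Append a company-level event to log; the address is used in memory and never written."""
    company = identify_company(remote_addr)
    if company is None:
        return False
    log.append({**company, "path": path})
    return True


if __name__ == "__main__":
    events = []
    for addr, path in [("192.0.2.77", "/pricing"), ("198.51.100.10", "/demo"), ("203.0.113.5", "/blog")]:
        record_visit(addr, path, events)
    print(events)
```

When auditing a tool against the core requirements above, the stored event schema is the thing to inspect: it should contain no address field and no per-visitor identifier.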

Leadinfo: 100% GDPR-Compliant Website Visitor Identification

Leadinfo is developed with privacy by design. The tool identifies companies – never individuals.

0 cookies, 0 fingerprinting, 0 personal data. Leadinfo uses no tracking cookies whatsoever. No fingerprinting technology either. No individual visitors are tracked or identified. The system is completely cookieless.

Company identification via IP ranges. Leadinfo analyses the IP address from which a visitor originates. This IP address is linked to a company’s IP range. Subsequently, company data is retrieved: name, sector, size, location.

ISO 27001:2022 certified. Leadinfo is certified by LRQA according to the ISO 27001:2022 standard for information security. Annual audits guarantee compliance.

EU-only hosting. All data is stored in EU data centres (Ireland and Frankfurt). No transfer to the US takes place. Leadinfo is fully Schrems II compliant.

35-40% identification rate. Leadinfo achieves an identification rate of 35-40% in Europe – the highest in the market. Of every 100 company visitors, 35-40 are identified with name and details.

Discover how to convert these identified companies into customers.

Practical Checklist: Is Your Tool GDPR-Compliant?

Use this checklist to assess whether your current identification tool is GDPR-proof:

Does the tool use cookies? If the answer is yes, you must use a cookie banner and ask for consent. Cookieless is always better for compliance and user experience.

Does it collect individual personal data? If the tool collects names, email addresses or individual IPs, strict GDPR requirements apply. Business data only is safer.

Is the data processor located outside the EU? Tools with American or non-EU servers bring Schrems II risks. This can lead to fines. EU-only hosting is the safe choice.

Does the tool have ISO 27001 or comparable certification? Information security is crucial. ISO 27001 demonstrates that the tool has processes and systems for data security.

Does the tool offer opt-out for companies? Companies must be able to indicate that they don’t want to be identified. A clear opt-out page is essential.

If your current tool fails on one or more points, you’re running GDPR risks.

Frequently Asked Questions

Can you identify website visitors without cookies under GDPR? Yes, provided you only collect company data and no individual personal data. Leadinfo uses cookieless technology based on network metadata and falls under legitimate interest (Article 6(1)(f) GDPR). Because companies are considered legal entities and not natural persons, identification at company level is permitted without explicit consent.

What’s the difference between business data and personal data? Personal data is data that is traceable to an individual person: name, email address, individual IP address, telephone number. Business data concerns the organisation as a whole: company name, sector, location, number of employees, IP range of the corporate network. Only personal data falls under strict GDPR requirements.

Is IP address tracking permitted under GDPR? An individual user’s IP address is personal data and requires consent for tracking. However, Leadinfo uses IP ranges at company level. These ranges are business data and identify the organisation, not the person. This falls under legitimate interest and doesn’t require explicit consent. The IP address itself is not stored.

Where is Leadinfo’s data stored? All data is stored in EU data centres, specifically in Ireland (AWS eu-west-1) and Frankfurt (AWS eu-central-1). No transfer to the United States or other countries outside the EU takes place. Leadinfo thereby fully complies with Schrems II requirements and GDPR guidelines for international data transfers.

Does Leadinfo have ISO certification? Yes, Leadinfo is ISO 27001:2022 certified by LRQA. This is the international standard for information security management systems. The certification is annually verified through an independent surveillance audit to guarantee compliance. More information can be found on the GDPR page.
