Visitor Identification on B2B Websites: Does Company Data Fall Under GDPR?

If you manage a B2B website, you want to know which companies are showing interest. Visitor identification makes this possible. But does this fall under GDPR? And can you use this technology without consent? In this article, we explain how visitor identification works, why company data doesn't fall under GDPR, and how to deploy this technology legally. Plus: what you need to arrange to guarantee compliance.

The core: visitor identification at company level does not fall under personal data. You identify the company behind a website visit, not the individual person. This makes it legally different from systems that collect personal data. Yet it’s essential to understand what is and isn’t allowed, and how to implement this in a fully GDPR-compliant way.

What is visitor identification and how does it work?

Visitor identification is a technology that identifies companies based on their website visits. This happens via IP addresses and network metadata. An IP address is linked to a company through public registrations and network data.

Modern systems use cookieless technology. This means: no cookies, no device fingerprinting, no cross-site tracking. All that happens is that IP information is compared with a company database. The result: you see which company visited your site, which pages they viewed, and how often they returned.

The difference with personal identification is crucial. Visitor identification via Leadinfo shows only company name, sector, size, and location. No name, email address, or personal identifier is recorded. This distinction determines whether GDPR applies.

Company data vs. personal data under GDPR

GDPR protects personal data: information that is directly or indirectly traceable to a natural person. Examples: name, email address, phone number, but also a unique cookie identifier.

Company data does not fall under this. Information such as company name, registration number, sector, number of employees, and business address are not traceable to an individual. These are public company data that are freely accessible.

Is an IP address personal data?

An IP address can be personal data, depending on the context. For an internet provider that can link the IP to a specific household, it is personal data. For you as a website administrator, usually not — unless you collect additional data that allows you to link the IP to a person.

In B2B visitor identification, the IP address is only used to identify the company. No personal profile is built. The Data Protection Authority and case law confirm: the distinction between B2B and B2C is decisive for the legal qualification.

Legitimate interest as legal basis

If visitor identification processes company data, you don’t need explicit consent. The lawful basis is Article 6(1)(f) GDPR: legitimate interest.

This means three things:

  1. You have a legitimate business interest: insight into which companies are showing interest.
  2. The processing is proportionate: only company level, no personal identification.
  3. The visitor’s interests are not disproportionately harmed: there is no invasion of privacy.

The balancing of interests is simple. You want to know which companies visit your website for targeted follow-up. The visitor remains anonymous as a person. The company is publicly accessible in business registers.

Transparency requirements

You must be transparent. This means:

  • Privacy policy: explain that you use visitor identification and why.
  • Opt-out option: offer companies the opportunity to unsubscribe.
  • Clear purpose limitation: use the data only for sales and marketing, not for other purposes.

More information about GDPR compliance can be found on Leadinfo’s GDPR page.

Cookieless visitor identification and GDPR compliance

Cookies fall under the ePrivacy Directive (also known as the Cookie Law). This requires consent for non-essential cookies. Cookieless visitor identification bypasses this completely.

How does cookieless technology work?

  • Network metadata: the IP address and associated network data are analysed.
  • ASN mapping: Autonomous System Numbers link IP ranges to organisations.
  • No fingerprinting: no unique browser or device identifier is created.
  • No tracking cookies: nothing is stored in the visitor’s browser.

This makes cookieless identification legally valid without consent. You stay within the boundaries of GDPR and ePrivacy.
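The lookup described above, as an added example that is not Leadinfo's code: an IP is matched against a network table by longest prefix, and only a company-level record leaves the function. The table contents, the "isp" marker for access-provider ranges, the opt-out set and all function names are assumptions built on documentation IP ranges and ASNs.

```python
import ipaddress

# Constructed sample data: documentation IP ranges (RFC 5737), documentation
# ASNs (RFC 5398) and made-up organisations. A real table is an assumption here.
NETWORK_TABLE = [
    # (CIDR, ASN, organisation, kind); kind "isp" marks access-provider ranges
    ("198.51.100.0/24", 64500, "Example Access ISP", "isp"),
    ("198.51.100.128/25", 64501, "Example Manufacturing BV", "business"),
    ("203.0.113.0/24", 64502, "Example Logistics GmbH", "business"),
]
OPTED_OUT = {"Example Logistics GmbH"}  # companies that used the opt-out

_PARSED = [(ipaddress.ip_network(c), asn, org, kind)
           for c, asn, org, kind in NETWORK_TABLE]


def resolve_company(ip_text):
    """Return a company-level record for ip_text, or None if nothing may be kept."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed input is dropped, not logged
    matches = [row for row in _PARSED
               if row[0].version == ip.version and ip in row[0]]
    if not matches:
        return None
    # Longest prefix wins: a business block carved out of an ISP range
    # must not be attributed to the ISP, and vice versa.
    _net, asn, org, kind = max(matches, key=lambda row: row[0].prefixlen)
    if kind != "business" or org in OPTED_OUT:
        return None  # access-provider range or opted-out company
    return {"company": org, "asn": asn}  # the IP itself is not part of the record


def company_page_views(requests):
    """Aggregate (ip, path) pairs into per-company page counts without keeping IPs."""
    counts = {}
    for ip_text, path in requests:
        record = resolve_company(ip_text)
        if record is None:
            continue
        key = (record["company"], path)
        counts[key] = counts.get(key, 0) + 1
    return counts
```
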

ISO 27001 and EU hosting as trust signals

Compliance goes beyond legal texts. Reliable providers offer:

  • ISO 27001:2022 certification: annually audited information security.
  • EU-only hosting: data remains within European borders (Ireland, Frankfurt).
  • Transparent data processing agreement: clear arrangements about data processing.

This eliminates risks such as US data transfers (Schrems II issue) and ensures full compliance with European legislation.

Practical example: Leadinfo and GDPR compliance

Leadinfo is an example of GDPR-proof visitor identification. The core:

  • Company identification only: no names, email addresses or personal data.
  • Cookieless: no consent required under ePrivacy.
  • EU hosting: servers in Ireland and Frankfurt, no US transfers.
  • ISO 27001:2022 certified: annual audits by LRQA.
  • Transparent opt-out: every company can unsubscribe within 48 hours.

This model demonstrates that visitor identification is fully legitimate, provided you only process company-level data, are transparent via your privacy policy, offer an opt-out, and work with an ISO-certified, EU-hosted provider.

Result: you gain valuable insights without GDPR risks.

Key compliance considerations

Want to deploy visitor identification in a GDPR-compliant way? Pay attention to these points:

  1. Clear privacy policy: explain that you use visitor identification, based on legitimate interest, and that you only process company data.
  2. Functioning opt-out: ensure companies can unsubscribe and implement this within 48 hours.
  3. EU hosting and ISO 27001: choose a provider that meets European standards and is audited annually.
  4. Document balancing of interests: include this in your processing register (Article 30 GDPR).
  5. No personal identifiers: never process names, email addresses or other direct personal data via visitor identification.

These steps guarantee that you remain within the boundaries of GDPR and ePrivacy. You minimise legal risks and build trust with visitors.

Frequently asked questions

Is visitor identification allowed under GDPR?

Yes, visitor identification is permitted under GDPR, provided you only process company data and do not perform personal identification. The lawful basis is Article 6(1)(f) GDPR: legitimate interest. You must be transparent via your privacy policy and offer an opt-out option.

Do I need to ask for consent for visitor identification?

No, if you use cookieless technology and only apply company-level identification, consent is not required. The ePrivacy Directive (Cookie Law) only requires consent for cookies. Cookieless visitor identification does not fall under this. However, you must communicate clearly in your privacy policy.

Does an IP address fall under personal data?

An IP address can be personal data, depending on the context. For an internet provider that can link the IP to a household, this is the case. In B2B visitor identification, however, the IP is only used to identify the company, not the individual user. This makes it legally a different matter.

What is the difference between company data and personal data?

Company data such as company name, registration number and sector does not fall under GDPR because it is not traceable to a natural person. Personal data is directly or indirectly traceable to an individual (name, email, phone number). With visitor identification at company level, you only collect company data, not personal data.

How do I ensure my visitor identification is GDPR-compliant?

Use a provider that works cookieless, offers EU hosting (no US data transfers), is ISO 27001 certified, and processes only company data. Also ensure a clear privacy policy explaining visitor identification, and offer a functioning opt-out option. Document your balancing of interests in your processing register.
