Skip to main content
GDPR-Compliant Visitor Identification: What Is Actually Allowed in 2026
Lead Generation

GDPR-Compliant Visitor Identification: What Is Actually Allowed in 2026

A
Amine Kharbouch
July 7, 2026
11 min read

If your website gets EU traffic and you want to know which companies are visiting, you can generally do that legally. Company-level visitor identification works from business data and typically operates under GDPR's legitimate interest basis. Person-level identification, meaning putting a name and a work email on an anonymous visitor, is a different animal: for EU visitors it effectively requires consent that almost nobody grants, which is why the vendors that offer it, including my own product, restrict it to US traffic. I run VisiLead, a visitor identification platform, so I answer these questions from buyers every week. Here is what GDPR actually requires, how the main platforms handle it in 2026, and what to check before you buy. One caveat up front: I am a founder, not a lawyer, and nothing here is legal advice.

Company-Level Identification Is Workable Under GDPR, Person-Level Is Not

Company-level website visitor identification generally operates under GDPR's legitimate interest basis, while person-level identification of EU visitors effectively requires opt-in consent, which is why person-level features are restricted to US traffic on the major platforms that offer them.

That distinction matters more than anything else in this category. Company-level tools take a visitor's IP address, match it against a database of business IP ranges, and tell you that someone from a specific company looked at your pricing page. The output is firmographic data about an organization, not data about a person. Company names, industries, and employee counts are not personal data.

The input is a different story. The Court of Justice of the EU established in the Breyer case that IP addresses can be personal data, so the matching step is still processing under GDPR. This is why credible vendors do not claim to sit outside GDPR. They claim a lawful basis under it, almost always legitimate interest under Article 6(1)(f), and they back it with a data processing agreement and short retention of the raw IP data.

Person-level identification works completely differently. It matches visitors against identity graphs built from cookies, device IDs, and permissioned data partnerships to return an actual name, a LinkedIn profile, and an email address. For an EU visitor that is profiling of an identifiable individual, and between GDPR and the ePrivacy rules on accessing information stored on a device, it effectively requires opt-in consent. Consent rates for that kind of tracking are extremely low, so no major vendor attempts it in Europe. This is the whole reason RB2B runs person-level identification on US traffic only, and it is why VisiLead identifies companies globally but individual people only on US traffic. A vendor claiming person-level identification of EU visitors without consent should worry you, not impress you.

What GDPR Actually Requires From You and Your Vendor

To run visitor identification on EU traffic you need four things in place: a documented lawful basis, a signed data processing agreement, data minimization in practice, and a working opt-out.

  1. A lawful basis, usually legitimate interest. Article 6(1)(f) lets you process personal data when your legitimate interest is not overridden by the visitor's rights. Recital 47 explicitly says direct marketing may qualify as a legitimate interest. For B2B company identification the balancing test is usually favorable: you are learning which businesses visit your business website, the intrusion on any individual is low, and the data revealed is corporate. You should still write down a short legitimate interest assessment. Regulators ask for it, and it takes an hour.
  2. A data processing agreement. Under Article 28 the vendor processes data on your behalf, so you need a DPA covering what they process, their sub-processors, where data is hosted, and how international transfers are handled. Any vendor that cannot produce a DPA on request is disqualified, whatever their homepage says.
  3. Data minimization and retention limits. Article 5(1)(c) requires you to process only what you need. In practice: filter out ISP and junk traffic instead of storing it, keep raw IPs briefly, and set retention windows that match how long the data is actually useful to sales.
  4. A real opt-out. Article 21 gives visitors the right to object to processing based on legitimate interest. Your privacy policy needs to disclose the identification and offer a way out, and your tooling should respect browser-level signals like Global Privacy Control rather than making people email you.

One more layer sits alongside GDPR: the ePrivacy rules. If a tool sets cookies or reads device identifiers to identify visitors, that access itself requires consent regardless of your GDPR lawful basis. Cookieless IP-based company identification avoids that trigger, which is why most EU-focused vendors are cookieless by design. If you want a grounding in how the tracking itself works before going deeper on compliance, our website visitor tracking guide covers the mechanics.

How the Main Vendors Handle GDPR in 2026

Every major visitor identification vendor takes one of three approaches to GDPR: EU-hosted company-level identification under legitimate interest, US-only person-level identification, or a hybrid that does both with consent controls per region.

PlatformIdentification levelGDPR approachEntry price
LeadfeederCompany onlyBuilt and hosted in the EU, legitimate interest, DPA providedFrom 79 EUR/mo annual, free Lite tier
LeadinfoCompany onlyEU-only hosting, cookieless matching, ISO 27001From 69 EUR/mo
AlbacrossCompany onlyEuropean vendor, GDPR and CCPA positioningFrom 59 EUR/mo annual
Lead ForensicsCompany onlyProprietary IP database, quote-only pricingQuote only, about 6,000 USD/yr entry per third-party data
RB2BCompany global, person US-onlyPerson-level restricted to US traffic by designFree company-level tier, 79 USD/mo for person-level
VisiLeadCompany global, person US-onlyConsent-gate mode, Global Privacy Control honoredFree plan, then 29 USD/mo

Leadfeeder

Leadfeeder is the reference point for GDPR-first company identification: built and hosted in the EU, company-level only, operating under legitimate interest with a DPA provided. That posture is a genuine selling point for teams with mostly EU, DACH, or Nordics traffic. Note that the contact emails and phone numbers on its higher Activate plan come from a separate B2B contact database, not from identifying the actual visitor, so the privacy analysis stays company-level. Paid plans start at 79 EUR/mo billed annually, and the billing terms deserve a close read before you sign; see our Leadfeeder pricing breakdown and the full VisiLead vs Leadfeeder comparison.

Leadinfo and Albacross

Leadinfo and Albacross are the picks when European data posture is a hard requirement. Leadinfo runs cookieless IP-to-company matching with EU-only hosting and ISO 27001 certification, starting at 69 EUR/mo, and acquired Visitor Queue in January 2026 to shore up its weaker North American coverage. Albacross positions on GDPR and CCPA compliance with its strongest identification rates in Europe, starting at 59 EUR/mo on annual billing. The trade-off is real on both: reviewers consistently report weak North American match rates, with one Albacross G2 reviewer flatly saying it has no support for North America. If your traffic is mostly US, an EU-first database is the wrong tool no matter how clean the compliance story is.

RB2B

RB2B shows exactly what the person-level trade-off looks like in practice. Its person-level identification, the core of the product, is US-only by design, matching visitors against a proprietary database of permissioned profiles. Company-level identification is global through a reverse-IP partnership and is the part RB2B positions as GDPR-compliant internationally. Since January 2026 the free plan is company-level only, with person-level starting on the 79 USD/mo Starter plan. If you are weighing it against us, the VisiLead vs RB2B comparison covers the differences in detail.

Lead Forensics

Lead Forensics is company-level only, matching visitors against what it calls the largest owned B2B IP database of its kind. There is no person-level visitor identification. Pricing is quote-only on annual contracts, with third-party quote data putting entry contracts around 6,000 USD/yr, so most smaller teams end up looking at Lead Forensics alternatives before the compliance question even comes up.

VisiLead

VisiLead handles GDPR with three specific mechanisms rather than a badge on the homepage. First, company-level identification runs on business data globally, the same legitimate-interest model as the EU vendors, while person-level identification is US traffic only. Second, consent-gate mode: add data-consent=manual to the tracking script and it stays completely inert until your consent management platform explicitly tells it to run, which lets you slot identification into an existing cookie banner flow. Third, Global Privacy Control is honored automatically, so visitors broadcasting an opt-out signal are opted out without writing to support. We also filter junk and ISP traffic before it is stored, which serves data minimization and your wallet at the same time, since credits are only spent on successfully identified companies or people. The free plan includes 10 credits with no credit card, and paid plans start at 29 USD/mo; full details on pricing.

What the best built-in privacy features look like

The visitor intelligence platforms with the best built-in GDPR and privacy compliance features share five traits: cookieless or consent-gated data collection, automatic handling of opt-out signals like Global Privacy Control, transparent hosting and sub-processor documentation, aggressive filtering of junk traffic, and a DPA you can get without a sales call. Use those five as your screen and most of the vendor marketing noise falls away. For a wider look at the tools themselves, the comparison hub and our roundup of the best B2B funnel analytics tools are good starting points.

A GDPR Compliance Checklist Before You Buy

Before buying a visitor identification platform, verify eight things: identification level per region, DPA availability, hosting and sub-processors, your lawful basis documentation, privacy policy updates, consent integration, opt-out handling, and retention settings.

  1. Confirm what the tool identifies in each region. Company-level everywhere and person-level US-only is the defensible pattern in 2026.
  2. Get the DPA before the demo call ends. Read the sub-processor list and the international transfer mechanism.
  3. Ask where visitor data is hosted and whether EU traffic data stays in the EU, if that matters to your DPO or your customers.
  4. Write a short legitimate interest assessment covering why you identify visiting companies and why the impact on individuals is minimal.
  5. Update your privacy policy to disclose visitor identification, the provider, the lawful basis, and the objection route.
  6. Wire the script into your consent flow if your legal team wants consent gating. Check the vendor actually supports a manual consent mode rather than loading by default.
  7. Verify opt-out signals work. Send a request with Global Privacy Control enabled and confirm the visit is not processed.
  8. Set retention to what sales actually uses. If nobody looks at visits older than 90 days, do not store a year.

What a Vendor Saying GDPR Compliant Actually Means

No visitor identification vendor can make you GDPR compliant, because under GDPR you are the data controller and the vendor is only your processor. The vendor's job is to give you compliant infrastructure: lawful data sourcing, a DPA, EU hosting options, consent controls, opt-out handling. Your job is the lawful basis, the disclosures, and the decision to use the tool at all.

Two more honest limits. First, GDPR compliant on a homepage is a marketing claim, not a certification; nobody issues an official GDPR stamp, so the DPA and the technical controls are the evidence that counts. Second, enforcement posture varies by country. German data protection authorities, for example, read legitimate interest more narrowly than most, so a setup that is uncontroversial for French traffic may deserve a second look if the DACH region is your core market. If EU traffic is a large share of your revenue, spend the money on an hour with a privacy lawyer. It is the cheapest insurance in this whole category, and it is the one thing no blog post, including this one, can replace.

Frequently Asked Questions

Q: Is website visitor identification legal under GDPR? A: Company-level identification is generally lawful under GDPR's legitimate interest basis, because the output is firmographic data about a business rather than personal data about an individual. You still need a DPA with the vendor, a documented legitimate interest assessment, a privacy policy disclosure, and an opt-out route, since the IP matching step itself is processing under GDPR.

Q: Why is person-level visitor identification US-only on major platforms? A: Identifying the individual person behind a visit requires matching cookies, device IDs, and identity-graph data, which for EU visitors requires opt-in consent under GDPR and the ePrivacy rules. Almost no visitor consents to that, so vendors like RB2B and VisiLead simply do not run person-level identification on non-US traffic and offer company-level identification globally instead.

Q: Do I need a cookie banner to use a visitor identification tool? A: Not necessarily. Cookieless tools that identify companies from IP addresses do not trigger the ePrivacy consent requirement that cookies do. Many legal teams still prefer to gate the script behind consent anyway, which is why VisiLead offers a data-consent=manual mode that keeps the script inert until your consent platform activates it.

Q: Is an IP address personal data under GDPR? A: Yes, the Court of Justice of the EU held in the Breyer case that IP addresses can be personal data. That means even company-level identification involves processing personal data at the matching step, which is why vendors rely on legitimate interest as a lawful basis and keep raw IP retention short rather than claiming GDPR does not apply.

Q: What is Global Privacy Control and do visitor identification tools honor it? A: Global Privacy Control is a browser signal that broadcasts a visitor's opt-out preference automatically. It is legally binding for California traffic under CCPA and maps naturally to the GDPR right to object. Support varies by vendor, so test it; VisiLead honors GPC out of the box and skips processing for visitors sending the signal.

Q: Which visitor identification platform is the most GDPR-friendly? A: For EU-heavy traffic, Leadfeeder, Leadinfo, and Albacross all offer EU-based, company-level-only identification with strong European coverage. For mixed or US-heavy traffic, a hybrid like VisiLead gives you company-level identification globally, person-level identification on US traffic only, consent gating, and Global Privacy Control support, starting at 29 USD/mo with a free plan to test on your own traffic.

Amine Kharbouch
Amine KharbouchFounder, VisiLead

Writes about B2B revenue tooling — visitor identification, intent data, and how mid-market teams operationalize buyer signals without enterprise budgets.

Ready to identify your website visitors?

Start converting anonymous traffic into qualified leads with VisiLead. Free plan available — no credit card required.

Get Started Free