Website visitor identification is one of the most powerful tools in modern B2B sales — resolving anonymous website traffic to named individuals and companies, so your team can follow up with genuine intent data. But in Europe, it comes with a compliance minefield that trips up most companies.
The uncomfortable truth: the majority of popular visitor identification tools either violate GDPR by default or sidestep it entirely by simply refusing to identify EU visitors at the person level. Neither approach is acceptable if you are a global company or an EU-based business trying to generate pipeline from your website traffic.
This guide explains exactly what GDPR requires, why so many tools fall short, what to look for in a genuinely compliant solution, and how to implement visitor identification without putting your legal team on edge.
Why Most Visitor Identification Tools Fail GDPR
GDPR (General Data Protection Regulation) applies whenever you process personal data of individuals in the European Economic Area — regardless of where your company is headquartered. An American SaaS company whose pixel fires on an EU resident's browser is subject to GDPR.
Most visitor identification tools were built by US companies for US companies, using data infrastructure built around US privacy norms — which are dramatically more permissive than the EU's. When these companies encounter GDPR, they typically take one of three approaches, all of which are problematic:
The Three Compliance Failure Modes
1. Fire everywhere, document nothing
The pixel runs unconditionally. No consent gate, no privacy policy disclosure, no DPA with customers. This is the most common — and most legally exposed — approach.
2. Just skip EU visitors (the “US-only” workaround)
Tools like RB2B explicitly limit person-level identification to US IP addresses. This technically avoids GDPR liability for person-level processing but completely destroys the value of the tool for EU traffic. You pay the same price and see nothing for European visitors.
3. Claim consent without proper gating
The privacy policy mentions “cookies and tracking” somewhere, but the pixel fires immediately on page load regardless of consent state. Recording a consent decision after the fact does not satisfy GDPR's prior consent requirement for non-essential tracking.
The US-Only Problem: A Legal and Commercial Trap
RB2B is the most prominent example of a tool that explicitly chose US-only person-level identification as its GDPR strategy. Its support documentation states this directly: person-level identification is limited to US-based visitors.
For a US-only company with exclusively US traffic, this is a usable solution. For everyone else, it creates two simultaneous problems:
- You still have GDPR exposure. Even though RB2B doesn't perform person-level EU identification, the pixel itself still fires on EU visitors' browsers. Depending on what signals it collects and transmits even at the company level, there may still be GDPR obligations — particularly around IP address processing (the CJEU has ruled that dynamic IP addresses can constitute personal data).
- You lose all EU pipeline. If 30–60% of your website traffic comes from Europe — which is typical for B2B SaaS companies with global markets — you are leaving that entire segment completely dark. No person-level identification, no outreach, no pipeline from a substantial portion of your total addressable market.
Real Cost Illustration
If your website gets 10,000 monthly visitors and 40% are from Europe, a US-only tool identifies visitors from 6,000 of them at best. Cursive's 70% identification rate across global traffic means identifying up to 7,000 visitors — including the 4,000 EU visitors the US-only tool ignores entirely. At typical B2B deal values, that's not a minor gap.
GDPR Legal Bases for Visitor Identification
GDPR (Art. 6) requires a valid legal basis for any processing of personal data. For visitor identification, two bases are most relevant:
Option 1: Explicit Consent (Art. 6(1)(a))
The visitor must actively opt in before the pixel fires. This typically means a cookie consent banner that presents clear choices — and the identification pixel only loads after the visitor clicks “Accept.”
- Must be freely given, specific, informed, and unambiguous
- Granular — visitors must be able to accept analytics without accepting visitor identification, or vice versa
- Withdrawal must be as easy as granting consent
- You must maintain timestamped records of consent decisions
- Silence, pre-ticked boxes, or continued browsing do NOT constitute valid consent
Option 2: Legitimate Interests (Art. 6(1)(f))
For B2B contexts, legitimate interests can be a valid basis for visitor identification — but only when you have properly documented it with a Legitimate Interests Assessment (LIA). The three-part test:
- Purpose test: Do you have a genuine, specific legitimate interest? (B2B marketing and lead generation — yes)
- Necessity test: Is the processing necessary for that purpose? (Visitor identification is the most direct method — yes)
- Balancing test: Do the individual's privacy interests override yours? For B2B professionals receiving relevant commercial outreach in their professional capacity, this is generally defensible — but you must document the reasoning
Important: Legitimate interests is harder to justify for B2C sites, sensitive categories of data, or systematic profiling. For standard B2B SaaS identifying business professionals visiting a commercial website, it is the most common and defensible approach — when documented properly.
What to Look for in a GDPR-Compliant Visitor Identification Tool
Not all tools market their compliance capabilities equally. Here are the six questions to ask before deploying any visitor identification pixel:
Do they provide a Data Processing Agreement (DPA)?
Required under GDPR Art. 28. Any vendor that processes personal data on your behalf must sign a DPA. If they can't or won't, that's a legal red flag.
Do they support Consent Management Platform (CMP) integration?
The pixel should be blockable via a CMP so it doesn't fire until consent is given. Standard with quality tools — absent from many US-only platforms.
Do they maintain Standard Contractual Clauses (SCCs) for EU→US transfers?
Personal data flowing from EU users to US servers requires SCCs or equivalent safeguards post-Schrems II. Verify your vendor has these in place.
Is a Legitimate Interests Assessment (LIA) available?
For customers relying on legitimate interests as their legal basis, the vendor should be able to provide documentation supporting this position.
Is there a right to erasure / opt-out mechanism?
GDPR grants individuals the right to object to data processing and request erasure. Your vendor must support this workflow.
Does it actually identify EU visitors at the person level?
This is the commercial test. A tool that achieves GDPR compliance by simply not identifying EU visitors has solved the legal problem by eliminating the product value.
GDPR Compliance Comparison: Major Visitor ID Tools
| Tool | Global Person ID | CMP Support | DPA Available | Consent Records | EU-Ready |
|---|---|---|---|---|---|
| Cursive | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| RB2B | ✗ US-only | ~ Partial | ~ Limited | ✗ No | ✗ No person-level |
| Warmly | ~ Limited | ✓ Yes | ✓ Yes | ~ Partial | ~ Company-only EU |
| Leadfeeder | Company only | ✓ Yes | ✓ Yes | ✓ Yes | Company only |
| Lead Forensics | Company only | ✓ Yes | ✓ Yes | ~ Partial | Company only |
Notice the pattern: the tools that achieve broad EU compliance do so by only identifying companies — not individual people. Only Cursive provides both global person-level identification and the compliance infrastructure to support it legally. RB2B's approach is not GDPR compliance — it is GDPR avoidance by product design, at the cost of EU pipeline.
How Cursive Approaches GDPR Compliance
Cursive is built for global B2B teams. That means GDPR compliance is not an edge case — it is a core product requirement. Here is what we do:
Consent-gated pixel loading
Our marketing site uses a Consent Management Tool that blocks all non-essential tracking — Google Analytics, visitor identification pixels — until the visitor explicitly clicks Accept. The pixel never fires before consent.
Timestamped consent records
We record the date, time, and version of the consent notice presented, stored in browser localStorage and available for audit on request.
Data Processing Agreement on request
All Cursive customers can request a DPA covering our processing of personal data as part of the identification service.
Legitimate Interests Assessment available
For customers who rely on legitimate interests as their GDPR legal basis, we can provide supporting documentation for review by your legal team.
Global identification — not a US-only workaround
We identify visitors from the EU, UK, Canada, and APAC with the same person-level precision as US visitors, using infrastructure built to process international data with appropriate safeguards.
Opt-out and erasure support
Individuals can request removal from our identification database by emailing privacy@meetcursive.com. We honor these requests.
5 Steps to Make Your Visitor Identification GDPR Compliant
Whether you are implementing visitor identification for the first time or auditing an existing deployment, these five steps ensure you are covered:
Install a CMP and gate your pixel behind consent
Deploy a Consent Management Platform (or use a tool with built-in CMP integration). Configure it so your visitor identification pixel only loads after the visitor clicks Accept on your cookie/tracking banner. Never fire the pixel on page load unconditionally.
Update your privacy policy to disclose visitor identification
Add a specific section explaining that you use visitor identification technology, what data is collected, why (your legal basis), which third parties are involved, and how visitors can opt out. Generic 'we use cookies' language is not sufficient.
Document your legitimate interests basis (or confirm you have consent)
Write a Legitimate Interests Assessment documenting your purpose, why it's necessary, and the balancing test outcome. Keep it on file — supervisory authorities can request it.
Sign a Data Processing Agreement with your vendor
Request a DPA from your visitor identification provider. If they can't provide one, find a different vendor. This is a non-negotiable legal requirement under GDPR Art. 28.
Implement an opt-out and erasure mechanism
Publish a clear opt-out path in your privacy policy (email address, web form, or browser-level mechanism). Test that it actually works — honoring the right to erasure is an enforceable obligation.
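A minimal sketch of the consent gate from step 1, with the granular, timestamped, withdrawable consent record described under Option 1. This is an added example, not Cursive's code or any CMP's API; the notice version, storage key, category names and the `createConsentGate` / `memoryStorage` helpers are assumptions made for illustration.

```javascript
// Added example. Notice version, storage key and category names are assumptions.
const NOTICE_VERSION = "2024-01";
const STORAGE_KEY = "consent_record";
const CATEGORIES = ["analytics", "visitor_identification"];

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// loaders maps each category to a function that injects that vendor's script tag.
function createConsentGate(storage, loaders, now = () => new Date()) {
  const loaded = new Set();

  function read() {
    try {
      const rec = JSON.parse(storage.getItem(STORAGE_KEY));
      // Missing, corrupt, or recorded against an older notice version: no consent.
      const ok = rec && rec.version === NOTICE_VERSION && rec.choices && typeof rec.choices === "object";
      return ok ? rec : null;
    } catch {
      return null;
    }
  }

  // Call on every page load: runs only the loaders that have a stored opt-in.
  function apply() {
    const rec = read();
    for (const cat of CATEGORIES) {
      if (rec && rec.choices[cat] === true && !loaded.has(cat)) {
        loaders[cat]();
        loaded.add(cat);
      }
    }
    return [...loaded];
  }

  // Call from the banner's buttons; decide({}) is a full withdrawal.
  function decide(choices) {
    const clean = {};
    for (const cat of CATEGORIES) clean[cat] = choices[cat] === true; // only an explicit true opts in
    const record = { version: NOTICE_VERSION, timestamp: now().toISOString(), choices: clean };
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    // A script that is already running cannot be unloaded; the caller must reload the page.
    const needsReload = [...loaded].some((cat) => !clean[cat]);
    apply();
    return { record, needsReload };
  }

  return { read, apply, decide };
}
```

In a browser, pass `window.localStorage` as `storage` and loaders that append the vendor's `<script>` element, and call `apply()` once on page load so nothing fires before a stored opt-in exists.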
See Cursive's GDPR-Compliant Identification in Action
If your current visitor identification setup is US-only, lacks a DPA, or fires unconditionally without consent gating — you have both a compliance gap and a pipeline gap. Cursive solves both. Get a free visitor identification audit to see what you are missing from your EU and global traffic.
