UK & GDPR
Is website visitor tracking legal in the UK?
The short answer
Yes — B2B website visitor identification can be operated lawfully in the UK. Company-level identification (matching a visit to a business) generally isn't personal data. Where personal data is involved, the usual lawful basis is legitimate interest under Article 6(1)(f) of the UK GDPR, which requires a documented assessment, transparency in your privacy policy, and an opt-out. This is general guidance, not legal advice.
Not legal advice
This article is general information about UK data protection, not legal advice. Consult your DPO or a data protection professional for your specific circumstances.
Is company-level identification personal data?
Generally, no. UK GDPR governs personal data — information relating to an identified or identifiable living individual. Company-level identification tells you the organisation behind a visit: its name, industry, size, and location. That information relates to a business, not a specific person, so it usually falls outside the definition of personal data.
The distinction matters because it shapes your obligations. Matching a visit to “Acme Ltd” is different from identifying a named individual at that company. The moment you attach a person — a name, job title, or contact details — you are processing personal data, and the rules below apply.
What lawful basis applies when personal data is involved?
When personal data is processed, the usual lawful basis for B2B visitor identification is legitimate interest under Article 6(1)(f) of the UK GDPR. Relying on it isn't automatic — it requires a three-part test:
- 01 Purpose — identify a real, specific business interest, such as following up with companies showing buying intent.
- 02 Necessity — show the processing is a reasonable way to achieve that purpose, with no less intrusive alternative.
- 03 Balancing — weigh your interest against the individual's rights and reasonable expectations.
You should document this in a Legitimate Interests Assessment (LIA), be transparent about the processing in your privacy policy, and give individuals a clear way to opt out. Read our GDPR explainer for how Warm AI applies this in practice.
What about cookies and PECR?
Separately from UK GDPR, cookies and similar storage are governed by the Privacy and Electronic Communications Regulations (PECR), which can require consent before storing or reading information on a visitor's device — regardless of your GDPR lawful basis. Whether consent is needed depends on how your tracker works.
Read the cookie-consent guide
What do you need to do to stay compliant?
- Document your lawful basis for any personal data you process.
- Run a Legitimate Interests Assessment and keep it on file.
- Publish a clear privacy policy describing the processing.
- Offer a straightforward opt-out.
- Use a tool that handles UK and EU traffic at company level first, enriching to person-level only where permitted.
Warm AI is built around these rules — see how Warm AI handles UK traffic or the GDPR explainer.
Frequently asked questions
Yes, when done correctly. Company-level identification generally isn't personal data, so it falls outside UK GDPR's core restrictions. Where personal data is involved, the usual lawful basis is legitimate interest under Article 6(1)(f), which requires a documented assessment, transparency, and an opt-out.
Want to see how this works in practice for a UK business?
See how Warm AI handles UK traffic