Website visitor identification on autopilot: The GDPR and UWG traps
The functions of Leadinfo and Leadfeeder are very attractive for sales teams: In addition to identifying companies, they also provide the names, positions and direct email addresses of potential contact persons. With Leadinfo's “Autopilot”, even fully automated cold-calling email campaigns can be run directly from the software. But this apparent convenience carries significant legal risk. That is why we take a close look at the data protection and competition law pitfalls: the scraping of contact data, misleading cookie consent handling, and the possible incitement to unlawful conduct through cold-calling infrastructure.

The Big Promise
In our recent comparative test of the B2B visitor recognition solutions Leadfeeder, Leadinfo and SalesViewer, we noticed a significant difference: While SalesViewer focuses on pure company identification, Leadfeeder and Leadinfo also directly provide extensive personal contact information for the recognized companies. In the company details, you get access to contact names, LinkedIn URLs and business email addresses, and in some cases even telephone numbers. Leadinfo goes one remarkable step further: The tool integrates a marketing automation module called “Autopilot”, which lets users address these extracted contacts fully automatically via email sequences or LinkedIn messages. What sounds like a major relief for the sales team turns out to be highly problematic from a legal point of view.
Where does this personal data come from? (Article 14 GDPR & AVV case)
If hundreds of personal email addresses of employees of the recognized company suddenly appear in a dashboard for a single IP address, the question of where this data comes from is inevitable. Vendors presumably collect it by scraping business networks such as LinkedIn, or by buying it from external brokers and services (such as Apollo.io, Hunter.io or Cognism) and merging the results.
An information duty that is not being met: These data sets (name, photo, email address, etc.) are undoubtedly personal data. Under Article 14(3) GDPR, a controller that has not collected personal data directly from the data subject must inform him or her within a reasonable period and at the latest within one month. The providers are building large address books. It is doubtful that they inform those affected about this storage as the GDPR requires (none of the affected Publicare employees has been informed so far).
Divided responsibility (controller vs. processor): Many users may be lulled into believing that the system is used solely as part of ordinary processing on their behalf. A closer look at Leadinfo's data processing agreement (AVV/DPA), however, reveals a legally explosive split. It states that Leadinfo acts as a processor for the customer with respect to pure website tracking. When “maintaining and enriching the Leadinfo database,” however, the provider expressly acts as a controller in its own right. Leadinfo is therefore building a customer-independent data pool that is not covered by the processing it performs on behalf of the website operator.
GDPR responsibility of the customer: If Leadinfo (as controller) transmits address data from this data pool to its customers, the customers become controllers of that data themselves and may in turn be required to inform the data subjects under Article 14 GDPR. In addition, the transfer of address data from Leadinfo to its customers needs a legal basis under Article 6 GDPR, which is quite problematic given how little the data can lawfully be used (more on this in a moment).
The Cold Calling Trap (UWG)
Simply providing email addresses is one thing, using them for sales is another. Displaying personal email addresses in the company details practically invites users into a “calculated breach of the law.”
§ 7 UWG and the prohibition of email advertising: In Germany (as in many other EU countries), Section 7 UWG sets strict requirements for commercial contact. Even in a B2B setting, advertising by email without the recipient's prior express consent (opt-in) is permitted only under the narrow exception of § 7(3) UWG, which requires, among other things, an existing customer relationship in which the address was obtained in connection with a sale; otherwise it is unlawful. So when a tool presents a sales representative with a list of 50 employees of the identified company and they blindly send emails, the company is committing a clear violation.
Infrastructure for illegality: Leadinfo's Autopilot is particularly critical here. The software provides the technical infrastructure and automation whose use for cold calling by email amounts to unlawful conduct, because the consent required for this mass communication is missing. In doing so, the provider is in effect encouraging its customers to act unlawfully.
The Cookie & Local Storage Chaos (TDDDG)
While SalesViewer uses cookie-free recognition technology, the competitors' default configuration is technically more aggressive.
Lack of consent with Leadfeeder and Leadinfo: In Leadfeeder's standard setup, a tracking cookie (_lfa) is set even if the user has not yet given consent via a cookie consent banner (e.g. Cookiebot). Leadinfo also uses such storage techniques by default. Instead of traditional cookies, the tool stores data in the browser's local storage. Legally, this makes no difference: Under § 25 TDDDG, storing information on the user's device and reading information already stored there (whether as a cookie or in local storage) requires consent, unless it is strictly necessary to provide the service the user has explicitly requested.
Misleading “GDPR compliance”: Leadinfo advertises its solution as “cookieless” and states that it is “100% GDPR-compliant.” However, a solution that writes to local storage without asking violates the TDDDG. The TDDDG is not the GDPR but a separate statute; the label “GDPR-compliant” is nonetheless misleading in this context.
The consequence for website operators: To use Leadfeeder and Leadinfo on a legally sound footing, their scripts must be strictly gated behind the consent banner. Since acceptance rates for marketing cookies in the B2B sector are often only 50 to 70 percent, blocking the scripts outright would mean losing a large share of recognized companies. Avoiding this requires a more complex technical setup, such as a dedicated 'consent mode' in Google Tag Manager built from custom HTML tags and specific triggers. Only with such a setup can a fallback be activated that still performs basic tracking and company recognition when the user refuses cookies (and thus also local storage). That fallback is only defensible if it neither writes to nor reads from the device, i.e. relies on server-side, IP-based recognition alone; a fallback that still touches local storage simply reproduces the § 25 problem.
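A check a practitioner should run before trusting a vendor's “cookieless” or “consent-free” claim, as an added example that is not part of the original article and not code from Leadinfo, Leadfeeder or Cookiebot: install a small audit before any vendor tag fires (in Google Tag Manager, as the first custom HTML tag) that records every cookie and localStorage write and flags those made before consent. The `_lfa` cookie name is the one from the text; the localStorage key `vendor_visitor_id`, the `_ga` cookie written after consent and the CMP cookie name `CookieConsent` are assumptions, and the fake window exists only so the script also runs offline under Node. In a browser you pass `window` instead.

```javascript
// Added example (not vendor code): record which cookies and localStorage
// keys a page writes BEFORE the visitor has consented, so a vendor's
// "cookieless" claim can be verified instead of trusted.

// Keys the consent tool itself needs. "CookieConsent" as the CMP's own
// cookie name is an assumption; adjust it to your consent banner.
const NECESSARY_KEYS = new Set(["CookieConsent"]);

// Walk the prototype chain: in a browser `document.cookie` is an accessor
// on Document.prototype, not an own property of `document`.
function findDescriptor(obj, prop) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  return undefined;
}

function installStorageAudit(win) {
  const entries = [];
  let consent = false;
  const record = (kind, key) => entries.push({ kind, key, preConsent: !consent });

  // Intercept document.cookie writes; the cookie string starts with "name=".
  const doc = win.document;
  const cookieDesc = findDescriptor(doc, "cookie");
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() { return cookieDesc.get.call(doc); },
    set(value) {
      record("cookie", String(value).split("=")[0].trim());
      cookieDesc.set.call(doc, value);
    },
  });

  // Intercept setItem where it actually lives (Storage.prototype in a
  // browser, the object itself in the fake below). "Cookieless" vendors
  // that use localStorage still end up here.
  let owner = win.localStorage;
  while (owner && !Object.prototype.hasOwnProperty.call(owner, "setItem")) {
    owner = Object.getPrototypeOf(owner);
  }
  const origSetItem = owner.setItem;
  owner.setItem = function (key, value) {
    record("localStorage", key);
    return origSetItem.call(this, key, value);
  };

  return {
    grantConsent() { consent = true; },
    entries: () => entries.slice(),
    // Writes made before consent that the CMP itself does not need:
    // these are the § 25 TDDDG findings to raise with the vendor.
    violations: () => entries.filter((e) => e.preConsent && !NECESSARY_KEYS.has(e.key)),
  };
}

// Constructed stand-in for a browser window so the audit runs under Node.
function makeFakeWindow() {
  let cookieJar = "";
  const document = {};
  Object.defineProperty(document, "cookie", {
    configurable: true,
    get: () => cookieJar,
    set: (v) => {
      const pair = String(v).split(";")[0];
      cookieJar = cookieJar ? cookieJar + "; " + pair : pair;
    },
  });
  const store = new Map();
  const localStorage = {
    setItem: (k, v) => { store.set(k, String(v)); },
    getItem: (k) => (store.has(k) ? store.get(k) : null),
  };
  return { document, localStorage };
}

// Simulated page load with constructed writes: the CMP's own cookie and two
// vendor writes before consent, then one cookie after consent is granted.
function simulate() {
  const win = makeFakeWindow();
  const audit = installStorageAudit(win);
  win.document.cookie = "CookieConsent=pending; path=/";         // the consent tool itself
  win.document.cookie = "_lfa=abc123; path=/; max-age=31536000";  // cookie name from the text
  win.localStorage.setItem("vendor_visitor_id", "v-1");          // hypothetical localStorage key
  audit.grantConsent();
  win.document.cookie = "_ga=GA1.1.1; path=/";                   // hypothetical post-consent cookie
  return audit;
}

if (typeof window === "undefined") {
  console.log(JSON.stringify(simulate().violations(), null, 2));
}
```

Run in a browser, `installStorageAudit(window)` must execute before the consent banner and the vendor tags load; everything in `violations()` after the page has settled is a write that happened without consent and that the § 25 TDDDG exception for strictly necessary storage would have to justify.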
Conclusion: Risk assessment for companies
Using software that serves up contact data on a silver platter and performs tracking in a legal grey area calls for a hard-nosed risk assessment. If sales employees are encouraged to send cold-calling emails without opt-in using the supplied contact lists, the employer bears the full risk of a cease-and-desist letter (Abmahnung). SaaS providers usually protect themselves here: Leadfeeder, for example, requires the website operator (as controller) in its contract terms to indemnify it comprehensively against damage claims and shifts the burden of proof onto the operator.
Anyone who wants to operate on a legally sound footing under data protection law is well advised to use platforms with a restrictive approach (like SalesViewer) and to research and contact the buying center manually via platforms such as LinkedIn. This may be less convenient at first, but it reduces the risk of unlawful mass mailings and, through targeted manual research, indirectly leads to more relevant communication instead of annoyed recipients and a place in the spam folder.
Check out the following articles on the topic of lead qualification: B2B website visitor recognition in an indirect sales model and Lead qualification is a marathon — not a sprint
Please note: This article is an English translation of an original text written in German for a German audience. It was prepared for informational purposes only and reflects the context, terminology, and legal framework applicable in Germany at the time of writing. Any references to laws, regulations, or legal concepts pertain specifically to German law and may not apply in other jurisdictions. This translation is provided without any guarantee of accuracy or completeness and should not be considered legal advice.