Is Website Visitor Identification Legal? How to Stay Compliant


Website visitor identification provides businesses with invaluable data on their website traffic. Marketers can use this data to understand their audiences and personalize their campaigns. This is critical because customers value personalization more than ever.

But it’s essential to understand the legal and ethical considerations involved. This article will explore how these issues affect B2B and B2C businesses pursuing customers in the United States.


We’ll share the information as we understand it, but the author of this blog post is not an attorney. This post should be used for general informational purposes only. It is not legal advice and is not a substitute for the advice of a professional legal practitioner.

Consumer Preferences and Website Visitor Identification

One of the biggest benefits of visitor identification is its impact on marketing personalization. It provides data that facilitate more personalized experiences.

This is important for your business because it’s important to your customers. Over 40% of consumers are willing to change brands based on personalization.

Most consumers of every generation except the Baby Boomer generation like personalized ads. That includes 57% of Millennials and 81% of Generation Z.

Personalization and Consumer Trust

Personalization offers many benefits. And consumers are more likely to share their data for personalized ads if they trust the company. So it’s crucial to handle consumer data responsibly to maintain that trust.

Allowing easy data deletion is one of the top ways for brands to improve trust in how they handle data. Good visitor identification software provides a way to add a suppression audience. That way, you can avoid re-collecting data you’ve deleted.

The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act is the primary concern for US-based marketing. Some states have their own laws. But you can usually satisfy their requirements by updating your privacy policy.

International regulations such as the General Data Protection Regulation (GDPR) and Canada’s Anti-Spam Legislation (CASL) are only relevant if you’re collecting data on citizens of those countries.

Federal Legislation

CAN-SPAM sets the rules and requirements for commercial email in the US. The Federal Trade Commission (FTC) enforces these requirements. Non-compliance can lead to fines and other penalties.

According to CAN-SPAM, any email that advertises or promotes a product or service is commercial. That includes emails sent to email addresses collected through visitor identification.

But the CAN-SPAM Act does not make unsolicited commercial emails illegal. Businesses can send commercial email messages to anyone, even if they haven’t opted in, as long as they comply with the rules.

This includes:

  • providing an easy way for recipients to opt out
  • honoring all opt-out requests
  • including a mailing address

See our CAN-SPAM Compliance Checklist for more details.

State Legislation

There are also state laws to consider, such as the California Consumer Privacy Act of 2018 (CCPA). But you can usually meet the requirements of all state legislation at once in your privacy policy.

For example, CCPA requires:

  • Letting visitors know what data you collect and how you will use it
  • Allowing visitors to delete their data
  • Allowing visitors to opt out of the sharing or sale of their data
  • Not discriminating against visitors who exercise their rights under CCPA

Some visitor identification software providers offer geofiltering capabilities. You can exclude states if they’re not in your target market. Then you don’t have to worry about the state’s regulations.

International Legislation

While the GDPR is a European Union regulation, it has global implications. The GDPR sets the rules that everyone must follow when handling the data of EU citizens. See our GDPR Compliance Checklist for more information.

The GDPR requires companies to implement safeguards to protect the personal data they handle. This includes:

  • obtaining consent
  • ensuring data portability
  • potentially appointing a Data Protection Officer

For email marketing, the GDPR requires “freely given, specific, informed and unambiguous” consent. This means businesses must clearly explain how they will use the person’s data and document that the person gave consent.

But laws like GDPR and CASL will only apply when you’re marketing to citizens of those countries. If you choose website visitor identification software that doesn’t collect data on those citizens, the laws will not apply.

Is Website Visitor Identification Compliant with Relevant Data Sharing and Privacy Laws?

The answer to this question depends on the visitor identification company you choose. How does it collect and manage the data you receive?

If you use a provider like LeadPost, the data you receive complies with existing laws because:

  • The data is not shared with third parties. It’s for your use only.
  • The data is only collected from US-based website visitors. International privacy laws such as the GDPR and CASL are not applicable.
  • In the US, states are beginning to enact state-level privacy laws. To comply, you may need to update your privacy policies. (See LeadPost’s Terms of Service for guidance.)
  • There are no laws in the US that restrict how you collect mailing addresses for direct mail.
  • In the US, businesses can send emails to anyone as long as they follow certain rules. (See our CAN-SPAM Compliance Checklist for more information.)