TL;DR
Yes. If your B2B website sets non-strictly-necessary cookies on EU visitors, you need a cookie consent banner. The ePrivacy Directive Article 5(3) applies to natural persons (individual website visitors), not to companies. Even if you only sell to businesses, your individual visitors are natural persons. Analytics, marketing, and personalisation cookies all require prior consent. Only a narrow set of session-essential cookies are exempt.
Do I Need a Cookie Banner for a B2B Website?
Yes, if your website sets non-strictly-necessary cookies on EU visitors. The ePrivacy Directive's consent requirement applies to the terminal equipment of natural persons, not to companies. Your B2B buyers are individual employees. When they visit your website, they are natural persons and the ePrivacy Directive applies. The B2B nature of your commercial relationship is not relevant to the cookie consent question.
The legal basis: ePrivacy Directive Article 5(3)
The cookie consent requirement comes from the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC), not from GDPR. Article 5(3) states: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC."
"Subscriber or user" means any natural person using an electronic communications service. It does not mean "consumer" as defined in consumer protection law. It does not mean "B2C customer." It means any individual accessing a website. A procurement manager at a company visiting your pricing page is a user under Article 5(3). The exemption in Article 5(3) applies only to cookies "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."
The misconception: GDPR's B2B treatment does not extend to ePrivacy
GDPR does not apply to legal persons. If you process data about a company (company name, company address, company registration number), GDPR does not apply. Some B2B companies extend this logic to conclude that their website analytics are exempt from consent requirements because their target audience is companies, not consumers. This reasoning is incorrect.
The ePrivacy Directive's scope is not the same as GDPR's scope. ePrivacy applies to natural persons using electronic communications services. When a buyer at a company visits your website, they are a natural person using an electronic communications service (the internet). Their employer's legal status is irrelevant. The cookies set on their device during that visit require consent regardless of whether you classify the visit as "B2B traffic."
The EDPB has confirmed this position. The European Commission's review of the ePrivacy Regulation (the proposed replacement for the ePrivacy Directive) has been ongoing for several years but has not yet produced a final text. Until the Regulation replaces the Directive, the current rule applies: prior consent for all non-strictly-necessary cookies, for all website visitors, regardless of commercial context.
What counts as strictly necessary
The strictly necessary exemption is narrow. The EDPB's guidelines on the use of cookies (Opinion 04/2012 and subsequent guidance) identify the following categories as potentially strictly necessary:
- User input cookies: Session cookies that track user input, such as items added to a shopping cart or form field data carried across pages in a multi-step process.
- Authentication cookies: Cookies used to authenticate a logged-in user for the duration of a session.
- Security cookies: Cookies used for fraud detection or preventing CSRF attacks.
- Load balancing cookies: Session cookies used by load balancers that do not persist across sessions and do not identify individual users.
- Cookie consent cookies: A cookie that stores the user's cookie consent preference is necessary to honour that preference on subsequent visits.
The following categories are not strictly necessary regardless of their business importance to you:
- Analytics cookies (Google Analytics, Mixpanel, Heap, Amplitude, Hotjar, Clarity)
- Marketing and retargeting cookies (Google Ads, LinkedIn Insight Tag, Meta Pixel)
- A/B testing cookies (Optimizely, VWO)
- Personalisation cookies (content or pricing adjusted based on previous visits)
- Live chat and customer support cookies (Intercom, Drift, HubSpot chat widget)
- Video embed cookies (YouTube and Vimeo embeds in third-party mode still set cookies in some configurations)
What the cookie banner must do
The EDPB has published guidelines on consent (05/2020) that set out the requirements for valid cookie consent:
- Freely given: Access to the website must not be made conditional on accepting cookies. Withholding access to the website entirely for non-consent is only justified in limited circumstances where cookies are genuinely required for the service.
- Specific: Consent must be given separately for different purposes. A single "accept all" button covering analytics and advertising is valid if "reject all" is equally prominent and easy. Bundling all categories without separate controls is not acceptable.
- Informed: The user must be told what cookies are set, by whom, and for what purpose, before consenting.
- Unambiguous affirmative action: Pre-ticked boxes, implied consent, and continued browsing do not constitute valid consent. The user must actively indicate agreement.
- Withdrawable: It must be as easy to withdraw consent as to give it. A link to cookie settings in the footer satisfies withdrawal; there is no requirement for a permanent banner.
- Refuse option as prominent as accept: The reject option must not require more clicks than the accept option. Most DPAs interpret this to require "Accept All" and "Reject All" at the same level of prominence on the first layer of the banner.
Practical implications for a typical B2B SaaS marketing site
A B2B SaaS marketing website with a standard technology stack typically loads: Google Analytics (analytics), Google Tag Manager (which may load further tags), LinkedIn Insight Tag (marketing), HubSpot or Intercom (CRM/chat), and possibly Google Ads conversion tracking. Every one of these requires consent before loading.
The practical implementation:
- Block all non-strictly-necessary tags from loading until consent is given. Use a Consent Management Platform (CMP) or configure Google Tag Manager's consent integration to enforce this.
- Implement Google Consent Mode v2 in default-deny mode. See "Can I use Google Analytics in the EU in 2026?" for the setup.
- Present Accept All and Reject All with equal prominence on the first banner layer.
- Allow users to withdraw consent from the footer or a persistent cookie settings link.
- Store consent records with timestamp and version of consent text.
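One way to wire these steps together, as an added example that is not code from the original article or from any CMP: tags stay blocked until an explicit choice, Consent Mode v2 starts in default-deny, and each choice is stored with a timestamp and consent-text version. `createConsentGate`, its `loaders` and `store` options, and `CONSENT_TEXT_VERSION` are hypothetical names; the four consent keys are the Consent Mode v2 signals.

```javascript
// Added example. CONSENT_TEXT_VERSION is a constructed placeholder value.
const CONSENT_TEXT_VERSION = "banner-text-v1";

// createConsentGate and its options are hypothetical names for this sketch:
//   gtag    - the site's gtag() function (Consent Mode v2 signals)
//   loaders - { analytics: fn, marketing: fn } that inject the real tags
//   store   - persists the consent record (e.g. POST to your backend)
function createConsentGate({ gtag, loaders, store, now = () => new Date() }) {
  const loaded = new Set();

  // Default-deny: must run before any Google tag is initialised.
  gtag("consent", "default", {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
  });

  function apply(choice) {
    // Only an explicit `true` counts; missing or non-boolean values are a refusal.
    const analytics = choice.analytics === true;
    const marketing = choice.marketing === true;
    const ads = marketing ? "granted" : "denied";
    gtag("consent", "update", {
      ad_storage: ads,
      ad_user_data: ads,
      ad_personalization: ads,
      analytics_storage: analytics ? "granted" : "denied",
    });
    const record = {
      timestamp: now().toISOString(),
      textVersion: CONSENT_TEXT_VERSION,
      analytics,
      marketing,
    };
    store(record);
    // Tags are injected only after consent, and only once per purpose.
    for (const [purpose, load] of Object.entries(loaders)) {
      if (record[purpose] && !loaded.has(purpose)) {
        loaded.add(purpose);
        load();
      }
    }
    return record;
  }

  return {
    acceptAll: () => apply({ analytics: true, marketing: true }),
    rejectAll: () => apply({}), // same single call as acceptAll
    save: apply, // granular choices; also used for withdrawal
  };
}
```

Wire the footer cookie settings link to `save` so that withdrawing consent is a single action as well.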
The enforcement picture
Cookie consent enforcement has been active across multiple EU DPAs since 2021. The French CNIL has issued several large fines for cookie consent failures, including against Google (90 million euros), Facebook (60 million euros), and Microsoft (60 million euros). The Spanish AEPD, Italian Garante, and Belgian APD have issued decisions and fines for cookie consent failures from organisations of all sizes.
The enforcement pattern does not distinguish between B2B and B2C websites. The common thread in enforcement cases is: analytics or advertising cookies loading without consent, pre-ticked consent boxes, rejection being harder than acceptance, or cookie consent banners that do not actually prevent the scripts from loading.
For a complete GDPR compliance review, see the GDPR compliance checklist.
FAQ
Does GDPR apply to B2B websites that only sell to companies, not consumers?
GDPR applies to personal data of natural persons. Your website visitors are individuals even in B2B contexts. IP addresses and cookie identifiers of individual visitors constitute personal data. The business nature of your sales does not exempt you from GDPR or the ePrivacy Directive.
Are Google Analytics cookies strictly necessary?
No. Google Analytics cookies are analytics cookies that require prior consent. Using them requires a consent mechanism regardless of how you categorise their importance to your business.
What is a strictly necessary cookie?
Strictly necessary cookies are those required for the basic functioning of the website: session cookies maintaining a logged-in state, shopping cart cookies, load balancing cookies, and cookies storing consent preferences. Analytics, advertising, personalisation, and A/B testing cookies are not strictly necessary.
Does a cookie banner need a Reject All button?
Yes, under EDPB guidance and most EU DPA enforcement positions. Consent must be as easy to refuse as to give. A banner where accepting requires one click but rejecting requires navigating settings does not meet this standard.