GDPR and Cookies in B2B
This article summarizes my research on GDPR compliance and cookie policies. It does not replace legal counsel or current legislation but aims to provide an overview of legal obligations.
B2B websites are subject to the same GDPR and cookie rules as B2C websites, with a slightly more flexible provision for email prospecting (legitimate interest may apply), but not for trackers or user information requirements.
GDPR (EU 2016/679): governs all processing of personal data, including identifiable professional data (firstname.lastname@company email, work mobile, IP, etc.).
ePrivacy Directive + Article 82 of the French Data Protection Act (Loi Informatique & Libertes): governs cookies/trackers on devices (opt-in required except for technical exemptions).
Article L34-5 CPCE (French Postal and Electronic Communications Code): electronic prospecting rules (email, SMS) with a B2B/B2C distinction, but the same information + right-of-opposition logic applies in B2B.
For a B2B showcase site, blog, or SaaS, you must ensure proper information, legal basis, and rights.
Identity of the data controller (company, contact details, DPO if applicable).
Purposes (B2B prospecting, account management, support...), legal basis (often legitimate interest for B2B prospecting, contract for a trial, consent for newsletters).
Retention periods, recipients (CRM, email router, hosting provider), transfers outside the EU, rights (access, rectification, opposition, erasure, complaint to the supervisory authority, etc.).
Mandatory business site notices: full legal notices (publisher, hosting provider, registration number, contact).
Record of processing activities including at a minimum: B2B prospecting, client management, analytics, support.
Example template: https://www.cnil.fr/sites/cnil/files/atoms/files/registre-traitement-simplifie.ods
As the data controller, Reboot Conseil is responsible for the record; in practice this means the management, and possibly the DPO or GDPR officer if one is designated.
The data controller (here Reboot Conseil, Lamalo, Madeline) must maintain a record of processing activities for all the data it processes: B2B prospecting, client/participant management, analytics, advertising, etc.
This obligation comes directly from Article 30 of the GDPR: "Each controller [...] shall maintain a record of processing activities under its responsibility."
The CNIL (French Data Protection Authority) states that the record may be maintained by the data controller itself or by a designated person internally (legal, IT, CISO, GDPR officer, etc.).
When a DPO exists (internal or external), they usually oversee the maintenance and updating of the record, but ultimate responsibility remains with the data controller (the company).
In a structure like Reboot Conseil, if you do not have a formal DPO, it would typically be:
the CEO,
or a designated "GDPR officer"
Contracts / DPAs with subcontractors (CRM, email router, CMP, analytics, chat, etc.) to govern data processing.
In B2B, you can rely heavily on legitimate interest, but forms need to be properly set up.
CNIL principle: clear information and a simple right of opposition are sufficient if the solicitation relates to the person's professional role (e.g., HR software marketed to HR directors).
You can therefore process on the basis of legitimate interest (Art. 6.1.f GDPR) if you document a balancing test and limit commercial pressure.
Newsletter / purely marketing content not linked to an existing relationship.
Grey areas (fine-grained marketing profiling, partnerships, email retargeting combined with cookies). Consent must be freely given, specific, informed, and unambiguous, and given via a positive action (a box that is not pre-ticked, an explicit button).
Complete GDPR notice under each form (contact, demo, whitepaper download...).
Separate opt-in checkbox for marketing communications if you choose "consent" as your legal basis.
Proof of consent or information (logs: date/time, source, consent text, IP or ID).
Reboot Conseil processes your data to respond to your request (contact, information, demo, registration) and to send you, where applicable, information about our offers and content related to your professional role. Legal basis: legitimate interest of Reboot Conseil in developing its B2B business relationships, while respecting your rights. You can object at any time to our emails by clicking the unsubscribe link or by writing to contactgdpr@reboot-conseil.com. To learn more about your rights and our commitments, see our privacy policy.
When it comes to cookies, there is no lighter regime for B2B: the ePrivacy logic is the same.
Strictly necessary cookies: cart, login, language, security, privacy preferences, very limited "strictly necessary" audience measurement.
Non-exempt analytics (standard GA4, Hotjar, session recording tools).
Advertising cookies, retargeting, programmatic.
Social media trackers (LinkedIn pixels, Meta, X), embedded widgets, etc.
Clear information about purposes (measurement, personalization, advertising, social media...).
Refusing must be as easy as accepting (no ultra-visible "Accept all" vs. hidden "Continue without accepting").
No non-essential cookies deposited BEFORE the user's choice.
Ability to change preferences (e.g., a "Manage my cookies" link in the footer).
Detail cookie categories, purposes, lifespan, third parties involved, legal basis (consent/legitimate interest), and how to exercise rights.
Make the connection between marketing cookies and prospecting (e.g., retargeting based on site visits).
For a "typical" B2B website (showcase + blog + forms + LinkedIn Ads / Google Ads + CRM / automation):
Up-to-date legal notices (publisher, hosting provider, registration number, contact).
Structured privacy policy (B2B prospecting, CRM, analytics, partners, transfers outside the EU).
Cookie policy or dedicated section, linked to the banner.
Clear GDPR notices for each purpose (simple contact, demo, whitepaper download, webinar registration).
Clear choice between legitimate interest (B2B prospecting related to the person's role) or explicit consent (newsletter, content not directly related).
Proof of information/consent in your tools (CRM, ActiveCampaign, etc.).
Systematic unsubscribe link, simple right-of-opposition management.
Map all scripts present: analytics, chat, A/B testing, ad pixels, etc.
Reliable CMP (Axeptio, Didomi, OneTrust...) configured to block non-essential trackers by default until consent is given.
"Manage my cookies" link in the footer allowing users to change their consent at any time.
Documented processing record for B2B prospecting, CRM, analytics.
Balancing test analysis for legitimate interest in B2B prospecting (professional context, reasonable frequency, relevant targeting).
Internal process for handling GDPR requests (access, opposition, deletion).
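The three cookie rules above (no non-essential tracker before the user's choice, refusing as easy as accepting, proof of each choice with date, source and consent text) can be enforced in a few lines of client-side code. The gate below is an added example written for this article, not code from the article or from any CMP vendor; the category names, the storage key and the consent text version are assumptions.

```javascript
// Added example (assumptions: category names, "consent" storage key, text version).
// Storage is injected so the same code runs in Node (memoryStorage below) and in a
// browser (pass window.localStorage). Nothing in a gated category runs until the
// stored choice for that category is explicitly true.
const CONSENT_TEXT_VERSION = "cookie-banner-v1"; // version of the banner wording shown
const CATEGORIES = ["analytics", "advertising", "social"]; // non-essential categories

function createConsentGate(storage, now = () => new Date()) {
  const pending = new Map(); // category -> loaders waiting for consent
  const log = [];            // proof-of-consent records (date/time, source, text, choices)

  function current() {
    const raw = storage.getItem("consent");
    return raw ? JSON.parse(raw) : null; // null means no choice has been made yet
  }

  function record(choices, source) {
    const entry = { at: now().toISOString(), source, textVersion: CONSENT_TEXT_VERSION, choices };
    storage.setItem("consent", JSON.stringify(entry));
    log.push(entry); // in production, also send this record to the server-side consent log
    // Release only the loaders whose category is now consented to; the rest keep waiting,
    // so a later change of mind via the "Manage my cookies" link still loads them.
    for (const [cat, loaders] of pending) {
      if (choices[cat] === true) { loaders.forEach((fn) => fn()); pending.delete(cat); }
    }
    return entry;
  }

  return {
    // Register a tracker loader; it runs immediately only if consent is already stored.
    when(category, loader) {
      const c = current();
      if (c && c.choices[category] === true) return loader();
      if (!pending.has(category)) pending.set(category, []);
      pending.get(category).push(loader);
    },
    // Accepting and refusing are symmetrical single calls, as the CNIL requires.
    accept: (categories, source) =>
      record(Object.fromEntries(CATEGORIES.map((c) => [c, categories.includes(c)])), source),
    rejectAll: (source) => record(Object.fromEntries(CATEGORIES.map((c) => [c, false])), source),
    hasChoice: () => current() !== null,
    proofLog: () => log.slice(),
  };
}

// In-memory stand-in for localStorage (constructed for this example).
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

Wrap each third-party script (GA4, LinkedIn pixel, chat widget) in `gate.when("<category>", loader)` instead of loading it directly, and wire the banner buttons to `accept` and `rejectAll` with the source recorded.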
The affected websites are Madeline, Reboot Conseil, Reboost Academy, and RebootIA.
The tool is CookieYes. The people with access to the tool are: Anael, developer, and Valerie. The privacy policy should be updated and the cookie management modules should be regularly checked for proper functioning.
All the information for using CookieYes properly is available here.
The GDPR provides for two levels of administrative fines: up to 10 million euros or 2% of annual worldwide turnover for certain violations (documentation, security, etc.).
For the most serious violations (legal bases, consent, respect for rights, transfers...), the fine can reach up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.
In practice, a small organization will not immediately face these maximum amounts, but the CNIL still considers turnover, severity, and repetition of violations when calibrating the penalty.
Non-compliance with cookie rules (absence of a compliant banner, cookies set before consent, refusal being harder than acceptance...) falls under Article 82 of the French Data Protection Act.
Recent example: NS Cards France was fined 15,000 euros solely for cookie violations (Google Analytics and reCAPTCHA without consent), in addition to 90,000 euros for other GDPR violations.
For larger organizations, amounts go much higher: the CNIL has imposed fines of several hundred million euros for non-compliance with cookie rules and the French Data Protection Act.
So a landing page like yours, if it sets non-essential cookies without consent, exposes the publisher to a dedicated penalty on that front.
Sending marketing emails to individuals without prior consent is prohibited by Article L34-5 of the French Postal and Electronic Communications Code, in addition to the GDPR (legal basis and information).
Example: the company Nestor was fined 20,000 euros for sending over 650,000 prospecting emails without consent and for failing to meet information obligations.
The CNIL can combine violations: consent failure, incomplete information in forms, excessive retention periods, insufficient security, etc., which increases the overall amount.
Public formal notice or published decision on the CNIL website and sometimes on Legifrance, with reputational impact (sanction publicized for several years).
Obligation to achieve compliance within a deadline, with potential daily financial penalties for non-compliance.
This information is the result of my research; however, the authoritative body to consult is the CNIL for France.
Valérie orchestrates Reboot Conseil's marketing strategy with over 5 years of experience in B2B digital marketing for tech. SEO, content marketing, automation, analytics: visibility turns into qualified leads and multichannel campaigns become a real growth lever.