GDPR Compliance for SaaS Websites
Marketing analytics, demo tracking, and product tours — the compliance stack every SaaS needs.
SaaS marketing sites typically run a sophisticated analytics and conversion stack: Google Analytics for traffic, Hotjar or Clarity for heatmaps, HubSpot or Intercom for lead capture, and advertising pixels for retargeting. Every one of these tools sets cookies that require GDPR consent — even for B2B products.
Common Cookies & Tools Used in SaaS
Common Cookies
_ga (Google Analytics)_hjid (Hotjar)hubspotutk (HubSpot)__hstc (HubSpot)_clck (Microsoft Clarity)intercom-* (Intercom)
Common Tools
- Google Analytics
- Hotjar / Microsoft Clarity
- HubSpot / Salesforce
- Intercom / Crisp
- Google Ads
- LinkedIn Insight Tag
Key GDPR Challenges for SaaS Websites
B2B misconception — GDPR still applies
Many SaaS companies assume GDPR doesn't apply because they serve business customers. GDPR applies to any individual in the EU, whether they're visiting in a personal or professional capacity. B2B SaaS sites need consent banners.
Session recording tools
Hotjar, FullStory, and Microsoft Clarity record user sessions and generate heatmaps. They set persistent identifiers and require analytics consent. They must be blocked until users opt in.
Live chat and support tools
Intercom, Crisp, and Drift set functional cookies. While their primary purpose is communication, they still set persistent user identifiers that require consent under GDPR.
LinkedIn Insight Tag
Heavily used by B2B SaaS for account-based advertising. Sets marketing cookies (li_sugr, bcookie, lidc) that require explicit consent. Often missed because it's added by marketing teams without informing compliance.
Compliance Checklist for SaaS Websites
- Hotjar / Clarity / FullStory blocked until analytics consent given
- Intercom / Crisp / Drift gated behind functional consent
- LinkedIn Insight Tag blocked until marketing consent given
- HubSpot tracking script blocked until analytics/marketing consent
- Product demo or trial flow doesn't set non-essential cookies before account creation
- Cookie policy updated to list every SaaS tool in your stack
- Session replay tools have data anonymization enabled where possible
- New marketing tools added by marketing team are reviewed for cookie requirements
Frequently Asked Questions
Does GDPR apply to our SaaS if we only sell to businesses?
Yes. GDPR protects individuals, not organizations. If a procurement manager from an EU company visits your website, they are an EU individual and GDPR applies. The B2B nature of your product doesn't exempt you.
We use HubSpot for our marketing site — what do we need to do?
HubSpot sets several cookies including hubspotutk (13 months) and __hstc (13 months). These require consent. Configure your CMP to block HubSpot's tracking script until analytics/marketing consent is given. HubSpot's own cookie policy must also be linked in your cookie policy.
Does Intercom need consent?
Intercom's chat widget sets persistent cookies (intercom-*) to identify returning users. These are classified as functional cookies and require consent under GDPR. You can configure Intercom to only load after functional consent is granted.
Check your saas website for free
Scan your website to get a full GDPR compliance report — every cookie, whether consent is working, and a step-by-step fix list.
Scan your website free →