The most important legal distinction for anyone using visitor intelligence is the difference between company-level data (identifying that Acme Corp visited your site) and personal-level data (identifying that Jane Smith at Acme Corp visited). The regulatory treatment of these two categories is fundamentally different.
When Kopimore identifies that "TechCorp Inc, a 200-person B2B software company in Austin, TX" visited your pricing page, this is firmographic data about a legal entity — not personal data about an individual. Under GDPR, personal data is information relating to an identified or identifiable natural person. A company is not a natural person.
This means: company name, domain, industry, employee count, company location, and company technology stack are generally not personal data under GDPR or CCPA.
Personal data starts when identification reaches the individual level: an individual's name, their work email address, their IP address if linkable to them personally, and their specific browsing behavior if associated with them individually.
Important nuance: an IP address can be personal data under GDPR if it can be reasonably linked to an identifiable individual. However, IP addresses used purely for company-level identification (mapping an IP to a company's network block) are generally treated differently than IPs retained and linked to individual user behavior.
When you use enrichment to append individual contact information (John Smith, VP Sales, john.smith@techcorp.com) to a company record, you've entered the realm of personal data. This is where GDPR legitimate interests assessment, CCPA data categories, and direct marketing regulations become directly relevant.