Cookie policy guides are overwhelmingly written for consumer websites. They focus on advertising cookies, retargeting pixels, and the complex consent requirements that come with tracking individual consumers across the web. If you’re running a B2B SaaS product, the tracking landscape looks very different, and your cookie disclosures should reflect that.
B2B SaaS companies typically operate two distinct web properties with two distinct tracking profiles: a marketing site and a product application. What you track on each, and what you need to disclose and consent to, varies significantly between the two. Getting this right means accurate disclosures without overengineering your compliance infrastructure.
Marketing Site vs. Product Application
The first step is understanding that your marketing site and your SaaS application have fundamentally different tracking profiles.
Your Marketing Site
Your marketing site is where most of your tracking lives. A typical B2B SaaS marketing site runs some combination of website analytics (Google Analytics, Plausible, Fathom), retargeting and advertising pixels (Google Ads, LinkedIn, Meta), marketing automation tracking (HubSpot, Marketo, Pardot), session recording and heatmaps (Hotjar, FullStory), and conversion tracking for paid campaigns.
Each of these tools drops cookies or uses similar tracking technologies on the visitor’s browser. Some are essential for site functionality (session cookies, load balancers). Most are not. The non-essential tracking, particularly advertising pixels and retargeting tools, is where consent requirements come into play.
Your Product Application
Your SaaS application typically has a much lighter tracking footprint. Common tracking within B2B SaaS products includes session cookies (essential for authentication and maintaining user state), product analytics (Mixpanel, Amplitude, Heap) tracking feature usage and user behavior within the app, and error monitoring (Sentry, Datadog) tracking application performance.
Most of this tracking serves functional or analytical purposes directly related to delivering the service. Session cookies are essential. Product analytics support service improvement. Error monitoring keeps the product running.
The distinction matters because the consent requirements and disclosure obligations differ based on the purpose of the tracking, not just the presence of cookies.
What Requires Consent
The consent landscape depends on which jurisdictions you serve and which regulations apply.
EU/UK (ePrivacy Directive + GDPR)
If you have EU or UK visitors on your marketing site or users in your product, the ePrivacy Directive (often called the “cookie law”) requires consent before placing non-essential cookies. This means prior, affirmative opt-in consent, not implied consent from continued browsing. Essential cookies (session management, security, load balancing) are exempt. Everything else, including analytics, advertising, and retargeting, requires consent before the cookie is set.
For your product application, if your users are accessing the service under a customer contract, the tracking that’s necessary to deliver the service (session cookies, authentication) doesn’t require separate consent. Product analytics fall into a grayer area. Strictly necessary analytics may be covered by the legitimate interest basis under GDPR, but more detailed behavioral tracking may require consent or at minimum clear disclosure.
United States
The US does not have a federal cookie consent law equivalent to the ePrivacy Directive. The CCPA/CPRA addresses tracking through the lens of “sale” and “sharing” of personal information rather than cookie consent specifically. If your marketing site uses cookies that share visitor data with third parties for advertising purposes, that may constitute “sharing” under the CCPA, triggering the “Do Not Sell or Share” opt-out requirement for California residents.
Beyond California, most US state privacy laws focus on broader data collection and sharing practices rather than cookie-specific consent. For a US-focused B2B SaaS company, accurate disclosure of your tracking practices in your privacy policy is the primary obligation. A full cookie consent management platform may or may not be necessary depending on your audience and the tracking you deploy.
The Practical Question
Whether you need a full cookie consent management platform (OneTrust, Cookiebot, CookieScript) depends on your audience. If your marketing site receives meaningful traffic from the EU/UK, you need consent management that blocks non-essential cookies until the visitor opts in. If your traffic is overwhelmingly US-based and you’re not running heavy advertising tracking, accurate disclosures in your privacy policy combined with a CCPA opt-out mechanism may be sufficient.
Evaluate this based on your actual traffic and tracking profile rather than defaulting to either extreme (no disclosures at all, or a full enterprise consent management platform for a site with minimal non-essential tracking).
Structuring Your Cookie Disclosures
Your cookie disclosures should be accurate, specific, and organized in a way that a reader can understand what tracking exists and why.
What to Include
For each cookie or tracking technology on your site and in your product, disclose the name or category of the cookie, the provider (first-party or the third-party service that sets it), the purpose (essential, analytics, advertising, functional), the duration (session or persistent, with expiration), and whether data is shared with third parties.
How to Organize It
The most readable approach is to group cookies by purpose rather than listing them alphabetically or by provider. Standard categories include: strictly necessary (session management, security, authentication), functional (user preferences, language settings), analytics and performance (website or product usage tracking), and advertising and targeting (retargeting pixels, ad conversion tracking).
For your product application, you may only have cookies in the first two categories. For your marketing site, you’ll likely have all four.
Where to Put It
Cookie disclosures can live in your privacy policy as a dedicated section, or as a separate cookie policy linked from your privacy policy. For most B2B SaaS companies, a dedicated section within the privacy policy is simpler and keeps everything in one document. A separate cookie policy makes sense if your cookie inventory is extensive or if you need to update it frequently without touching the privacy policy.
Common Mistakes
Disclosing cookies you don’t actually use. Templates often include references to advertising and social media cookies that the site doesn’t deploy. An inaccurate cookie disclosure is a compliance risk in both directions: failing to disclose cookies you use, and claiming to use cookies you don’t.
Ignoring the product application. Cookie disclosures focus on the marketing site and ignore tracking within the SaaS product itself. If your product uses analytics tools that set cookies on your users’ browsers, those need to be disclosed.
Cookie banners that don’t actually block cookies. A consent banner that appears on page load but doesn’t prevent non-essential cookies from firing until consent is given doesn’t satisfy EU/UK requirements. If you implement a consent management platform, make sure it actually controls cookie behavior, not just displays a notice.
Not updating disclosures when you change tools. Your marketing team adds a new analytics tool or ad pixel. Your cookie disclosure still lists last year’s stack. Treat changes to your tracking tools as a compliance event that requires a disclosure update.
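The two failure modes above (a banner that only displays a notice, and a disclosure that drifts away from the cookies actually set) can both be checked in code. The following is an added example, not code from the article or from any consent platform: a small consent gate that only releases tracking categories the applicable regime permits, plus a reconciliation of observed cookie names against the disclosed inventory. Tool and cookie names are constructed sample data, and the `regime` labels "opt-in" and "opt-out" are an assumption used to model the EU/UK prior-consent and CCPA opt-out cases described earlier.

```javascript
// Added example (not from the article): consent gating plus disclosure reconciliation.
// INVENTORY is constructed sample data, grouped by purpose as the article recommends.
const CATEGORIES = ["strictly-necessary", "functional", "analytics", "advertising"];

const INVENTORY = [
  { cookie: "session_id", provider: "first-party",      category: "strictly-necessary", duration: "session" },
  { cookie: "lang_pref",  provider: "first-party",      category: "functional",         duration: "1 year" },
  { cookie: "_ga",        provider: "Google Analytics", category: "analytics",          duration: "2 years" },
  { cookie: "_fbp",       provider: "Meta",             category: "advertising",        duration: "3 months" },
];

// Decide which categories may fire for this visitor.
// "opt-in" (EU/UK ePrivacy model): only strictly necessary cookies run until the
//   visitor affirmatively grants a category; a missing choice grants nothing.
// "opt-out" (CCPA-style model): everything runs unless the visitor has exercised
//   "Do Not Sell or Share", which switches off the advertising/sharing category.
function allowedCategories(regime, choice) {
  if (regime === "opt-in") {
    const granted = new Set(choice && choice.granted ? choice.granted : []);
    return CATEGORIES.filter(c => c === "strictly-necessary" || granted.has(c));
  }
  if (regime === "opt-out") {
    const refused = Boolean(choice && choice.doNotSellOrShare);
    return CATEGORIES.filter(c => !(refused && c === "advertising"));
  }
  throw new Error(`unknown regime: ${regime}`);
}

// Cookies that may be set right now. Anything not returned here must stay blocked,
// which is the behaviour a banner must enforce rather than merely announce.
function cookiesPermitted(regime, choice, inventory = INVENTORY) {
  const allowed = new Set(allowedCategories(regime, choice));
  return inventory.filter(t => allowed.has(t.category)).map(t => t.cookie);
}

// Compare cookie names actually observed in a browser session (e.g. from a crawl
// or document.cookie) against the disclosed inventory. Both directions matter:
// an undisclosed cookie and a disclosed-but-unused cookie are each inaccuracies.
function reconcile(observedCookieNames, inventory = INVENTORY) {
  const disclosed = new Set(inventory.map(t => t.cookie));
  const observed = new Set(observedCookieNames);
  return {
    undisclosed: [...observed].filter(n => !disclosed.has(n)).sort(),
    unused: [...disclosed].filter(n => !observed.has(n)).sort(),
  };
}

// Constructed observation: a session-recording cookie (_hjid) appeared after the
// marketing team added a new tool, and the disclosed _fbp pixel is no longer set.
console.log(reconcile(["session_id", "_ga", "_hjid"]));
```

Running `reconcile` against a real cookie capture after every tooling change turns the "disclosure update" compliance event into a check that can fail a deployment.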
The B2B Advantage
B2B SaaS companies generally have a simpler cookie compliance profile than consumer-facing businesses. Your product application uses primarily essential and functional cookies. Your marketing site may use analytics and some advertising tracking, but you’re not running the kind of pervasive cross-site tracking that consumer ad-tech companies deploy. Your users are business professionals accessing a service under a commercial contract, not individual consumers being tracked across the web.
This means your cookie disclosures can be straightforward, your consent mechanisms (if needed) can be proportionate to your actual tracking, and your compliance burden is manageable. The key is accuracy. Disclose what you actually track, not what a template assumes you track.
No Boiler provides self-service legal document generation and educational content. This material and our service are not a substitute for legal advice. Please have a qualified attorney review any documents before relying on them. No Boiler is not a law firm, and communications with us do not create an attorney-client relationship or carry any expectation of confidentiality. Use of our platform and content is governed by our Terms of Service and Privacy Policy.