What is a Customer Journey Map and why is transparency important for marketing?

A Customer Journey Map (CJM) is the digital experience a user gets when interacting with a product. A customer journey map might include the following interaction stages:

  • seeing an ad for the first time;
  • visiting the website for the first time and seeing the first cookie banner;
  • first registration;
  • providing consent;
  • privacy FAQ;
  • communicating with support;
  • seeing a customized ad;
  • getting information about himself or herself;
  • deleting information about himself or herself.

At each stage a user provides his or her personal data, and the processing of that data is subject to privacy law, namely the GDPR. The better a company understands its customers' privacy needs and can exceed them, the easier it is to promote goods and services.

What are the GDPR requirements with regard to the CJM?

  1. Seeing an ad for the first time

In general, advertising is allowed under the GDPR. However, if personal data is being processed for advertising (for example, promotional messages are being sent to specific e-mail addresses), then the GDPR requires a legal basis for such processing.

The GDPR provides 6 legal bases in total for the processing of personal data, but in practice freely given, specific, informed and unambiguous consent is the most commonly used one. It should be noted that customized advertising carried out without prior consent might be considered a violation of the GDPR.


  2. Visiting the website for the first time and the first cookie banner

When a user first visits the website, automatic processing of certain user data (such as the IP address or the type of device from which the user accesses the website) begins. Such processing is carried out by cookies.

The GDPR requires consent to be obtained for the processing of cookies. Consent is usually given by clicking on the so-called cookie banner, which informs users about the ways cookies are used on the website.

First of all, a cookie banner should be easily understandable for the user and should not distract from the content on the website. Alongside the above provisions, there are a few tips that can be used to create a GDPR-compliant cookie banner, such as including:

  • highlighted headers in the cookie banner;
  • a description of the purposes for using cookies in the cookie banner;
  • more detailed information on the cookies policy at the request of the user (for example, by including a link that refers to a separate website page);
  • information on controllers that process user data through cookies;
  • permanent access to the cookie banner (for example, through a separate icon on the website, as at https://ico.org.uk).


  3. First registration and providing consent

During registration on the website, a user shall agree to the privacy policy, which describes how personal data is processed. In general, this consent might be expressed by checking a box or in other ways that make it possible to establish the voluntary, active consent of the user.

Besides providing a way to consent, it is also necessary to provide a link to the privacy policy itself in order for a user to be able to read its provisions.

If a user clearly understands what types of personal data are being processed and how, he or she might actually voluntarily share more information on the website. More information makes it possible to provide more accurate customized advertising and ultimately to get more sales through promotion.


  4. Frequently Asked Questions (FAQ)

The GDPR does not require a FAQ on the website, yet such a page would provide users with simple and understandable answers about the privacy policy.

A FAQ might contain answers to questions such as who processes personal data and for what purposes, what data is being processed, how a user can delete his or her personal data, etc.


  5. Privacy support service

As with the FAQ, having a privacy support service is not a mandatory requirement under the GDPR.

At the same time, privacy specialists could help users solve any problems, clarify the FAQ, privacy policy or cookie policy (if needed), or erase personal data from the website.


  6. Getting information about himself or herself

According to Article 15 of the GDPR, a user has the right to obtain confirmation as to whether or not personal data concerning him or her is being processed, and access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data, or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

A user shall be able to obtain information about himself or herself in one way or another, such as by using a separate form on the website or a support service.


  7. Deleting information about himself or herself

Besides the right of access to personal data, a user also has the right to request deletion of personal data. According to Article 17 of the GDPR, a user shall have the personal data concerning him or her erased without undue delay where one of the following grounds applies:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the user withdraws consent on which the processing is based, and where there is no other legal ground for the processing (such as legal interest);
  • the user objects to the processing of the personal data and there are no overriding legitimate grounds for the processing;
  • the personal data has been unlawfully processed;
  • the personal data has to be erased for compliance with a legal obligation under European Union or member state law;
  • the personal data has been collected in relation to the offer of information society services.

A user shall be able to delete information about himself or herself in one way or another, such as by using a separate form on the website or a support service.


What are the conclusions?

A transparent policy at all stages of interaction with the user on the customer journey map – from the first visit to the website to the deletion of personal data – is a necessary precondition for the successful promotion of goods and services.

In order to be competitive in the market it is important not only to comply with the GDPR requirements (such as obtaining consent before processing personal data), but also to exceed the customers' expectations (e.g. by creating a FAQ or a support service).


