What Is a Customer Journey Map and Why Is a Transparent Privacy Policy Important for Marketing?
A Customer Journey Map or CJM is a visualization of a user’s interaction with a brand, its product, or service. A customer journey map may include the following main stages of interaction:
- first advertisement display;
- first “click” on the website and the first cookie banner;
- registration and granting permission to process information;
- obtaining information on frequently asked questions in the field of privacy (FAQ);
- contact with the support service;
- viewing customized advertising;
- the user receiving information about themselves;
- deletion of information about the user.
At each stage the user provides their personal data, and its receipt and processing are subject to the requirements of privacy legislation, in particular the GDPR. The better a company understands the privacy needs of its clients and can exceed them, the easier it is to promote its goods or services.
What Are the GDPR Requirements for the Main Stages of Interaction on the Customer Journey Map?
First Advertisement Display
In general, advertising as such is not prohibited by the GDPR. However, if personal data is processed for advertising purposes (for example, email addresses are used to send advertising emails), the GDPR requires a legal basis for such processing.
The GDPR contains 6 legal bases for the processing of personal data in total, but in practice the most commonly applied one is the personal voluntary consent of the user. Therefore, without consent, the display of personalized advertising may be considered a violation of GDPR requirements.
First “Click” on the Website and the Cookie Banner
Automatic processing of user data such as the IP address, device type (phone, laptop), operating system, and so on begins on the very first visit to a website. Such data transmission is carried out using cookies.
The GDPR requires obtaining consent to the processing of cookie data, which is generally provided by clicking on the so-called cookie banner, which informs users about how cookie files are used on the website.
First of all, the cookie banner must be understandable to the user and must not distract from the website content. In addition, a number of tips can be applied when creating a cookie banner that complies with GDPR requirements. Such a banner provides for:
- the presence of highlighted headings in the cookie banner;
- a description of the purposes of cookie use in the cookie banner;
- the possibility of obtaining more detailed information about the cookie policy at the user’s request (for example, by means of a link to a separate page of the website);
- information about the controllers that process user data using cookie files;
- the possibility of accessing the cookie banner on a permanent basis (for example, through a separate icon on the website, as at https://ico.org.uk).

Registration on the Website and Granting Permission to Process Information
During registration on a website, the user must agree to the privacy policy regarding the processing of information about themselves. As a rule, such consent must be expressed by clicking on an icon confirming consent, or by any other means that makes it possible to establish the user’s voluntary active consent with certainty.
At the same time, when providing an icon for consent or using any other method, it is also necessary to provide a link to the privacy policy itself, so that the user can familiarize themselves with its provisions in detail.
If the user understands from a transparent website policy what personal data they are consenting to have processed and how they can control access to it, they may share a greater amount of information. Such information will provide the ability to develop more accurate personalized advertising and ultimately achieve a greater number of sales.
Answers to Frequently Asked Questions on Privacy (FAQ)
Developing answers to frequently asked questions (FAQ) is not one of the requirements of the GDPR, but it does provide users with the ability to obtain simple and understandable information about the website’s privacy policy.
Such an FAQ may contain answers to questions about who processes personal data, what data is processed, how one can delete their personal data, or obtain information about oneself.
Privacy Support Service
Like the FAQ, the existence of a privacy support service is not a mandatory requirement of the GDPR.
At the same time, specialists can assist in resolving any user questions, including clarifying the terms of the FAQ, the privacy policy, or the cookie policy, or helping users to change or delete personal information about themselves.
Receiving Information About Oneself
Pursuant to Article 15 of the GDPR, a user has the right to know whether their personal data is being processed, as well as to access it and information that includes:
- the purpose(s) of personal data processing;
- the categories of personal data concerned;
- the recipients to whom personal data have been or will be disclosed (including in third countries or international organizations);
- the period for which the personal data is envisaged to be stored (if this is not possible — the criteria for determining such a period);
- the right to submit a request for rectification or erasure of personal data, or restriction of or objection to its processing;
- the right to lodge a complaint with a supervisory authority in the event of a violation of GDPR requirements regarding the processing of personal data;
- any information regarding the sources of personal data, if personal data is not obtained from the data subject (for example, if personal data is obtained from other resources such as Twitter or Facebook);
- the existence of automated decision-making, including profiling, and meaningful information about the logic, significance, and envisaged consequences of such processing for the data subject.
The user must have the ability to obtain information about themselves, which can be implemented through a separate form on the website or through the support service.
Deletion of Information About the User
In addition to the right to receive information about oneself, the GDPR also provides in Article 17 for the right to be forgotten (the right to deletion of one’s personal data).
The user has such a right to deletion in several cases, in particular if:
- there is no longer a need for the personal data for the purposes for which it was collected or otherwise processed;
- the user withdraws their consent to the processing of personal data in the absence of another legal basis for their processing (for example, legitimate interest);
- the user objects to the processing and there are no overriding legitimate grounds for processing;
- the personal data has been processed unlawfully;
- the personal data must be erased for compliance with a legal obligation established in the legislation of the European Union or a member state applicable to the controller (in the context of the user and the website, the controller is the website);
- the personal data was collected in connection with the offer of information society services.
Like the right to receive information about oneself, the right to deletion of personal data can be exercised through a separate form on the website or through the support service.
What Are the Conclusions?
A transparent policy at all stages of interaction with the user and touchpoints on the customer journey map — from the first visit to the website to the correction or deletion of information about oneself — is a necessary prerequisite for the successful promotion of goods and services.
In order to be competitive in the market, it is now important not only to comply with GDPR requirements (which, for example, concern obtaining the right to process information or delete it), but also to exceed users’ needs (by creating an FAQ or a support service).