Customer.io

Overview

Customer.io is a behavioral messaging platform that enables product and growth teams to send automated email, push notifications, SMS, and in-app messages triggered by real-time user behavior. Unlike traditional email service providers, Customer.io's core value is behavioral precision: messages fire within seconds of a triggering action, personalized using live attributes from the user's profile. The platform is particularly popular with SaaS companies, mobile apps, and consumer subscription products for onboarding flows, trial conversion sequences, lifecycle campaigns, and transactional notifications.

What This Script Does

CustomerIO JavaScript snippet loads the tracking SDK, typically via a small async loader hosted on the site or delivered through a tag manager. The SDK initializes with a site ID and begins tracking immediately.

Page tracking: On each page load, the SDK fires an automatic page view event to track.customer.io (or cdp.customer.io for the newer Journeys CDP product), capturing the current URL, referrer, page title, and timestamp. In SPAs with history API routing, subsequent navigations also trigger page events.

Event tracking: Custom _cio.track() calls instrument business events throughout the user journey — signed_up (user ID, plan, source), trial_started, feature_used (feature name, context), subscription_upgraded (plan, MRR), order_placed (order ID, items, revenue). These events arrive in Customer.io within seconds and can trigger automated message sequences configured in the Campaign or Journeys builder.

User identification: The _cio.identify() call links an anonymous session to a known contact. The call passes identifiers (email, user ID) and profile attributes (name, plan, trial expiry date, custom traits). Once identified, all subsequent events are attributed to the contact's profile, and prior anonymous events within the same session are merged. A _cioid cookie (1-year expiry, first-party) persists the resolved user ID across sessions.

Anonymous visitor tracking: For pre-identification sessions, Customer.io sets a _cio_auid cookie (6-month expiry, first-party) to maintain anonymous visitor continuity. This enables attribution of pre-signup behavior (pages visited, features explored) to the contact after they sign up.

Segment and audience building: Accumulated event and attribute data builds dynamic segments in Customer.io (e.g., "trial users who haven't activated core feature within 3 days"). These segments power targeted campaigns and are updated in real time as behavior changes.

Consent & Compliance

Customer.io is classified under marketing and analytics consent categories. The marketing classification is primary because the platform's purpose is to drive behavioral triggers for marketing campaigns — the analytics component (event tracking, segmentation) is instrumental to that marketing function rather than an end in itself.

Under GDPR, Customer.io processes behavioral data and builds contact profiles containing personally identifiable information (email, user ID, behavioral history) for the purpose of sending marketing communications. This requires explicit consent under Article 6(1)(a). The _cio_auid and _cioid persistent cookies require consent under the ePrivacy Directive before being set. The profiling of users based on behavioral sequences for automated decision-making in campaign targeting engages GDPR Article 22 considerations.

Under CCPA/CPRA, behavioral data collected for marketing automation constitutes personal information. Sharing this data with Customer.io as a third-party processor for commercial messaging purposes must be disclosed, and California residents have the right to opt out of sale or sharing. Customer.io's use as a marketing automation tool means it is typically treated as a service provider (not a third-party data seller) under CCPA if the data is used solely for the business's own marketing — but the disclosure obligation still applies.

Customer.io is headquartered in Portland, Oregon. EU/EEA data is stored in Customer.io's EU data center (hosted on AWS eu-west-1/eu-central-1) when the EU data residency option is selected. Customer.io participates in the EU-US Data Privacy Framework and offers Standard Contractual Clauses in its DPA.

Should You Block This Without Consent?

Yes. Customer.io's tracking snippet sets persistent identification cookies and collects behavioral data for marketing automation immediately on load. It links anonymous browsing to identifiable contact profiles and triggers marketing campaigns based on that behavioral data. Block until the visitor grants marketing consent.