
How ConsentLens Compliance Scores Are Calculated

Updated April 2026

Every ConsentLens scan produces a 0–100 compliance score that summarises a website's GDPR and ePrivacy posture across four independently measured dimensions. The score is not a simple pass/fail — it is a quantitative representation of the gap between what the law requires and what the scanner observed. A score of 100 means no issues were detected across any dimension. A score of 40 means significant compliance failures exist. Understanding how each dimension is scored helps you interpret what your result means, prioritise remediation, and understand what changes will have the highest impact on your score.

The 0–100 Score Architecture

The total compliance score is the sum of four sub-scores, each ranging from 0 to 25 points. The four dimensions are: cookie consent handling (0–25), tracking transparency (0–25), third-party script management (0–25), and consent option availability (0–25). Each dimension measures a distinct aspect of GDPR and ePrivacy compliance. A website that scores perfectly on two dimensions but fails two others will receive a total score in the 40–50 range — reflecting real, meaningful compliance gaps despite partial compliance.

This architecture was designed to prevent score inflation from partial compliance. A site that has a consent banner (gaining some points on consent option availability) but fires trackers before consent is given (losing points on tracking transparency and cookie consent) should not receive a high score. The four-dimension model ensures that each fundamental GDPR obligation is independently assessed rather than averaged into a single quality rating.

The score thresholds map to compliance levels: 80–100 is Compliant, 60–79 is Low Risk, 40–59 is Medium Risk, and 0–39 is High Risk. These levels are designed to reflect the realistic likelihood of regulatory attention, not to create a false binary of compliant vs non-compliant. A site scoring 75 is meaningfully better than one scoring 45, even though neither is fully compliant.

Sub-Score 1: Cookie Consent (0–25)

The cookie consent sub-score measures whether the cookies present in the browser after page load are consistent with what a valid consent mechanism should have permitted. A score of 25 is awarded only when no non-essential cookies are detected — the cleanest possible outcome. A score of 15 is awarded when a CMP is present but non-essential cookies are still set, reflecting that a consent mechanism exists but may not be correctly blocking all cookies until after consent is given.

A score of 0 is awarded when non-essential cookies are detected and no CMP is present at all. This is the most serious outcome on this dimension — it indicates the site is setting tracking cookies with no mechanism to obtain consent. The scoring accounts for the presence or absence of a consent management platform as a significant mitigating factor, because a CMP demonstrates intent to comply even when the technical implementation has gaps.

Non-essential cookies are identified by cross-referencing detected cookie names against a database of known third-party tracking cookies. Cookies set by known advertising and analytics platforms — Google Analytics _ga cookies, Meta fbp/fbc cookies, Hotjar _hjid cookies, LinkedIn li_at cookies, and equivalents — are classified as non-essential. First-party session and authentication cookies are excluded from this assessment.

Sub-Score 2: Tracking Transparency (0–25)

Tracking transparency measures whether tracker behaviour is consistent with the consent framework the site claims to have. The maximum score of 25 is awarded when no trackers are detected at all — a rare but achievable outcome for sites that use only first-party analytics without third-party integrations. A score of 20 is awarded when trackers were detected but none fired before consent, and a CMP is present — meaning the consent framework is operating correctly.

A score of 10 is awarded when trackers fired before consent was given but a CMP is present. This is a significant finding: it means the CMP is not correctly blocking trackers in the pre-consent period, which is one of the most common GDPR violations. The presence of a CMP provides some mitigation — it shows an attempt at compliance — but the pre-consent firing is a real violation that drops the score substantially.

A score of 0 is awarded when trackers fired before consent and no CMP was detected. This is the most serious tracking transparency outcome — the site has third-party tracking, those trackers fire immediately on page load with no consent gate, and no consent mechanism exists to justify this behaviour. This configuration is consistently flagged as a High-severity violation in the issue list.

Sub-Score 3: Third-Party Scripts (0–25)

The third-party scripts sub-score evaluates the presence and severity of advertising and tracking scripts relative to the site's consent infrastructure. A score of 25 is awarded when no third-party trackers are detected — the site loads no scripts from known advertising, analytics, or tracking domains. A score of 8 is awarded when advertising-category trackers (Google Ads, Meta Pixel, TikTok Pixel, and equivalents) are present alongside a CMP.

A score of 0 is awarded when advertising-category trackers are present and no CMP exists. Advertising trackers are weighted more heavily than analytics trackers in this sub-score because they typically involve cross-site data sharing with ad networks, process data for profiling purposes, and carry a higher risk profile under GDPR's assessment of legitimate interests balancing tests. A site with analytics but no advertising trackers scores better than one with advertising trackers even at equivalent CMP presence levels.

This sub-score specifically targets trackers in the advertising, remarketing, and cross-site tracking categories: Google Ads (doubleclick.net), Meta Pixel (connect.facebook.net), TikTok Pixel (analytics.tiktok.com), LinkedIn Insight (snap.licdn.com), Microsoft Ads (bat.bing.com), and similar. Pure analytics tools such as Segment or Hotjar are categorised differently and their presence is reflected primarily in the cookie consent and tracking transparency sub-scores.

Sub-Score 4: Consent Options (0–25)

The consent options sub-score evaluates whether the site's consent mechanism provides users with genuine, meaningful choices. A score of 25 is awarded when no tracking is present — the site does not need a consent mechanism because it processes no non-essential data. A score of 25 is also awarded when tracking is present alongside a CMP that provides both accept and reject options at the first interaction layer.

A score of 18 is awarded when a banner is detected primarily through script globals or indirect detection patterns, rather than a confirmed CMP — indicating that a consent mechanism of some kind exists but its configuration cannot be fully assessed. A score of 10 is awarded when a banner is detected but only an accept option is present, with no mechanism for users to decline. This is an explicit violation of the EU/UK DPA guidance that reject must be as easy as accept.

A score of 0 is awarded when tracking or cookie activity is present and no banner of any kind is detected. This is the 'no consent mechanism' finding — the most fundamental consent failure, where a site is processing personal data through cookies and trackers without any mechanism to obtain or record user consent. In conjunction with a low tracking transparency score, this configuration produces the lowest overall compliance scores.
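The four sub-score rules above, the level thresholds, and the FAQ's advice to look at the lowest sub-score first, as an added worked example in Python (not ConsentLens's own code). The `Scan` fields, the `ANALYTICS_ONLY_POINTS` value and the treatment of trackers seen with no CMP at all are assumptions this page does not state.

```python
from dataclasses import dataclass

# Level floors from the page: 80-100 Compliant, 60-79 Low Risk, 40-59 Medium Risk, 0-39 High Risk
LEVELS = ((80, "Compliant"), (60, "Low Risk"), (40, "Medium Risk"), (0, "High Risk"))
# Assumed placeholder: the page only says analytics-only trackers score above the 8 for ad trackers
ANALYTICS_ONLY_POINTS = 15
@dataclass
class Scan:  # hypothetical flattened scan result, not ConsentLens's own data model
    non_essential_cookies: bool  # known tracking cookies (_ga, _fbp, ...) present after load
    trackers: bool               # any third-party tracker detected
    fired_pre_consent: bool      # at least one tracker fired before consent was given
    ad_trackers: bool            # advertising-category trackers (Google Ads, Meta Pixel, ...) present
    cmp: bool                    # confirmed consent management platform detected
    banner_indirect: bool        # banner inferred from script globals, not a confirmed CMP
    reject_first_layer: bool     # reject offered beside accept on the first layer

def cookie_consent(s: Scan) -> int:
    if not s.non_essential_cookies:
        return 25
    return 15 if s.cmp else 0

def tracking_transparency(s: Scan) -> int:
    if not s.trackers:
        return 25
    if not s.cmp:  # assumption: with no CMP there is no consent event, so any firing is pre-consent
        return 0
    return 10 if s.fired_pre_consent else 20

def third_party_scripts(s: Scan) -> int:
    if not s.trackers:
        return 25
    if not s.ad_trackers:
        return ANALYTICS_ONLY_POINTS
    return 8 if s.cmp else 0

def consent_options(s: Scan) -> int:
    if not s.trackers and not s.non_essential_cookies:
        return 25
    if s.cmp:
        return 25 if s.reject_first_layer else 10
    return 18 if s.banner_indirect else 0

def score(s: Scan):  # returns (total, level, per-dimension scores, lowest-scoring dimension)
    subs = {"cookie_consent": cookie_consent(s), "tracking_transparency": tracking_transparency(s),
            "third_party_scripts": third_party_scripts(s), "consent_options": consent_options(s)}
    total = sum(subs.values())
    level = next(name for floor, name in LEVELS if total >= floor)
    return total, level, subs, min(subs, key=subs.get)

# Constructed input: CMP with a reject button, but trackers and ad pixels fire before consent
LEAKY_CMP = Scan(True, True, True, True, True, False, True)  # 15 + 10 + 8 + 25 = 58, Medium Risk
```

The leaky-CMP case is the one the architecture section describes: a banner alone does not rescue the score, and the weakest dimension tells you where to remediate first.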

Compliance Levels: What Your Score Means

A score of 80–100 (Compliant) indicates that no significant GDPR or ePrivacy issues were detected across any of the four dimensions. In practice, this means: no pre-consent trackers, a functioning CMP with both accept and reject options, and no undisclosed third-party cookies. Sites in this range are at low regulatory risk. Note that Compliant means 'no issues detected by the scanner' — not 'certified GDPR compliant'. Manual legal review remains important for complete compliance.

A score of 60–79 (Low Risk) indicates minor issues that are unlikely to attract regulatory attention on their own but represent real compliance gaps. Common Low Risk profiles include sites with a functioning consent mechanism but some cookies set before the banner renders, or sites with analytics tracking but no advertising trackers. These sites would benefit from remediation but carry lower regulatory risk than Medium and High Risk sites.

A score of 0–39 (High Risk) indicates active violations — most commonly pre-consent tracker firing, absence of a consent mechanism, or advertising trackers with no valid consent infrastructure. Sites in this range are the primary focus of DPA complaint-based investigations. Regulators consistently find that the violations that attract complaints are exactly the ones this score range represents: visible tracking without meaningful choice.

Why a Numerical Score Instead of Pass/Fail

GDPR compliance is not binary. A site can be partially compliant — correctly blocking advertising trackers but still loading analytics before consent — in ways that a simple pass/fail verdict cannot capture. A numerical score enables prioritisation: a site scoring 55 can identify that its lowest-scoring dimension is tracking transparency and focus remediation efforts there, rather than treating all compliance as an undifferentiated problem.

The numerical score also enables comparison and trending. Organisations that scan their sites after implementing fixes can measure whether their score improved and by how much. Industry benchmarks from the ConsentLens statistics page show average scores by sector, allowing organisations to understand their compliance posture relative to peers. A finance sector site scoring 60 is performing at the sector average; one scoring 40 is performing significantly below it.

The score is designed to correlate with regulatory risk, not to predict specific enforcement outcomes. Regulators consider factors that a scanner cannot assess — the duration of violations, the scale of data subjects affected, the intent behind non-compliance, and the organisation's response when violations are identified. The score is an input to a compliance programme, not a substitute for legal advice.

Frequently Asked Questions

Can I get a perfect score of 100?

Yes. A score of 100 requires: no non-essential cookies detected, no third-party trackers detected, a functioning CMP with accept and reject options, and no pre-consent data requests. Sites that use only strictly necessary cookies, no analytics, and no third-party scripts can achieve 100. Sites with analytics tracking can also approach 100 if their CMP correctly blocks all tracking before consent is given and the banner provides genuine accept and reject options.

My score is 65 — what should I fix first?

Check which of the four sub-scores is lowest. A low score on tracking transparency typically means pre-consent tracker firing — fix by configuring your tag manager or CMP to block all non-essential scripts before consent. A low score on consent options means your banner may be missing a reject option — add an equivalent-prominence reject button to the first layer. A low score on third-party scripts means advertising trackers are present — verify they are correctly gated by consent.

Does the score take into account my privacy policy content?

Not directly. ConsentLens scores observable technical behaviour: cookies present, trackers detected, consent banner structure, and pre-consent request timing. It does not parse or evaluate privacy policy text. Privacy policy quality is important for GDPR compliance — particularly the 'informed' requirement for consent — but evaluating the completeness and accuracy of legal document text requires a different kind of assessment than automated technical scanning.
