My website got a score of 72 with a grade C. I want to understand how the score is calculated and what I need to fix to improve it. What are the 9 criteria?
1 Answers
The compliance score is calculated across 9 weighted criteria totaling 100 points. Here's the full breakdown:
Scoring Categories
| Category | Weight | What It Checks |
|---|---|---|
| No tracking before consent | 20 pts | No analytics/advertising requests fire before the user interacts with the consent banner |
| Consent banner exists | 15 pts | A cookie consent banner is detected on the page |
| Consent Mode implemented | 15 pts | Google Consent Mode v2 consent default command is present before GTM/GA4 loads |
| Consent banner functional | 10 pts | The accept button actually works and triggers the expected consent update |
| Reject option available | 10 pts | A reject/decline option is visible and accessible (not hidden behind a settings panel) |
| Consent Mode correct states | 10 pts | After accept/reject, the consent state values (ad_storage, analytics_storage) match the user's choice |
| No tracking cookies before consent | 10 pts | No tracking cookies (_ga, _fbp, _ttp, etc.) are set before consent is established |
| Consent persists correctly | 5 pts | After page reload, the consent state is restored from cookies |
| No tracking after reject | 5 pts | No new tracking cookies or requests are created after the user rejects consent |
Grade Scale
| Grade | Score Range |
|---|---|
| A | 90 - 100 |
| B | 75 - 89 |
| C | 60 - 74 |
| D | 40 - 59 |
| F | 0 - 39 |
Violation Severity
Each violation has a severity level:
- Critical — Direct GDPR violation (e.g., tracking cookies after reject, consent state mismatch)
- High — Significant compliance gap (e.g., missing consent default, tracking before consent)
- Medium — Implementation issue (e.g., GCS parameter mismatch, consent not persisting)
Common Ways to Improve Your Score
- Add
gtag('consent', 'default', {...})before loading GTM — This alone is worth 15 points (Consent Mode implemented). - Ensure no tracking fires before consent — Make sure GA4, Meta Pixel, etc. use Advanced Consent Mode or don't load at all before consent. Worth 20 points.
- Make the reject button visible — Don't hide it behind a "Manage settings" panel. Worth 10 points.
- Verify consent update fires on accept/reject — The CMP must call
gtag('consent', 'update', {...})with correct values. Worth 10 points.
Note: If your site doesn't use any Google vendors (GA4, GTM, Google Ads), the Google Consent Mode criteria are automatically excluded and won't penalize your score.