The Gretel Score is Gretelfy's 0-100 compliance rating that tells you how well your website respects user consent. But what exactly goes into that number?
This guide explains our methodology, what we measure across five scoring categories, and how to interpret your score.
What the Gretel Score Measures
The Gretel Score measures your website's overall consent compliance across five categories. When we scan your site, we simulate a real visitor experience—arriving in a completely fresh browser session with no cookies, no history, and no prior interactions.
We then analyze what happens at multiple stages: before consent, during banner interaction, after rejection, and across the data flows your site creates. This gives a comprehensive picture of how well your site respects user choices, going far beyond just checking which cookies fire on page load.
The 5 Scoring Categories
1. Pre-Consent Compliance
This is the foundation of the Gretel Score and carries the highest weight. It measures what happens on your website before a user interacts with any consent mechanism.
What we check:
- Cookies set before consent — categorized by type. Marketing cookies like Facebook Pixel or Google Ads carry high impact. Analytics cookies like Google Analytics carry medium impact. Functional and unknown cookies carry lower impact.
- Scripts firing before consent — tracking pixels, analytics engines, and advertising scripts that activate before the user makes a choice.
- CMP detection — whether a consent banner is present and loading correctly.
- Storage trackers — localStorage, sessionStorage, and IndexedDB usage for tracking purposes before consent.
- Fingerprinting signals — canvas fingerprinting, WebGL probing, and other browser fingerprinting techniques.
- Multi-page consistency — whether consent behavior is consistent across different pages of your site.
For a detailed breakdown of the most common violations in this category, see our guide to pre-consent cookie tracking and the top 10 pre-consent violations.
2. Banner UX
A consent banner that technically exists but uses dark patterns to steer users toward acceptance doesn't provide valid consent under GDPR. We evaluate banner design and interaction patterns, each carrying moderate impact:
- Reject button presence — users must have a clear way to decline non-essential cookies.
- Equal prominence — the reject option should be as visible and accessible as the accept option. No hiding "Reject" in gray text while "Accept All" is a bright green button.
- Granular consent — users should be able to choose which cookie categories to accept, not just "all or nothing."
- Pre-ticked checkboxes — consent categories must not be pre-selected. Users must actively opt in.
- Consent withdrawal — users must be able to change their mind and revoke consent as easily as they gave it.
- Cookie policy link — the banner should link to a detailed cookie policy.
- Legitimate interest abuse — using "legitimate interest" as a legal basis for marketing or analytics tracking, which regulators consistently reject.
- Language mismatch — serving a consent banner in a language that doesn't match the user's locale.
3. Post-Rejection Behavior
What happens after a user clicks "Reject All" is just as important as what happens before consent. This category carries high impact because it directly measures whether your site respects user choices:
- Data transfers continuing after rejection — if a user rejects cookies but tracking scripts continue to fire or send data, that's a clear violation.
- Cookies set after rejection — non-essential cookies appearing despite explicit rejection.
- Network requests to tracking domains — requests to advertising or analytics endpoints that persist after the user says no.
4. Consent Mode Validation
For sites running Google services, we validate whether Google Consent Mode signals match actual behavior. This carries moderate impact:
- Default consent state — whether the site properly defaults to "denied" for ad and analytics storage before consent.
- Signal accuracy — whether the consent signals sent to Google match what's actually happening with cookies and scripts.
- All v2 signals present — whether the newer ad_user_data and ad_personalization signals are properly configured alongside the original ad_storage and analytics_storage.
5. Data Flow Intelligence
This category examines the broader data ecosystem your website creates. Impact varies based on the severity of each finding:
- PII exposure — detecting personally identifiable information (email addresses, phone numbers, names) being transmitted to third parties in URLs, request bodies, or cookie values before consent.
- Schrems II cross-border transfers — identifying data flows to countries without EU adequacy decisions, particularly the United States, which requires additional safeguards under GDPR.
- 4th-party tracking chains — when a third-party script loads additional scripts from other domains, creating tracking chains the site owner may not be aware of.
- Deep dependency chains — mapping how many levels deep your site's script dependencies go, since each level adds potential tracking exposure.
Score Calculation Philosophy
The Gretel Score starts at 100 and deducts points for each violation found. The key principles:
- Severity-weighted deductions — marketing violations cost more than analytics violations, which cost more than functional violations. The impact reflects regulatory risk.
- Diminishing returns — to prevent a single vendor with many cookies from completely dominating the score, repeated violations of the same type have progressively smaller deductions. The first marketing cookie has more impact than the tenth.
- CMP bonus — sites with a properly functioning consent banner that successfully blocks non-essential cookies before consent receive a bonus. A CMP that's present but not working correctly receives a smaller bonus.
- Category caps — no single category can reduce your score beyond a certain threshold, ensuring the score reflects overall compliance rather than one catastrophic area.
- Floor at zero — scores cannot go negative.
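As an added illustration of the five principles above (example code, not Gretelfy's actual formula), the following applies severity weights, diminishing returns, category caps, a CMP bonus and a floor at zero to a list of findings; the weights, decay factor, caps, bonus values and the 100-point ceiling are assumptions for this example.

```javascript
// Assumed parameters for this illustration, not Gretelfy's real values.
const SEVERITY_WEIGHT = { high: 10, medium: 5, low: 2 };   // marketing > analytics > functional/unknown
const CATEGORY_CAP = { preConsent: 60, bannerUx: 25, postRejection: 40, consentMode: 20, dataFlow: 30 };
const DECAY = 0.7;                                          // each repeat of a violation type costs 70% of the previous one
const CMP_BONUS = { working: 10, present: 3, none: 0 };     // working CMP > present-but-broken CMP > no CMP

// violations: [{ category: 'preConsent', type: 'marketing_cookie', severity: 'high' }, ...]
function gretelScore(violations, cmpStatus) {
  const seen = new Map();          // "category:type" -> occurrences counted so far
  const perCategory = new Map();   // category -> uncapped deduction
  for (const v of violations) {
    const key = `${v.category}:${v.type}`;
    const n = seen.get(key) || 0;
    seen.set(key, n + 1);
    // Severity-weighted deduction with diminishing returns for repeats of the same type.
    const deduction = SEVERITY_WEIGHT[v.severity] * DECAY ** n;
    perCategory.set(v.category, (perCategory.get(v.category) || 0) + deduction);
  }
  let deducted = 0;
  for (const [category, amount] of perCategory) {
    deducted += Math.min(amount, CATEGORY_CAP[category]);   // category cap
  }
  const raw = 100 - deducted + (CMP_BONUS[cmpStatus] ?? 0);
  return Math.max(0, Math.min(100, Math.round(raw)));       // floor at zero; 100 ceiling is an assumption
}

// Rating tiers as given in the Score Interpretation table.
function rating(score) {
  if (score >= 80) return 'Pass';
  if (score >= 50) return 'Warning';
  return 'Fail';
}

// Helper to build repeated findings of one type (e.g. one vendor setting many cookies).
function repeatViolation(category, type, severity, count) {
  return Array.from({ length: count }, () => ({ category, type, severity }));
}
```

With these parameters twenty marketing cookies from one vendor deduct about 33 points in total rather than 200, and a single category can never remove more than its cap.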
Score Interpretation
Rating Tiers
| Score | Rating | Indicator | Meaning |
|---|---|---|---|
| 80-100 | Pass | Green | Strong compliance across categories. Your site respects consent before tracking. |
| 50-79 | Warning | Yellow | Moderate issues found. Violations exist but may be limited in scope. |
| 0-49 | Fail | Red | Significant violations. High regulatory risk requiring immediate attention. |
What Each Range Means
80-100 (Pass)
Your site demonstrates strong compliance. If violations exist, they are minor (such as a functional cookie or unknown cookie with low tracking risk). A CMP is present and working effectively. This score means you can be confident your site would hold up under regulatory scrutiny.
Important: A passing score with violations is labeled "Minor Issues Found," not "Compliant." Only a clean scan with zero violations says "No pre-consent violations detected."
Action: Maintain current practices. Set up monitoring to catch regression.
50-79 (Warning)
Your site has meaningful violations, but they may be limited in scope. Perhaps analytics fires early but marketing cookies are properly blocked, or you have a CMP that's partially configured. There's meaningful room for improvement before regulatory action becomes likely.
Action: Review specific violations. Prioritize marketing cookies first, then analytics. Check whether your CMP configuration needs adjustment. Follow our audit guide for a systematic approach.
0-49 (Fail)
Your site has significant violations across multiple categories. Marketing cookies, analytics, and potentially tracking scripts are firing without consent. This range represents real regulatory risk and should trigger immediate remediation.
Action: Immediate remediation needed. Implement a CMP if absent, or fix existing configuration. Block all non-essential cookies until consent. Consider a complete cookie compliance audit.
Improving Your Score
Pre-Consent Compliance (Biggest Impact)
- Delay marketing scripts — ensure Facebook Pixel, Google Ads, LinkedIn, and TikTok only fire after explicit marketing consent.
- Gate analytics behind consent — configure Google Analytics, Hotjar, and similar tools to wait for user approval.
- Audit hardcoded scripts — move tracking scripts from theme files to your tag manager with consent conditions.
- Classify unknown cookies — identify the source of every cookie and assign it to the correct consent category.
Banner UX
- Add a visible reject button — make it as prominent as the accept button.
- Remove pre-ticked checkboxes — all consent categories should default to unchecked.
- Enable granular consent — let users choose specific categories, not just "all or nothing."
- Add consent withdrawal — provide a way for users to change their preferences after their initial choice.
Post-Rejection Behavior
- Verify rejection works — after rejecting consent, scan your site again to confirm no tracking persists.
- Test all consent scenarios — accept all, reject all, partial consent, and withdrawal.
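The post-rejection check (the "Post-Rejection Behavior" category and the "verify rejection works" step above), as an added example that is not Gretelfy's scanner code: a constructed event timeline from a scan is compared against the moment "Reject All" was clicked, and any later request to a tracking domain or any later non-essential cookie is reported. The tracking-domain list, cookie categories and sample events are assumptions for this example.

```javascript
// Assumed classification list for the example; Gretelfy's own list is not on this page.
const TRACKING_DOMAINS = {
  'facebook.com': 'marketing', 'doubleclick.net': 'marketing',
  'google-analytics.com': 'analytics', 'hotjar.com': 'analytics',
};

// Returns the tracking category of a host, matching the domain itself and any subdomain.
function trackingCategory(host) {
  for (const [domain, category] of Object.entries(TRACKING_DOMAINS)) {
    if (host === domain || host.endsWith('.' + domain)) return category;
  }
  return null;
}

// events: [{ t: ms since page load, kind: 'request' | 'cookie', value: url or cookie name, category? }]
// rejectedAt: the timestamp at which the scan clicked "Reject All"
function postRejectionViolations(events, rejectedAt) {
  const violations = [];
  for (const e of events) {
    if (e.t <= rejectedAt) continue;   // pre-rejection activity belongs to the pre-consent category
    if (e.kind === 'request') {
      const category = trackingCategory(new URL(e.value).hostname);
      if (category) violations.push({ type: 'request_after_rejection', category, value: e.value });
    } else if (e.kind === 'cookie' && e.category !== 'necessary') {
      // Strictly necessary cookies are allowed without consent; anything else is a violation here.
      violations.push({ type: 'cookie_after_rejection', category: e.category, value: e.value });
    }
  }
  return violations;
}

// Constructed sample timeline: the banner was rejected at t=2000, yet some tracking persists.
const SAMPLE_EVENTS = [
  { t: 500,  kind: 'request', value: 'https://example-site.test/app.js' },
  { t: 2500, kind: 'request', value: 'https://www.google-analytics.com/g/collect?v=2' },
  { t: 2600, kind: 'cookie',  value: 'session_id', category: 'necessary' },
  { t: 3100, kind: 'cookie',  value: 'mkt_click_id', category: 'marketing' },
  { t: 3200, kind: 'request', value: 'https://example-site.test/api/content' },
];
```

Running the same function over a rescan after a fix should return an empty list; a non-empty list points at the exact request or cookie that is still firing.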
Consent Mode & Data Flows
- Implement Google Consent Mode v2 — ensure all four signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) default to "denied."
- Review third-party data flows — understand where your site sends data and whether those transfers comply with Schrems II requirements.
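As an added example (this is example code, not Gretelfy's scanner or Google's gtag library), a minimal gtag() shim records consent commands into a dataLayer, and a validator performs the "default consent state" and "all v2 signals present" checks from the Consent Mode Validation category against a weak configuration and the corrected one.

```javascript
const REQUIRED_SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Shim with the same shape as the standard gtag() bootstrap: every call pushes its arguments.
function makeDataLayer() {
  const dataLayer = [];
  function gtag() { dataLayer.push(arguments); }
  return { dataLayer, gtag };
}

// Inspect the recorded commands the way a fresh-session scan would: collect the consent
// 'default' commands issued before any interaction and report which signals are missing
// or not set to 'denied'.
function checkConsentDefaults(dataLayer) {
  const defaults = Array.from(dataLayer)
    .filter(args => args[0] === 'consent' && args[1] === 'default')
    .map(args => args[2] || {});
  if (defaults.length === 0) {
    return { ok: false, missing: REQUIRED_SIGNALS.slice(), granted: [] };
  }
  const merged = Object.assign({}, ...defaults);   // a later default overrides an earlier one
  const missing = REQUIRED_SIGNALS.filter(s => !(s in merged));
  const granted = REQUIRED_SIGNALS.filter(s => s in merged && merged[s] !== 'denied');
  return { ok: missing.length === 0 && granted.length === 0, missing, granted };
}

// Weak configuration: only the original v1 signals, with analytics left granted before consent.
function weakSetup() {
  const { dataLayer, gtag } = makeDataLayer();
  gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'granted' });
  return checkConsentDefaults(dataLayer);
}

// Corrected configuration: all four v2 signals default to 'denied' until the user chooses.
function correctedSetup() {
  const { dataLayer, gtag } = makeDataLayer();
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
  });
  return checkConsentDefaults(dataLayer);
}
```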
Score Limitations
We believe in transparency about what our score can and cannot measure:
What the Gretel Score Covers Well
- Pre-consent cookie and script behavior
- Consent banner presence and UX patterns
- Post-rejection compliance
- Google Consent Mode signal validation
- Cross-border data flow analysis
- Third and fourth-party tracking chains
What the Gretel Score Does Not Cover
- Server-side tracking — tracking that happens entirely on the server without client-side signals is not visible to our scanner.
- Cookie policy accuracy — we detect whether a policy link exists, but don't evaluate whether the policy content is accurate or complete.
- Legitimate interest assessments — while we flag potential misuse of legitimate interest for marketing, the legal validity of legitimate interest claims requires legal analysis.
- Mobile app behavior — the score applies to web properties only.
The Gretel Score is one component of comprehensive compliance—a critical, measurable component, but not the complete legal picture. For privacy officers looking to integrate the Gretel Score into their compliance workflows, see our DPO's guide to cookie compliance monitoring.
Get Your Score
Ready to see your score? Enter your URL and get your Gretel Score in seconds.
