PrivacyGrader is an automated scanner that inspects publicly accessible signals on any website URL. It does not log in, click through paywalls, or test internal workflows. The score reflects the site's observable compliance posture from the outside — the same view a regulator, journalist, or potential enterprise customer would have.
Scan modes
Browser scan (preferred): Uses a headless Chromium instance via Cloudflare Browser Rendering. Runs JavaScript, captures the network requests the page fires, interacts with consent banners, and runs the axe-core accessibility library. Provides the most accurate results.
Fetch scan (fallback): Plain HTTP request used when the browser renderer is unavailable or times out. Analyses HTML, response headers, and policy text only. Dimensions that require a live browser (cookie behaviour, accessibility) cannot be evaluated in this mode: they are marked n/a in the report and receive partial rather than zero credit, so a fetch-mode score is an upper bound only for those dimensions.
Scoring dimensions
Ten dimensions totalling 100 points. Scores within each dimension are proportional (not binary) unless stated.
Pre-consent tracking
20 points
Measures
Number and category of network requests fired before any cookie banner interaction. Categories: Advertising, Analytics, Fingerprinting, Session Replay.
Pass
Zero trackers fired before consent
Partial
1–9 analytics-only trackers
Fail
Any advertising, fingerprinting, or session-replay tracker; or 10+ trackers of any type
Limitations
Only detects trackers present in the EasyList/EasyPrivacy-derived blocklist. First-party analytics or custom tracking solutions may not be detected.
Cookie banner quality
12 points
Measures
Presence of a Consent Management Platform (CMP), availability of a reject/decline path without clicking through multiple layers, and whether post-reject tracking count drops relative to pre-consent.
Pass
CMP detected + reject path available + post-reject tracking reduced
Partial
CMP detected but no clear reject path, or no reduction in post-reject tracking
Fail
No CMP detected (counted as a fail only when pre-consent tracking was observed; with no trackers there is nothing to consent to)
Limitations
CMP detection relies on known CMP scripts and cookie names. Custom CMPs may not be detected. Post-reject comparison requires a browser scan.
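The two browser-dependent dimensions above share one building block: classifying captured request URLs against a blocklist and counting them before and after the banner is rejected. The following is an added example in Node.js (no dependencies), not PrivacyGrader's own code. The BLOCKLIST map, the request logs, the half-credit value for a partial banner score and the linear scaling of the pre-consent partial band are all assumptions made for illustration; the page only states that scoring is proportional.

```javascript
// Added example, not PrivacyGrader's own code. Classifies captured request URLs
// against a tiny constructed blocklist and applies the Pre-consent tracking and
// Cookie banner quality rules from the rubric. BLOCKLIST, the request logs and the
// partial-credit formulas are assumptions made for illustration.

// Constructed host-suffix -> category map standing in for an EasyList/EasyPrivacy-
// derived list. Hosts not listed here (first-party or custom analytics) are invisible,
// which is the limitation the rubric notes.
const BLOCKLIST = {
  'doubleclick.net': 'Advertising',
  'googlesyndication.com': 'Advertising',
  'google-analytics.com': 'Analytics',
  'plausible.io': 'Analytics',
  'fingerprint.com': 'Fingerprinting',
  'hotjar.com': 'Session Replay',
};

// Returns the tracker category for a URL, or null when it matches nothing.
function classify(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return null; }
  for (const [suffix, category] of Object.entries(BLOCKLIST)) {
    if (host === suffix || host.endsWith('.' + suffix)) return category;
  }
  return null;
}

function trackerCounts(urls) {
  const counts = { Advertising: 0, Analytics: 0, Fingerprinting: 0, 'Session Replay': 0 };
  for (const url of urls) {
    const category = classify(url);
    if (category) counts[category] += 1;
  }
  return counts;
}

const totalOf = counts => Object.values(counts).reduce((a, b) => a + b, 0);

// Pre-consent tracking, 20 points. The partial band is scaled linearly with the
// tracker count (assumption: the page only says scoring is proportional).
function scorePreConsent(preConsentUrls) {
  const counts = trackerCounts(preConsentUrls);
  const total = totalOf(counts);
  const nonAnalytics = total - counts.Analytics;
  if (total === 0) return { band: 'pass', points: 20, counts };
  if (nonAnalytics > 0 || total >= 10) return { band: 'fail', points: 0, counts };
  return { band: 'partial', points: Math.round(20 * (10 - total) / 10), counts };
}

// Cookie banner quality, 12 points. cmpDetected and rejectPathFound would come from
// matching known CMP scripts/cookie names and probing the banner in the browser scan;
// postRejectUrls is null when no browser scan ran. Half credit for partial is assumed.
function scoreCookieBanner({ cmpDetected, rejectPathFound, preConsentUrls, postRejectUrls }) {
  const before = totalOf(trackerCounts(preConsentUrls));
  if (!cmpDetected) {
    // The rubric only scores "no CMP" as a fail when pre-consent tracking exists;
    // with nothing to consent to, full credit is assumed here.
    return before > 0 ? { band: 'fail', points: 0 } : { band: 'pass', points: 12 };
  }
  if (postRejectUrls === null) {
    return { band: 'partial', points: 6, reason: 'post-reject comparison needs a browser scan' };
  }
  const after = totalOf(trackerCounts(postRejectUrls));
  const reduced = before === 0 ? true : after < before; // nothing to reduce counts as reduced
  if (rejectPathFound && reduced) return { band: 'pass', points: 12 };
  return { band: 'partial', points: 6, reason: rejectPathFound ? 'no reduction after reject' : 'no clear reject path' };
}

// Constructed request logs, as a headless browser would capture them.
const PRE_CONSENT = [
  'https://example.com/app.js',
  'https://www.google-analytics.com/collect?v=1&tid=UA-0',
  'https://cdn.example.com/logo.png',
];
const PRE_CONSENT_WITH_ADS = [...PRE_CONSENT, 'https://stats.g.doubleclick.net/r/collect'];
const POST_REJECT = ['https://example.com/app.js'];

console.log(scorePreConsent(PRE_CONSENT));
console.log(scoreCookieBanner({ cmpDetected: true, rejectPathFound: true, preConsentUrls: PRE_CONSENT, postRejectUrls: POST_REJECT }));
```

Note what the post-reject comparison does and does not prove: a drop in blocklisted requests after clicking reject shows the banner is wired to something, but a site that keeps setting first-party cookies or uses an unlisted collector still passes, which is exactly the functional-consent gap listed under "What we cannot measure".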
CCPA / CPRA
15 points
Measures
Presence of a Do Not Sell or Share link (or Your Privacy Choices link) in the main HTML. CCPA-related disclosure in the privacy policy text. Whether the site responds to the GPC (Global Privacy Control) signal via a Vary: Sec-GPC header.
Pass
All three present
Partial
Some present
Fail
None present
Limitations
GPC detection is limited to HTTP header inspection. Functional GPC handling (actually not setting cookies or firing trackers when the request carries Sec-GPC: 1) is not tested. The three checks are meaningful only for businesses that meet CCPA's applicability thresholds, which cannot be determined from a public scan, so a small site outside CCPA's scope may lose points here for omissions the law does not require of it.
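The three signals are each checkable from a single fetch. Below is an added example in Node.js (no dependencies), not PrivacyGrader's own code: it looks for the opt-out link in anchor text, for CCPA wording in the policy, and for Sec-GPC among the Vary tokens. The five-points-per-signal split and all sample inputs are assumptions.

```javascript
// Added example, not PrivacyGrader's own code. Checks the three CCPA/CPRA signals
// from the rubric on a fetched page: a Do Not Sell/Share or Your Privacy Choices
// link, CCPA wording in the policy, and a Vary: Sec-GPC response header. Five points
// per signal and the sample inputs are assumptions.

const CCPA_LINK_RE = /do\s+not\s+sell(\s+or\s+share)?|your\s+privacy\s+choices/i;

// Signal 1: anchor text in the main HTML. Tags inside the anchor are stripped first,
// so <a><span>Your Privacy</span> Choices</a> still matches. A link rendered only by
// JavaScript or as an image is missed, which is the fetch-mode blind spot.
function hasDoNotSellLink(html) {
  const anchor = /<a\b[^>]*>([\s\S]*?)<\/a>/gi;
  let match;
  while ((match = anchor.exec(html)) !== null) {
    const text = match[1].replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
    if (CCPA_LINK_RE.test(text)) return true;
  }
  return false;
}

// Signal 2: CCPA-related disclosure in the policy text (keyword presence only).
function hasCcpaDisclosure(policyText) {
  return /\b(CCPA|CPRA|California Consumer Privacy Act|California Privacy Rights Act)\b/i.test(policyText);
}

// Signal 3: the response says it varies on the GPC request header. Header names are
// case-insensitive and Vary may be repeated or comma-separated, so all values are
// merged. This only shows the server is GPC-aware; it does not prove GPC=1 is honoured.
function variesOnGpc(headers) {
  const tokens = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'vary') continue;
    for (const v of Array.isArray(value) ? value : [value]) {
      tokens.push(...String(v).split(',').map(t => t.trim().toLowerCase()));
    }
  }
  return tokens.includes('sec-gpc');
}

function scoreCcpa({ html, policyText, headers }) {
  const signals = {
    doNotSellLink: hasDoNotSellLink(html),
    ccpaDisclosure: hasCcpaDisclosure(policyText),
    gpcVary: variesOnGpc(headers),
  };
  const present = Object.values(signals).filter(Boolean).length;
  const band = present === 3 ? 'pass' : present === 0 ? 'fail' : 'partial';
  return { band, points: present * 5, signals };
}

// Constructed inputs.
const CCPA_HTML = `<footer><a href="/privacy">Privacy Policy</a>
<a href="/privacy-choices"><span>Your Privacy</span> Choices</a></footer>`;
const CCPA_POLICY_TEXT = 'Residents of California have rights under the CCPA, including the right to opt out of sale.';
const CCPA_HEADERS = { 'content-type': 'text/html', Vary: 'Accept-Encoding, Sec-GPC' };

console.log(scoreCcpa({ html: CCPA_HTML, policyText: CCPA_POLICY_TEXT, headers: CCPA_HEADERS }));
```

A practitioner verifying their own site should go one step past this check: send a request with Sec-GPC: 1 and confirm that the Set-Cookie and outbound tracker behaviour actually changes, since the Vary header alone is a declaration, not a control.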
Accessibility (WCAG 2.2)
15 points
Measures
Axe-core automated accessibility scan on the post-load DOM. Critical, serious, and moderate violation counts.
Pass
Zero critical or serious violations, zero or one moderate
Partial
Anything between the two: one or two serious violations, or two or more moderate violations, with no critical violation
Fail
Any critical violation, or 3+ serious violations
Limitations
Axe-core detects roughly 30–40% of WCAG issues automatically. Manual testing (keyboard navigation, screen reader testing, colour contrast in all states) is required for full WCAG conformance. Not available in fetch-mode scans.
Security headers
8 points
Measures
Presence and correctness of four HTTP response headers: Strict-Transport-Security (HSTS) with max-age >= 31536000, Content-Security-Policy, X-Content-Type-Options: nosniff, and X-Frame-Options or a CSP frame-ancestors directive.
Pass
All four present and correctly configured
Partial
Some present
Fail
None present
Limitations
CSP presence is checked but policy quality (e.g. unsafe-inline, wildcard sources) is not evaluated. Only checks the primary URL response, not sub-resources.
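To make the four checks concrete, here is an added example in Node.js (no dependencies), not PrivacyGrader's own code. It parses the HSTS max-age directive, accepts either X-Frame-Options or a CSP frame-ancestors directive for the framing check, and then goes beyond the rubric by flagging the two CSP weaknesses the limitation above mentions. The two-points-per-header split and the sample header sets are assumptions.

```javascript
// Added example, not PrivacyGrader's own code. Applies the four header checks from
// the rubric to a response header map (name -> value, names in any case), then goes
// one step further than the rubric by flagging the CSP weaknesses the limitation
// mentions. Two points per check and the sample headers are assumptions.

const ONE_YEAR_SECONDS = 31536000;

// Case-insensitive header lookup.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// max-age from a Strict-Transport-Security value such as
// "max-age=63072000; includeSubDomains; preload". Returns null when absent or malformed.
function hstsMaxAge(value) {
  if (!value) return null;
  for (const directive of value.split(';')) {
    const [k, v = ''] = directive.split('=').map(s => s.trim());
    if (k.toLowerCase() === 'max-age') {
      const seconds = Number.parseInt(v.replace(/^"|"$/g, ''), 10);
      return Number.isNaN(seconds) ? null : seconds;
    }
  }
  return null;
}

// Split a CSP into { name, sources } directives.
const cspDirectives = csp =>
  (csp || '').split(';').map(d => d.trim()).filter(Boolean).map(d => {
    const [name, ...sources] = d.split(/\s+/);
    return { name: name.toLowerCase(), sources };
  });

function scoreSecurityHeaders(headers) {
  const maxAge = hstsMaxAge(getHeader(headers, 'Strict-Transport-Security'));
  const csp = getHeader(headers, 'Content-Security-Policy');
  const xcto = getHeader(headers, 'X-Content-Type-Options');
  const xfo = getHeader(headers, 'X-Frame-Options');
  const checks = {
    hsts: maxAge !== null && maxAge >= ONE_YEAR_SECONDS,
    csp: csp !== null && csp.trim() !== '',
    nosniff: xcto !== null && xcto.trim().toLowerCase() === 'nosniff',
    framing: (xfo !== null && /^(deny|sameorigin)$/i.test(xfo.trim()))
      || cspDirectives(csp).some(d => d.name === 'frame-ancestors'),
  };
  const passed = Object.values(checks).filter(Boolean).length;
  const band = passed === 4 ? 'pass' : passed === 0 ? 'fail' : 'partial';
  return { band, points: passed * 2, checks };
}

// Not part of the rubric: a "present" CSP still scores even when it is toothless.
function cspWeaknesses(csp) {
  const findings = [];
  for (const { name, sources } of cspDirectives(csp)) {
    if (sources.some(s => s.toLowerCase() === "'unsafe-inline'")) findings.push(`${name} allows 'unsafe-inline'`);
    if (sources.some(s => s === '*' || /^https?:$/i.test(s))) findings.push(`${name} allows a wildcard source`);
  }
  return findings;
}

// Constructed responses.
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
};
const WEAK_HEADERS = {
  'strict-transport-security': 'max-age=300',               // below one year: no credit
  'content-security-policy': "default-src * 'unsafe-inline'", // present, so it scores
  'x-frame-options': 'SAMEORIGIN',
};

console.log(scoreSecurityHeaders(GOOD_HEADERS), scoreSecurityHeaders(WEAK_HEADERS));
console.log(cspWeaknesses(WEAK_HEADERS['content-security-policy']));
```

The WEAK_HEADERS case is the one to keep in mind when reading a report: it earns the CSP points with a policy that blocks nothing, so a passing mark on this dimension is evidence of presence, not of protection.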
Privacy policy
8 points
Measures
Discoverability of a privacy policy link from the homepage, fetchability of its content, character length (proxy for substantiveness), and Last-Modified date.
Pass
Discoverable, fetchable, >= 1500 chars, and updated within 3 years
Partial
Discoverable and fetchable but short or outdated
Fail
Not found or not fetchable
Limitations
Length is a weak proxy for quality. A long but vague policy scores as well as a concise, complete one.
DPA and sub-processors
7 points
Measures
Presence of a Data Processing Addendum (DPA) link and a sub-processor list link discoverable from the site.
Pass
Both present
Partial
One or neither present (not penalised: most consumer-facing sites do not need these)
Fail
n/a — this dimension defaults to partial for consumer apps
Limitations
Only checks for link discoverability. Does not verify DPA content or whether sub-processor list is current.
AI training disclosure
5 points
Measures
Whether the privacy policy text mentions AI, machine learning, or model training in the context of how user data is used.
Pass
Disclosure present
Partial
Not disclosed (partial credit — absence of disclosure is not necessarily a violation)
Fail
n/a
Limitations
Only checks for keyword presence in the fetched policy text. Does not assess whether the disclosure is accurate or complete.
Hosting region disclosure
5 points
Measures
Whether the privacy policy discloses where user data is stored or processed geographically.
Pass
Disclosure present
Partial
Not disclosed (partial credit)
Fail
n/a
Limitations
Keyword-based detection only.
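The privacy policy, AI training disclosure and hosting region checks all operate on the same fetched policy text, so one example serves all three. This is an added example in Node.js (no dependencies), not PrivacyGrader's own code. The 1500-character and 3-year thresholds are the rubric's; the keyword lists, the half- and partial-credit values, the treatment of a missing Last-Modified header and the sample policy are assumptions. To show what "in the context of how user data is used" can mean in practice, the two disclosure checks require the keyword and a data-handling phrase in the same sentence rather than anywhere in the document.

```javascript
// Added example, not PrivacyGrader's own code. Scores the Privacy policy dimension
// from the fetched text and its Last-Modified header, then runs the AI training and
// hosting region disclosure checks. The 1500-character and 3-year thresholds are the
// rubric's; the keyword lists, half-credit values and sample policy are assumptions.
// The two disclosure checks require the keyword and a data-handling phrase in the
// same sentence, so "We use AI to detect fraud" does not count as a training disclosure.

const MIN_POLICY_CHARS = 1500;
const MAX_POLICY_AGE_MS = 3 * 365 * 24 * 60 * 60 * 1000;

// Privacy policy, 8 points. A missing or unparseable Last-Modified is treated as
// "not updated within 3 years" (assumption).
function scorePrivacyPolicy({ found, text, lastModified, now = new Date() }) {
  if (!found || typeof text !== 'string') return { band: 'fail', points: 0 };
  const longEnough = text.length >= MIN_POLICY_CHARS;
  const modified = lastModified ? new Date(lastModified) : null;
  const fresh = modified !== null && !Number.isNaN(modified.getTime())
    && now.getTime() - modified.getTime() <= MAX_POLICY_AGE_MS;
  if (longEnough && fresh) return { band: 'pass', points: 8, longEnough, fresh };
  return { band: 'partial', points: 4, longEnough, fresh };
}

const sentencesOf = text => text.split(/(?<=[.!?])\s+/).map(s => s.trim()).filter(Boolean);

const AI_RE = /artificial intelligence|machine[- ]learning|\bAI\b|large language models?|model training|\btrain(?:ing)?\s+(?:our\s+|its\s+|the\s+)?models?\b/i;
const DATA_USE_RE = /\b(your|personal|user|customer)\s+(data|information|content)\b|\bhow we use\b/i;
const STORAGE_RE = /\b(stored|hosted|processed|data cent(?:er|re)s?|servers?\s+located)\b/i;
const REGION_RE = /\b(united states|usa|european union|eu|eea|united kingdom|germany|ireland|frankfurt|virginia|singapore|australia|canada|india|japan)\b|\bu\.s\./i;

// AI training disclosure, 5 points: AI wording and a data-use phrase in one sentence.
function disclosesAiTraining(policyText) {
  return sentencesOf(policyText).some(s => AI_RE.test(s) && DATA_USE_RE.test(s));
}

// Hosting region disclosure, 5 points: storage/processing wording plus a region in one sentence.
function disclosesHostingRegion(policyText) {
  return sentencesOf(policyText).some(s => STORAGE_RE.test(s) && REGION_RE.test(s));
}

// Absence is partial credit in the rubric; 3 of 5 is the assumed value.
const scoreDisclosure = present => (present ? { band: 'pass', points: 5 } : { band: 'partial', points: 3 });

// Constructed policy text, padded past the length threshold.
const POLICY_INTRO = 'We use your personal information to provide and improve the service. '
  + 'We may use customer data to train our machine learning models that power recommendations. '
  + 'Your data is stored on servers located in the European Union and the United States. '
  + 'California residents have rights under the CCPA.';
const POLICY_FILLER = ' This sentence stands in for the remaining sections of a realistic policy.'.repeat(25);
const SAMPLE_POLICY = POLICY_INTRO + POLICY_FILLER;

console.log(scorePrivacyPolicy({ found: true, text: SAMPLE_POLICY, lastModified: 'Mon, 03 Jun 2024 10:00:00 GMT', now: new Date('2025-01-15T00:00:00Z') }));
console.log(scoreDisclosure(disclosesAiTraining(SAMPLE_POLICY)), scoreDisclosure(disclosesHostingRegion(SAMPLE_POLICY)));
```

The sentence-level pairing cuts down on false positives from marketing copy, but it is still keyword matching: it cannot tell an accurate disclosure from a vague one, which is the limitation the rubric already states for all three checks.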
COPPA check
5 points
Measures
Whether the site appears to collect data from children under 13 without a parental-consent mechanism. Detected from privacy policy language, age gates, and form fields.
Pass
No indicators found (full credit — most sites do not target children)
Partial
n/a
Fail
n/a
Limitations
Detection is conservative. A site targeting children that does not explicitly say so will pass this check and receive full points.
Grade thresholds
Grade   Score range   What it means
A+      95–100        Exceptional. Near-complete compliance signals across all dimensions.
A       88–94         Strong. Minor gaps that are unlikely to attract regulatory attention.
B       78–87         Good. Some areas need attention before an audit or enterprise deal.
C       65–77         Moderate. Multiple areas need work, especially if EU users are involved.
D       50–64         Weak. Significant gaps that increase regulatory and reputational risk.
F       0–49          Critical gaps. Likely violating regulations that apply to the site.
What we cannot measure
Internal workflows: Data retention policies, employee training, incident response plans, or how data is handled in the backend.
Contract compliance: Whether vendor contracts, DPAs, or SCCs are legally adequate.
Functional consent logic: Whether a site actually stops setting cookies when a user rejects (only the banner presence and post-reject network requests are checked).
HIPAA: HIPAA compliance depends on business relationships, contracts, and internal controls that cannot be observed from a public URL scan.
SOC 2 / ISO 27001: Security certification requires audit evidence that is not publicly observable.
Manual WCAG testing: Keyboard navigation, screen reader behaviour, and many colour contrast issues require human testing.
Authenticated areas: The scanner only sees public pages. Login-gated content, account settings, and data deletion flows are not tested.
Result freshness
Each scan is a fresh check at the time of submission. Reports are served from cache for up to 5 minutes for subsequent lookups of the same URL. Submitting a URL again will trigger a new scan once the cache expires. Historical reports remain accessible at their permalink indefinitely.
Corrections and feedback
If you believe a finding is a false positive or that the rubric is incorrect, please contact us with the report URL and a description of the issue. We review all substantiated correction requests and update the methodology documentation when the rubric changes.
Not legal advice. PrivacyGrader and this methodology document are for informational purposes only and do not constitute legal advice. Consult a qualified attorney or compliance professional for guidance specific to your situation.