Understanding the Gretel Score: How We Measure Cookie Compliance

Gretelfy Team | February 3, 2026 | 10 min read

Tags: Gretel Score, methodology, compliance, scoring, metrics

The Gretel Score is Gretelfy's 0-100 compliance rating that instantly tells you how well your website respects user consent before setting cookies or firing tracking scripts. But what exactly goes into that number?

This guide explains our methodology, what we measure, and how to interpret your score.

What the Gretel Score Measures

The Gretel Score specifically measures pre-consent compliance: what happens on your website before a user interacts with any consent mechanism.

When we scan your site, we:

  1. Visit in a completely fresh browser session (no cookies, no history)
  2. Capture everything that happens during initial page load
  3. Do NOT click any buttons or interact with consent banners
  4. Record all cookies set and scripts fired

This simulates what regulators look for: evidence of tracking that begins before users have a chance to consent or reject.

The Scoring Philosophy

Conservative by Design

Our scoring is intentionally conservative. Why?

  • Regulatory alignment: We measure what regulators actually fine for
  • Clear guidance: A passing score should mean genuine compliance
  • False negative prevention: We'd rather flag a potential issue than miss one

A high Gretel Score isn't just a number—it's confidence that your site would pass regulatory scrutiny.

Violation-Based Deduction

The Gretel Score uses a violation-based model:

  • Start with 100 points (perfect compliance)
  • Deduct points for each pre-consent violation
  • Add bonuses for positive compliance indicators
  • Floor at 0 (scores can't go negative)

How the Score Is Calculated

Step 1: Categorize Cookies

We categorize every cookie and script detected before consent:

Necessary (No penalty) These cookies are required for basic site functionality:

  • Session cookies (_session_id, PHPSESSID)
  • CSRF protection tokens
  • Shopping cart cookies
  • Authentication tokens
  • Security cookies (Cloudflare __cf_bm, etc.)

Functional (Low penalty) These enhance user experience but aren't strictly required:

  • Language preferences
  • Theme/display preferences
  • Currency settings

Analytics (Medium penalty) These track user behavior for analytics:

  • Google Analytics (_ga, _gid)
  • Mixpanel, Amplitude cookies
  • Hotjar, Crazy Egg session cookies

Marketing (High penalty) These enable advertising and cross-site tracking:

  • Facebook Pixel (_fbp)
  • Google Ads (_gcl_au, _gcl_aw)
  • LinkedIn Insight Tag
  • TikTok, Twitter tracking

Unknown (Medium penalty) Cookies we can't classify receive medium penalties—we assume they may require consent.

Step 2: Calculate Violation Points

Each pre-consent violation deducts points based on severity:

Category     Base Points Deducted
Necessary    0
Functional   2-3 per cookie
Analytics    4-6 per cookie
Marketing    8-12 per cookie
Unknown      5 per cookie

Why a range? Specific cookies within categories may have different risk levels based on their vendor, persistence, and cross-site tracking capabilities.

Step 3: Apply Diminishing Returns

To prevent a single runaway vendor from dominating the score, we apply diminishing returns:

  • The 1st marketing cookie might cost 10 points
  • The 2nd costs slightly less
  • The 10th costs significantly less

This ensures the score differentiates between "one violation" (bad) and "many violations" (worse, but not infinitely worse).

Step 4: Add Script Penalties

Beyond cookies, we penalize scripts that fire before consent:

Script Type                          Penalty
Marketing pixel (FB, Google Ads)     3 points
Analytics engine (GA, Hotjar)        2 points
Affiliate/tracking scripts           2.5 points
CRM scripts                          1.5 points

These compound with cookie violations—a script that sets cookies gets penalized for both the script firing AND the cookies it sets.

Step 5: Apply Modifiers

CMP Bonus

  • +10 points if a CMP is detected AND no pre-consent violations exist (perfect setup)
  • +5 points if a CMP is detected but violations still exist (CMP present but imperfect)
  • +0 points if no CMP is detected

Security Bonus

  • +3 points if HTTPS is enforced and the Secure attribute is set on every cookie
  • +1 point if HTTPS is enforced but some cookies lack the Secure attribute
  • -5 points if the site is served over plain HTTP or presents an invalid TLS certificate (Example 3 below applies this penalty to an HTTP-only site)

Missing CMP Penalty

  • -15 points if no CMP is detected AND multiple high-severity violations exist

Step 6: Calculate Final Score

Gretel Score = 100 - Violation Points - Script Penalties + CMP Bonus + Security Bonus - Missing CMP Penalty

The Security Bonus is negative (-5) when HTTPS is missing or the certificate is invalid. The result is then clamped to the range 0 (minimum) to 100 (maximum).

Score Interpretation

Rating Tiers

Score    Rating    Indicator    Meaning
80-100   Pass      🟢 Green     Excellent compliance. Site respects consent before tracking.
50-79    Warning   🟡 Yellow    Moderate issues. Site has violations but may have mitigating factors.
0-49     Fail      🔴 Red       Significant violations. High regulatory risk.
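The six steps above and the tier table, carried through end to end in JavaScript as an added example. This is not Gretelfy's scanner or scoring code: the cookie and script patterns, the choice of the low end of each range for session cookies and the high end for persistent ones, the geometric diminishing-returns curve (factor 0.85), treating plain HTTP the same as an invalid certificate, and reading "multiple" high-severity violations as two or more are all assumptions made for this example. The three scans at the bottom are constructed pre-consent captures, not real scan output.

```javascript
"use strict";

// Per-category deduction ranges from the Step 2 table. Taking the low end for
// session cookies and the high end for persistent ones is our assumption.
const CATEGORY_POINTS = {
  necessary: [0, 0],
  functional: [2, 3],
  analytics: [4, 6],
  marketing: [8, 12],
  unknown: [5, 5],
};

// Step 1: cookie-name patterns. The names come from the post; the regexes
// and the set of vendors covered are assumptions for this example.
const COOKIE_RULES = [
  ["necessary", /^(_session_id|PHPSESSID|csrftoken|XSRF-TOKEN|cart|__cf_bm)$/i],
  ["functional", /^(lang|locale|theme|currency)$/i],
  ["analytics", /^(_ga|_ga_[A-Z0-9]+|_gid|mp_.+|amplitude_.+|_hj.+)$/],
  ["marketing", /^(_fbp|_fbc|_gcl_au|_gcl_aw|li_fat_id|_ttp|_tt_enable_cookie)$/],
];

// Step 4: script-host patterns (assumed) with the penalties from the Step 4 table.
const SCRIPT_RULES = [
  ["marketing", /connect\.facebook\.net|googleads\.g\.doubleclick\.net|snap\.licdn\.com|analytics\.tiktok\.com/, 3],
  ["analytics", /google-analytics\.com|googletagmanager\.com\/gtag|static\.hotjar\.com|script\.crazyegg\.com/, 2],
  ["affiliate", /shareasale\.com|impact\.com|cj\.com/, 2.5],
  ["crm", /js\.hs-scripts\.com|widget\.intercom\.io/, 1.5],
];

// Step 3: the n-th violation within a category costs base * DECAY^(n-1).
// A geometric curve is our choice; the post only says "slightly less", then "significantly less".
const DECAY = 0.85;

function classifyCookie(name) {
  const hit = COOKIE_RULES.find(([, re]) => re.test(name));
  return hit ? hit[0] : "unknown";
}

function classifyScript(url) {
  const hit = SCRIPT_RULES.find(([, re]) => re.test(url));
  return hit ? { type: hit[0], penalty: hit[2] } : null;
}

// Rating tiers from the table above.
function rate(score) {
  if (score >= 80) return "pass";
  if (score >= 50) return "warning";
  return "fail";
}

// scan = { https, certValid, cmpDetected, cookies: [{ name, secure, persistent }], scripts: [url] }
function scoreScan(scan) {
  const b = { cookieDeductions: 0, scriptPenalties: 0, cmpBonus: 0, security: 0, missingCmpPenalty: 0, violations: [] };
  const seen = {};

  for (const c of scan.cookies) {
    const category = classifyCookie(c.name);
    const [low, high] = CATEGORY_POINTS[category];
    const base = c.persistent ? high : low;
    if (base === 0) continue; // necessary cookies never cost points
    seen[category] = (seen[category] || 0) + 1;
    const cost = base * Math.pow(DECAY, seen[category] - 1);
    b.cookieDeductions += cost;
    b.violations.push({ kind: "cookie", name: c.name, category, cost });
  }

  // Scripts are penalised on top of any cookies they set (Step 4).
  for (const url of scan.scripts) {
    const s = classifyScript(url);
    if (!s) continue;
    b.scriptPenalties += s.penalty;
    b.violations.push({ kind: "script", name: url, category: s.type, cost: s.penalty });
  }

  // Step 5 modifiers.
  const hasViolations = b.violations.length > 0;
  b.cmpBonus = scan.cmpDetected ? (hasViolations ? 5 : 10) : 0;
  if (!scan.https || !scan.certValid) {
    b.security = -5; // plain HTTP treated like an invalid certificate, as in Example 3
  } else {
    b.security = scan.cookies.every((c) => c.secure) ? 3 : 1;
  }
  const highSeverity = b.violations.filter((v) => v.category === "marketing").length;
  if (!scan.cmpDetected && highSeverity >= 2) b.missingCmpPenalty = -15; // "multiple" read as 2+

  // Step 6: combine and clamp to 0..100.
  const raw = 100 - b.cookieDeductions - b.scriptPenalties + b.cmpBonus + b.security + b.missingCmpPenalty;
  const score = Math.round(Math.min(100, Math.max(0, raw)));
  return { score, rating: rate(score), breakdown: b };
}

// Constructed pre-consent captures (not real scan output).
const SAMPLE_SCANS = {
  clean: { https: true, certValid: true, cmpDetected: true,
    cookies: [{ name: "PHPSESSID", secure: true, persistent: false }, { name: "csrftoken", secure: true, persistent: false }, { name: "__cf_bm", secure: true, persistent: true }],
    scripts: ["https://cdn.example.com/app.js"] },
  leaky: { https: true, certValid: true, cmpDetected: true,
    cookies: [{ name: "PHPSESSID", secure: true, persistent: false }, { name: "_fbp", secure: true, persistent: true }, { name: "_gcl_au", secure: true, persistent: true }, { name: "_ga", secure: true, persistent: true }],
    scripts: ["https://connect.facebook.net/en_US/fbevents.js", "https://www.google-analytics.com/analytics.js"] },
  noCmp: { https: false, certValid: false, cmpDetected: false,
    cookies: [{ name: "PHPSESSID", secure: false, persistent: false }, { name: "_fbp", secure: false, persistent: true }, { name: "_gcl_au", secure: false, persistent: true }, { name: "_ga", secure: false, persistent: true }, { name: "zx_tracker", secure: false, persistent: true }],
    scripts: ["https://connect.facebook.net/en_US/fbevents.js", "https://www.google-analytics.com/analytics.js", "https://js.hs-scripts.com/123456.js"] },
};

for (const [name, scan] of Object.entries(SAMPLE_SCANS)) {
  const r = scoreScan(scan);
  console.log(name, r.score, r.rating, r.breakdown.violations.map((v) => v.name).join(", "));
}
```

Run it with node: the clean capture scores 100 (pass), the site with a CMP that still lets the Facebook Pixel, Google Ads and GA cookies through scores 75 (warning), and the HTTP-only site with no CMP scores 40 (fail). The breakdown object is what you would surface beside the score so a site owner can see which cookie or script cost what; the two marketing cookies in the last capture cost 12 and 10.2 rather than 12 and 12, which is the diminishing-returns step doing its job.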

What Each Range Means

80-100 (Pass) Your site demonstrates strong pre-consent compliance. Tracking technologies wait for user consent. If a CMP is present, it's working correctly. You can confidently say your site respects user privacy choices.

Action: Maintain current practices. Set up monitoring to catch any regression.

50-79 (Warning) Your site has pre-consent violations, but they may be limited in scope. Perhaps you have analytics firing early but no marketing cookies, or you have a CMP that's partially configured. There's room for improvement before regulatory action becomes likely.

Action: Review specific violations. Prioritize marketing cookies first, then analytics. Consider whether your CMP configuration needs adjustment.

0-49 (Fail) Your site has significant pre-consent violations that pose real regulatory risk. Multiple marketing cookies, analytics, or lack of any consent mechanism puts you in the danger zone. This is the range where regulatory attention becomes likely.

Action: Immediate remediation needed. Implement a CMP if absent, or fix existing CMP configuration. Block all non-necessary cookies until consent.

Score Examples

Example 1: Score 95 (Excellent)

Detected: 2 necessary cookies (session, CSRF), CMP present (Cookiebot), no pre-consent violations, HTTPS enforced

Calculation:

  • Base: 100
  • Violations: 0
  • CMP bonus: +10 (perfect)
  • Security: +3
  • Total: 113 → capped at 100

Result: 95. The itemized steps reach the 100 cap; the reported score is a few points lower because of minor technical factors that are not itemized in this breakdown.

Example 2: Score 72 (Warning)

Detected: Session cookies, 2 pre-consent analytics cookies (_ga, _gid), CMP present but misconfigured, HTTPS enforced

Calculation:

  • Base: 100
  • Analytics violations: ~10 points
  • CMP bonus: +5 (present but ineffective)
  • Security: +3
  • Adjustments: further deductions for the CMP misconfiguration (not itemized here)
  • Total: ~72

Result: 72 - CMP is there but needs configuration fixes

Example 3: Score 15 (Critical Fail)

Detected: 8 marketing cookies, 12 pre-consent scripts, no CMP, HTTP (no HTTPS)

Calculation:

  • Base: 100
  • Marketing violations: ~60 points
  • Script penalties: ~25 points
  • No CMP penalty: -15
  • No HTTPS: -5
  • Total (using the rough figures above): below 0 → would floor at 0

Result: 15. The approximate figures above sum to below zero; the reported score is higher because the marketing and script deductions are estimates and the diminishing-returns step (Step 3) reduces them. Necessary cookies carry no penalty and add no points, so they are not what keeps this score above 0.

Improving Your Score

Quick Wins (10-30 point improvements)

  1. Delay Google Analytics: Configure GA to fire only after consent
  2. Block Facebook Pixel: Add to CMP blocking rules
  3. Remove marketing scripts from theme: Move to tag manager with consent triggers

Medium Effort (20-40 point improvements)

  1. Install and configure a CMP properly: Get the +10 bonus
  2. Audit all third-party scripts: Ensure each is consent-gated
  3. Implement Google Consent Mode: Proper ad/analytics consent handling

Complete Remediation (50+ point improvements)

  1. Full cookie audit and categorization: Know every cookie
  2. Tag manager overhaul: Consent conditions on all tags
  3. Continuous monitoring: Prevent regression
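The quick wins (delay GA, block the Facebook Pixel, move marketing scripts behind consent triggers) and the Consent Mode item all reduce to one mechanism: nothing that sets a non-necessary cookie may run until the user's choice is known. The block below is an added example in JavaScript, not Gretelfy's code and not a CMP vendor's SDK. The gtag('consent', 'default' | 'update', ...) calls and the storage types ad_storage, analytics_storage, ad_user_data and ad_personalization are Google's documented Consent Mode interface; the registerTag/applyConsent registry around them, the tag names, the G-EXAMPLE measurement ID and the consent choices passed in are our own illustration, standing in for what a real CMP's callback would supply.

```javascript
"use strict";

// Google's snippet defines gtag() as a push onto dataLayer; we keep the same
// shape so the calls can be inspected under Node without a browser.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// 1. Declare every storage type denied BEFORE any tag script is loaded.
//    In a real page this runs first in <head>, ahead of the gtag.js / GTM loader.
function setConsentDefaults() {
  gtag("consent", "default", {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
    wait_for_update: 500, // ms to hold tags while the CMP restores a stored choice
  });
}

// 2. Tags register under a consent category instead of firing at page load.
const pendingTags = { analytics: [], marketing: [] };
const loaded = [];

function registerTag(category, name, load) {
  pendingTags[category].push({ name, load });
}

// Injects a third-party script in a browser; under Node it only records the
// URL so the gating logic can be exercised offline.
function injectScript(src) {
  loaded.push(src);
  if (typeof document !== "undefined") {
    const s = document.createElement("script");
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  }
}

// 3. The CMP calls this with the user's choice. Only now do we update Consent
//    Mode and run the loaders for granted categories; denied ones stay queued
//    so a later "accept" can still fire them.
function applyConsent(choice) {
  gtag("consent", "update", {
    analytics_storage: choice.analytics ? "granted" : "denied",
    ad_storage: choice.marketing ? "granted" : "denied",
    ad_user_data: choice.marketing ? "granted" : "denied",
    ad_personalization: choice.marketing ? "granted" : "denied",
  });
  const fired = [];
  for (const category of Object.keys(pendingTags)) {
    if (!choice[category]) continue;
    for (const tag of pendingTags[category].splice(0)) {
      tag.load();
      fired.push(tag.name);
    }
  }
  return fired;
}

// What a pre-consent scan would observe: the list must stay empty until applyConsent().
function loadedBeforeConsent() { return loaded.slice(); }

// Wiring: defaults first, then register the tags that used to fire at load.
setConsentDefaults();
registerTag("analytics", "ga4", () => injectScript("https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"));
registerTag("marketing", "facebook-pixel", () => injectScript("https://connect.facebook.net/en_US/fbevents.js"));
```

Loading the page runs setConsentDefaults() and registers both tags without fetching anything, which is the state a fresh-session scan sees: no gtag.js request, no _ga or _fbp cookie. Consent Mode on its own only governs Google's tags, and if gtag.js is still loaded unconditionally the script request itself is visible pre-consent, so the loader is queued as well. The Facebook Pixel never reads the Google consent signal, which is why it must be gated by the registry (or by the CMP's script-blocking rules) rather than by Consent Mode.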

Score Limitations

We believe in transparency about what our score can and cannot tell you:

What the Gretel Score Measures Well

  • Pre-consent cookie violations
  • Pre-consent script firing
  • CMP presence and basic effectiveness
  • Security basics (HTTPS)

What the Gretel Score Doesn't Measure

  • Cookie policy accuracy
  • Consent banner UX/dark patterns
  • Data processing beyond cookies
  • Server-side tracking
  • Post-consent behavior

The Gretel Score is one component of comprehensive compliance—a critical component, but not the complete picture.

Using Your Score Effectively

For Website Owners

Your Gretel Score is your compliance pulse:

  • Track over time: Score drops indicate problems
  • Set thresholds: Alert your team if score falls below 80
  • Document for audits: Historical scores demonstrate compliance efforts

For Agencies

Use Gretel Scores to:

  • Benchmark clients: Compare compliance across your portfolio
  • Demonstrate value: Show score improvements from your work
  • Identify opportunities: Low-scoring prospects need your help

For Privacy Officers

The Gretel Score provides:

  • Objective measurement: Not dependent on vendor self-reporting
  • Audit evidence: Independent verification of CMP effectiveness
  • Continuous monitoring: Ongoing compliance assurance

Get Your Score

Ready to see where your website stands?

Get your Gretel Score →

Enter your URL, get your score in 30 seconds, and see exactly what's affecting your compliance rating. No signup required for your first scan.


The Crumb Trail is Gretelfy's blog about cookie compliance, privacy regulations, and building trust with your website visitors. Subscribe for weekly insights.
