This factor is part of Web Quality, the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
Base weight: 0.6 (applied to every site type unless overridden below)
Why this weight: Cookie scan: actual cookies set on first load (vs declared in policy).
Per-site-type overrides

Site type           Weight   Δ vs base
E-commerce          0.8      +0.2
News / Publisher    0.9      +0.3
Personal site       0.2      -0.4
Media / Streaming   0.9      +0.3

Site types not listed inherit the base weight.
Same factor, two depths.
What this means for your business
Tools like Facebook Pixel and Google Ads quietly set tracking cookies the moment someone lands — often before they've agreed to anything. Under European and California law, that gap between landing and consent is what triggers fines.
Plain title: What your site actually drops on visitors' phones
What we measure
Many sites set tracking cookies before the visitor accepts the banner. That's a GDPR violation — under the law, no non-essential cookies can be set until the visitor opts in.
How to improve your score
Configure your CMP to block analytics, ad, and marketing cookies until consent is granted. Most CMPs offer this as a one-toggle setting.
Facts
Ticket: WEBQ-51
Category: Privacy & Compliance
Status: live
Weight: 0.7%
Data source: —
Service cost: Free — headless browser visit
Scoring impl: implemented
Method version: v1.2.0
Implementation notes
Headless Chromium visit, log all `Set-Cookie` headers received before any user interaction.
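As an added example (not the scoring engine's own code), this is the classification step that would run over the `Set-Cookie` headers such a visit logs before any interaction: it separates consent-state and session cookies from tracking and third-party ones, compares the names against what the privacy policy declares, and maps the result to pass/warn/fail. The tracking-cookie name list, the pass/warn/fail rule and the declared set are assumptions, and the captured headers are constructed.

```python
# Added example, not the scoring engine's code. Tracking-cookie names, the
# pass/warn/fail rule and the "declared" set are assumptions; capture is constructed.
TRACKING_NAMES = {"_fbp", "_fbc", "_ga", "_gid", "_gcl_au", "IDE", "test_cookie"}
CONSENT_STATE = {"CookieConsent", "cookieconsent_status", "euconsent-v2"}  # banner state

def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return {"name": name.strip(), "value": value, "attrs": attrs}

def is_third_party(cookie, page_host):
    """True when the Domain attribute is neither the page host nor a parent of it."""
    domain = cookie["attrs"].get("domain", page_host).lstrip(".")
    return page_host != domain and not page_host.endswith("." + domain)

def classify(cookie, page_host):
    """essential | tracking | unknown (first-party persistent cookie of unstated purpose)."""
    if cookie["name"] in CONSENT_STATE:
        return "essential"            # the banner needs this to remember the choice
    if cookie["name"] in TRACKING_NAMES or is_third_party(cookie, page_host):
        return "tracking"
    persistent = "max-age" in cookie["attrs"] or "expires" in cookie["attrs"]
    return "unknown" if persistent else "essential"   # plain session cookie

def scan(headers, page_host, declared):
    """Bucket the pre-interaction cookies and map the result to pass / warn / fail."""
    cookies = [parse_set_cookie(h) for h in headers]
    buckets = {"essential": [], "tracking": [], "unknown": []}
    for c in cookies:
        buckets[classify(c, page_host)].append(c["name"])
    undeclared = sorted({c["name"] for c in cookies} - set(declared))
    if buckets["tracking"]:
        verdict = "fail"              # non-essential cookie dropped before opt-in
    elif buckets["unknown"] or undeclared:
        verdict = "warn"              # needs a human look or a policy update
    else:
        verdict = "pass"
    return {"verdict": verdict, "undeclared": undeclared, **buckets}

# Constructed capture for www.example.com: every header arrived before any interaction
CAPTURED = [
    "PHPSESSID=abc123; Path=/; HttpOnly; SameSite=Lax",
    "CookieConsent=pending; Path=/; Max-Age=31536000",
    "_fbp=fb.1.1700000000000.123456; Domain=.example.com; Max-Age=7776000; Path=/",
    "IDE=AHWqTUk; Domain=.doubleclick.net; Path=/; Secure; SameSite=None",
]
DECLARED = {"PHPSESSID", "CookieConsent"}   # names the privacy policy lists (constructed)
```

Running `scan(CAPTURED, "www.example.com", DECLARED)` on the constructed capture yields a `fail`, because `_fbp` and the third-party `IDE` cookie arrived before opt-in; the same visit without those two headers passes.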
Scoring
Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite; see the methodology index for the full table.
Cited by these standards
Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.
Australian Privacy Act + APPs (Privacy, AU): Australia's federal privacy law, anchored on the 13 Australian Privacy Principles. The 2024 reforms added a statutory tort for serious privacy invasions and direct OAIC penalty powers.
CCPA / CPRA (Privacy, US): California's privacy law. The visible signal is the 'Do Not Sell or Share My Personal Information' link in your footer.
Colorado Privacy Act (Privacy, US): Colorado's CCPA-shaped privacy law, with a hard requirement to honour Universal Opt-Out Mechanisms like Global Privacy Control as of July 2024.
Connecticut Data Privacy Act (Privacy, US): Connecticut's CCPA-shaped privacy law. Like Colorado, recognises Global Privacy Control as a valid opt-out signal — and the AG has been actively issuing cure notices since 2023.
Cookie consent baseline (Privacy, global): If you set non-essential cookies before the user explicitly opts in, you're failing the standard most regulators now enforce.
COPPA (Privacy, US): If your site is directed at U.S. children under 13 — or you knowingly collect from them — you need verifiable parental consent before any data collection. The 2025 amendments tightened this further around third-party advertising.
EU ePrivacy Regulation (withdrawn) (Privacy, EU): The proposed regulation that would have replaced the 2002 ePrivacy Directive. After eight years stuck in negotiation, the European Commission formally withdrew the proposal in 2025 — so the old Directive (and the cookie-consent baseline it underpins) remains the operative law.
GDPR (Privacy, EU): If a single EU resident can see your site, GDPR can apply. Cookie consent, a real privacy policy, and not silently tracking by default are the visible signs of compliance.
HIPAA (Privacy, US): If your site collects, displays, or transmits protected health information, HIPAA applies. A privacy policy plus an explicit Notice of Privacy Practices and a clear consent flow are the minimum visible signals.
LGPD (Privacy, OTHER): Brazil's GDPR analogue. If you serve Brazilian residents, treat it like GDPR-lite: lawful basis, consent for cookies, a real privacy policy, and ANPD-shaped data subject rights.
Oregon Consumer Privacy Act (Privacy, US): Oregon's CCPA-shaped privacy law. Distinctive for explicitly covering nonprofits (after a one-year delay) and for a specific right to know which third parties received your data.
PIPEDA (Privacy, CA): Canada's federal privacy law for commercial activity. Built around 10 fair information principles — meaningful consent, accountability, and the right to access your data.
POPIA (Privacy, OTHER): South Africa's GDPR analogue. Eight conditions for lawful processing, a real privacy notice, and an Information Officer registered with the Regulator.
Quebec Law 25 (Privacy, CA): Quebec's modernised privacy law — stricter than PIPEDA and the rest of Canada. Mandatory privacy officer, granular consent, data portability, and a right to algorithmic transparency.
Texas Data Privacy and Security Act (Privacy, US): Texas's CCPA-shaped privacy law. Notable for ditching the consumer-count threshold — almost any business doing business in Texas is in scope, except small businesses as defined by the SBA.
Utah Consumer Privacy Act (Privacy, US): Utah's CCPA-shaped privacy law, the most business-friendly of the bunch. Higher revenue threshold, no UOOM requirement (yet), and a permanent 30-day cure period.
Virginia CDPA (Privacy, US): Virginia's CCPA-shaped privacy law. Applies if you process the data of 100K+ Virginia residents (or 25K+ if you derive 50%+ revenue from selling data). No private right of action — Virginia AG enforces.