Methodology

How signal coverage is measured

Every scanned website receives a 0–100 signal coverage score. It reflects which public trust signals PolicyGen could observe — privacy policies, cookie disclosures, tracking transparency, and access reliability. Higher coverage means more signals are visibly present, not that the site is legally compliant.

Scoring model v2.1 — Updated May 2026

Signal coverage bands

  • 90–100%: Full coverage
  • 75–89%: Strong coverage
  • 60–74%: Partial coverage
  • 45–59%: Limited coverage
  • 0–44%: Low coverage

01
Legal Foundations
Do the required legal pages exist and hold up?
Weight: 40% of coverage score

The first thing any visitor, regulator, or browser should be able to find on your site is where you explain how you handle their data. This pillar checks whether that foundation exists, whether the policies are substantial (not stub pages), and whether they address the privacy laws relevant to where your visitors come from.

  • Privacy Policy present & substantial
    Policy must be publicly linked and contain enough content to be meaningful. Stub pages under ~200 words count as partial credit only.
    −30 if missing
  • Terms of Service present
    A publicly accessible Terms page establishes the rules of engagement for your service. Absence is a strong signal of incomplete legal setup.
    −20 if missing
  • Policy last-updated date visible
    A visible effective or last-updated date signals that the policy is actively maintained, not a forgotten placeholder from the site's launch.
    Credit if present
  • Regional compliance language (GDPR / CCPA)
    When a site shows signals of serving EU or California visitors, the policy is checked for corresponding regulatory language. Only applied when triggered.
    Conditional

02
Tracking Governance
Are trackers disclosed to visitors before they fire?
Weight: 25% of coverage score

A site can have a perfect Privacy Policy and still score poorly here. If tracking scripts are present — analytics, ad pixels, tag managers — visitors need to be told before data collection happens. This pillar checks whether disclosure mechanisms (cookie banners, consent notices) are in place to match what the scripts are doing.

  • Tracking scripts present without a cookie notice
    If analytics, Meta Pixel, Google Tag Manager, TikTok Pixel, or similar scripts fire on page load with no visible consent mechanism, this is flagged as a significant gap.
    −20 if triggered
  • Third-party scripts present without a Privacy Policy
    Any third-party script loading means data is potentially leaving the site. Without a Privacy Policy disclosing this, the site cannot claim informed consent.
    −10 if triggered
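
The two Tracking Governance checks above, as an added example that is not PolicyGen's own code: a static pass over a page's initial HTML that lists known tracker scripts and applies the −20 and −10 deductions. The tracker host map, the id/class consent markers, the "privacy" link test and the sample pages are assumptions; a static pass cannot tell whether a script fires before consent, only that it is present without a notice.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host-to-tracker map (illustrative, not PolicyGen's list).
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "analytics.tiktok.com": "TikTok Pixel",
}
CONSENT_MARKERS = ("cookie", "consent")  # assumed id/class hints of a banner

class _Signals(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.trackers, self.third_party = set(), set()
        self.notice = self.policy_link = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.site_host:  # relative src has no host
                self.third_party.add(host)
                if host in TRACKER_HOSTS:
                    self.trackers.add(TRACKER_HOSTS[host])
        elif tag == "a" and "privacy" in a.get("href", "").lower():
            self.policy_link = True
        marks = (a.get("id", "") + " " + a.get("class", "")).lower()
        if any(m in marks for m in CONSENT_MARKERS):
            self.notice = True

def tracking_gaps(html, site_host):
    s = _Signals(site_host)
    s.feed(html)
    findings = []
    if s.trackers and not s.notice:
        findings.append(("tracking scripts without a cookie notice", -20))
    if s.third_party and not s.policy_link:
        findings.append(("third-party scripts without a Privacy Policy", -10))
    return sorted(s.trackers), findings

# Constructed sample pages (not real sites).
PAGE_GAP = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body><a href="/terms">Terms</a></body></html>"""
PAGE_OK = PAGE_GAP.replace("<body>", '<body><div id="cookie-banner"></div>'
                           '<a href="/privacy">Privacy</a>')
```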

03
Data Collection Hygiene
When you collect data, do you explain it?
Weight: 20% of coverage score

Contact forms, newsletter sign-ups, and login pages all collect personal data. This pillar checks whether sites that collect data through visible mechanisms have corresponding disclosures in place — not just for compliance, but as a basic signal of trustworthiness to the person filling the form.

  • Contact form present, no Privacy Policy linked
    A form collects personal data (name, email, message). Without a Privacy Policy, the visitor has no way to know what happens to that information.
    −10 if triggered
  • Third-party services used without policy disclosure
    Embedding third-party services (CRMs, live chat, payment processors) implies data sharing. The Privacy Policy should acknowledge this. Absence is flagged.
    −10 if triggered

04
Access & Reliability
Can visitors and crawlers actually reach the policies?
Weight: 15% of coverage score

A policy that exists but can't be reached is worse than no policy at all — it gives the appearance of compliance without the substance. This pillar checks whether policy links resolve correctly and whether search engines are being blocked from indexing the very pages that should be publicly visible.

  • Broken policy links detected
    Policy links that return 4xx errors or redirect to unrelated pages are flagged. A link that appears to exist but leads nowhere is actively misleading.
    −15 if triggered
  • robots.txt blocks policy pages from search engines
    Blocking crawlers from indexing /privacy or /terms undermines transparency. Legitimate legal pages should be publicly discoverable, not hidden from search.
    −10 if triggered
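
One way to run the two Access & Reliability checks offline, as an added example that is not PolicyGen's own code. It assumes link results were already collected as (href, status, final URL) tuples, treats a redirect whose final path no longer contains "privacy" or "terms" as "unrelated", and tests robots.txt for Googlebot and the wildcard agent; the sample robots.txt and observations are constructed.

```python
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

POLICY_PATHS = ("/privacy", "/terms")  # the paths named in the check above

def blocked_policy_paths(robots_txt, agents=("Googlebot", "*")):
    """Policy paths that at least one of the given crawlers may not fetch."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return [p for p in POLICY_PATHS
            if any(not rp.can_fetch(agent, p) for agent in agents)]

def broken_policy_links(observations):
    """observations: (href, http_status, final_url) per policy link."""
    broken = []
    for href, status, final_url in observations:
        keyword = "privacy" if "privacy" in href.lower() else "terms"
        final_path = urlparse(final_url).path.lower() or "/"
        if 400 <= status < 500:
            broken.append((href, f"HTTP {status}"))
        elif keyword not in final_path:  # assumed test for "unrelated page"
            broken.append((href, f"redirected to {final_path}"))
    return broken

def access_findings(robots_txt, observations):
    findings = []
    if broken_policy_links(observations):
        findings.append(("broken policy links", -15))
    if blocked_policy_paths(robots_txt):
        findings.append(("robots.txt blocks policy pages", -10))
    return findings

# Constructed inputs (not taken from a real site).
ROBOTS_BLOCKING = "User-agent: *\nDisallow: /admin/\nDisallow: /privacy\n"
OBSERVED = [
    ("/privacy", 200, "https://shop.example/privacy"),
    ("/terms", 404, "https://shop.example/terms"),
    ("/terms-of-service", 200, "https://shop.example/"),
]
```

Python's robots.txt parser matches rules by path prefix, so `Disallow: /privacy` also blocks `/privacy-policy`.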

What this scan does not cover

PolicyGen scans publicly accessible pages — the HTML source, linked policy documents, and visible scripts at page load. It cannot inspect server-side behavior, database practices, login-only sections, or JavaScript-rendered content that isn't present in the initial page load.

The score reflects visible trust signals at a point in time. Sites change — a passing score today does not guarantee a passing score after a theme update, a new plugin, or a third-party campaign script being added.

This is not legal advice. A high Trust Signal Score is not a compliance certification. Regulatory compliance requires human legal review. PolicyGen surfaces visible signals to help prioritize attention — it does not replace counsel.
