You just scanned your website. The results came back:

PolicyGen Compliance Index: 73/100
PCI-C • Medium Risk

Okay... but what does that actually mean? Is 73 good? Bad? Should you panic? Drop everything and fix it right now?

Let's break down what PCI scores tell you, what they don't, and what to actually do with them.

What Is the PolicyGen Compliance Index?

The PolicyGen Compliance Index (PCI) is a 0-100 rating that measures how well your website meets baseline privacy and legal disclosure requirements. Note that "PCI" here is PolicyGen's own index, not the Payment Card Industry Data Security Standard (PCI DSS), which this score does not assess at all.

Think of it like a credit score for your website's compliance documentation. It doesn't tell you everything, but it's a reliable indicator of where you stand.

What PCI measures:

  • Presence of core policies (Privacy Policy, Terms of Service, Cookie Notice)
  • Accessibility and functionality (no broken links, policies load correctly)
  • Coverage of key regulations (GDPR, CCPA mentions)
  • Quality signals (last-updated dates, contact information)

What PCI doesn't measure:

  • Whether your policies are legally accurate (we're not lawyers)
  • Whether you actually follow what your policies say
  • Your internal security practices or data handling
  • Compliance with industry-specific regulations (HIPAA, PCI-DSS, etc.)

PCI is a starting point, not a guarantee

A high score means you have the documentation foundations in place. A low score means gaps that need fixing. Neither replaces legal review or proper data handling practices.

Understanding Score Ranges

PCI scores come with letter grades (A through F) and risk ratings. Here's what each range means:

Score Range   Grade   What It Means
90-100        PCI-A   Excellent. All policies present, accessible, comprehensive coverage.
80-89         PCI-B   Very Good. Strong foundation with minor optional items missing.
70-79         PCI-C   Good. Core policies in place, some gaps to address.
60-69         PCI-D   Fair. Missing key policies, or significant gaps in the ones you have.
Below 60      PCI-F   Poor. Critical compliance gaps requiring immediate attention.

PCI-A (90-100): Ready for Enterprise

You've got everything: Privacy Policy, Terms of Service, Cookie Notice, GDPR/CCPA disclosures, contact information, updated dates. No broken links, policies load correctly.

What you can do with this score:

  • Clear the policy and documentation sections of vendor security questionnaires (questions about your actual security controls are a separate matter; see what PCI doesn't measure above)
  • Close enterprise deals with confidence
  • Handle compliance audits without scrambling
  • Demonstrate diligence to investors or acquirers

Next steps: Maintain it. Set calendar reminders to review policies annually. Monitor for regressions (site redesigns can break links).

PCI-B (80-89): Strong Foundation

You have all the essentials. What you're missing is likely optional or industry-specific: maybe you don't have a dedicated cookie policy page, or your Privacy Policy doesn't explicitly mention California residents.

Common gaps at this level:

  • Missing cookie consent banner (not required in all cases)
  • No explicit CCPA opt-out link (only matters if CCPA applies to your business and you serve California residents)
  • Policies don't have last-updated dates
  • Contact form exists but not explicitly labeled for privacy requests

Next steps: Review your scan report. If the missing items apply to your business, add them. If not, you're fine.

PCI-C (70-79): You're Covered, But...

You have Privacy Policy and Terms published, but there are noticeable gaps. Maybe your Privacy Policy doesn't mention GDPR. Maybe you're missing a Cookie Notice entirely.

Real-world impact:

  • B2C sales: Probably fine for now
  • Enterprise sales: Might get flagged during vendor review
  • Regulatory audits: Would pass basic checks, but examiners would note gaps

Next steps: Spend an afternoon filling gaps. Update your Privacy Policy to mention data subject rights. Add a simple cookie banner if you use analytics.

PCI-D (60-69): Action Required

You're missing at least one critical policy, or your existing policies have major problems (broken links, severely outdated, generic template text not customized).

Example scenarios:

  • Privacy Policy present, but Terms of Service returns 404
  • Policies exist but haven't been updated since 2017 (before GDPR took effect in May 2018)
  • Footer links point to /privacy but that URL doesn't work

Risk level: Medium. You could face issues during enterprise sales, customer audits, or if a user files a complaint.

Next steps: Fix within 1-2 weeks. Publish missing policies, repair broken links, update outdated text.

PCI-F (Below 60): Red Alert

Critical gaps. No Privacy Policy, or both Privacy and Terms missing, or all policy links broken.

Why this is high risk:

  • GDPR fines for missing or inadequate privacy disclosures can reach €20 million or 4% of global annual turnover, whichever is higher
  • CCPA civil penalties start at $2,500 per violation ($7,500 per intentional violation)
  • Enterprise customers won't sign contracts without seeing policies
  • Payment processors (Stripe, PayPal) can freeze accounts for policy violations

Next steps: Drop everything and fix this. Generate a Privacy Policy today. Publish it. Add footer links. Run another scan to confirm it worked.

If you're below 70, don't ignore it

Compliance gaps aren't theoretical. Real businesses lose enterprise deals, get audited, face fines, or have payment accounts frozen because of missing policies. Fix it before it costs you.

How PCI Scores Are Calculated

PCI scores are built from dozens of automated checks across several categories:

Policy Presence (40 points)

  • Privacy Policy exists and loads: 20 points
  • Terms of Service exists and loads: 15 points
  • Cookie Notice or consent mechanism: 5 points

Regulatory Coverage (30 points)

  • GDPR disclosures (data subject rights, legal basis): 15 points
  • CCPA disclosures (California rights, opt-out): 10 points
  • International users addressed (if applicable): 5 points

Technical Quality (20 points)

  • No broken links to policies: 10 points
  • Policy pages not blocked from crawlers (robots.txt check; a Disallow rule covering your policy URLs keeps them out of search results): 5 points
  • Contact method for privacy requests: 5 points

Maintenance Signals (10 points)

  • Last-updated dates present: 5 points
  • Policies updated within past 2 years: 3 points
  • Company contact information included: 2 points

The exact weighting varies based on your website's industry, region, and detected technologies (e.g., if you use Google Analytics, cookie disclosures weigh more heavily).
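To make the rubric concrete, here is an added example (my own illustration, not PolicyGen's scanner or any code from the product) that applies the point weights above to a constructed scan result. The weights are the ones listed on this page; everything else is an assumption: the Page and ScanInput structures, how each check is decided (keyword matching for GDPR/CCPA coverage, an email address as the privacy contact, a simplified robots.txt parser), and the fixture site, which is invented. The fixture happens to land on 73 / PCI-C, the score from the opening of this article, from one plausible set of gaps: no Terms page, no California section, no company address.

```python
# Added example, not PolicyGen's code. Applies the published PCI weights to a
# constructed scan. How each check is decided below is an assumption.
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass
class Page:
    path: str
    status: int        # HTTP status seen when the policy URL was fetched
    text: str = ""     # body text; empty when the fetch failed


@dataclass
class ScanInput:
    pages: dict                  # {"privacy": Page, "terms": Page, "cookies": Page}
    footer_links: dict           # {"/privacy": 200, ...}: status of each footer link
    robots_txt: str
    scan_date: date
    consent_banner: bool = False
    international_users: bool = False   # whether the "if applicable" check applies


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DATE_RE = re.compile(r"last updated:?\s*(\d{4}-\d{2}-\d{2}|[A-Za-z]+ \d{4})", re.I)
COMPANY_RE = re.compile(r"\b(Inc\.|LLC|Ltd\.?|GmbH)|\b\d{1,5} [A-Z][a-z]+ (Street|St|Avenue|Ave|Road|Rd)\b")


def loads(page):
    """A policy 'exists and loads' only if it returned 200 with a non-empty body."""
    return page is not None and page.status == 200 and bool(page.text.strip())


def last_updated(text):
    """Parse 'Last Updated: March 2024' or 'Last Updated: 2024-03-01'; None if absent or garbled."""
    m = DATE_RE.search(text)
    if not m:
        return None
    raw = m.group(1)
    for parse in (date.fromisoformat, lambda s: datetime.strptime(s, "%B %Y").date()):
        try:
            return parse(raw)
        except ValueError:
            continue
    return None


def disallowed(robots_txt, path):
    """Simplified robots.txt check: is `path` under a Disallow prefix in the User-agent: * group?"""
    in_wildcard_group = False
    for line in robots_txt.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_wildcard_group = value == "*"
        elif key == "disallow" and in_wildcard_group and value and path.startswith(value):
            return True
    return False


def score(scan):
    """Return {check: points awarded} using the weights from the rubric."""
    priv, terms, cookies = (scan.pages.get(k) for k in ("privacy", "terms", "cookies"))
    loaded = [p for p in (priv, terms, cookies) if loads(p)]
    ptext = priv.text.lower() if loads(priv) else ""
    dates = [last_updated(p.text) for p in loaded]
    pts = {}
    # Policy Presence (40)
    pts["privacy_loads"] = 20 if loads(priv) else 0
    pts["terms_loads"] = 15 if loads(terms) else 0
    pts["cookie_notice"] = 5 if loads(cookies) or scan.consent_banner else 0
    # Regulatory Coverage (30): keyword checks, which is all an automated scan can do
    pts["gdpr"] = 15 if "gdpr" in ptext and ("legal basis" in ptext or "data subject" in ptext) else 0
    pts["ccpa"] = 10 if "california" in ptext and ("opt-out" in ptext or "do not sell" in ptext) else 0
    pts["international"] = 5 if not scan.international_users or "transfer" in ptext else 0
    # Technical Quality (20)
    pts["no_broken_links"] = 10 if all(s == 200 for s in scan.footer_links.values()) else 0
    pts["crawlable"] = 5 if loaded and not any(disallowed(scan.robots_txt, p.path) for p in loaded) else 0
    pts["privacy_contact"] = 5 if EMAIL_RE.search(ptext) else 0
    # Maintenance Signals (10)
    pts["dates_present"] = 5 if loaded and all(dates) else 0
    pts["recently_updated"] = 3 if loaded and all(d and scan.scan_date - d <= timedelta(days=730) for d in dates) else 0
    pts["company_info"] = 2 if COMPANY_RE.search(" ".join(p.text for p in loaded)) else 0
    return pts


def grade(total):
    for floor, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if total >= floor:
            return f"PCI-{letter}"
    return "PCI-F"


def example_scan():
    """Constructed fixture (not a real site): privacy policy and cookie notice published,
    Terms returns 404 and is not linked, no California section, no company address."""
    privacy = Page("/privacy", 200, "Privacy Policy\nLast Updated: March 2024\n"
                   "Example Corp processes personal data under the GDPR. Our legal basis is consent "
                   "or contract; data subjects may exercise their rights via privacy@example.com.")
    cookies = Page("/cookies", 200, "Cookie Notice\nLast Updated: 2025-01-15\n"
                   "We use analytics cookies; see our Privacy Policy.")
    return ScanInput(pages={"privacy": privacy, "terms": Page("/terms", 404), "cookies": cookies},
                     footer_links={"/privacy": 200, "/cookies": 200},
                     robots_txt="User-agent: *\nDisallow: /admin/\n",
                     scan_date=date(2025, 6, 1))


if __name__ == "__main__":
    pts = score(example_scan())
    for check, p in pts.items():
        print(f"{check:<18}{p:>3}")
    total = sum(pts.values())
    print(f"total {total} {grade(total)}")   # 73 PCI-C
```

Run it with python3 to see the per-check breakdown. Note what a keyword check cannot see: a Privacy Policy that contains the words "GDPR" and "legal basis" earns the full 15 points whether or not the stated basis is correct, which is exactly the "we're not lawyers" limitation described earlier on this page.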

How to Improve Your PCI Score

Quick Wins (Same Day)

These changes can boost your score 20-30 points in an afternoon:

  1. Publish missing policies - If you don't have a Privacy Policy, generate one and publish it. That's 20 points right there.
  2. Fix broken links - Update your footer to point to working URLs. Instant 10 points.
  3. Add a last-updated date - Put "Last Updated: December 2024" at the top of each policy. Easy 5 points.

Medium-Term Improvements (1-2 Weeks)

  1. Add GDPR/CCPA sections - Update your Privacy Policy to include a "Your Rights" section mentioning data subject rights.
  2. Install a cookie banner - If you use Google Analytics or Facebook Pixel, add a simple consent banner.
  3. Add contact info - Include an email address or contact form specifically for privacy requests.

Ongoing Maintenance

  1. Review annually - Set a calendar reminder to review policies every 12 months.
  2. Monitor continuously - Set up recurring scans (monthly or quarterly) to catch regressions early.
  3. Track trends - If your score drops from 85 to 65, something broke. Investigate immediately.

What Score Should You Target?

Depends on your business:

Your Business                              Target Score
Side project, no users yet                 70+ (get the basics up before launch)
Small SaaS, B2C customers                  80+ (strong foundation, no obvious gaps)
Growing SaaS, enterprise prospects         85+ (ready for vendor questionnaires)
Regulated industry (healthcare, finance)   90+ (auditors expect comprehensive documentation)
High-volume ecommerce                      85+ (payment processors and regulators scrutinize)

Don't chase perfection

Getting from 85 to 95 takes far more effort than getting from 60 to 85: the remaining points are the small optional items, not the critical gaps. Close the critical gaps first. Diminishing returns kick in hard above 90.

Tracking Score Changes Over Time

Your PCI score isn't static. Websites change. Policies age. Regulations evolve. Tracking your score over time helps you catch problems early.

What Score Trends Tell You

Score increasing (70 → 82): You're fixing gaps. Keep it up.

Score stable (81 → 80 → 82): Normal fluctuation. Your maintenance is working.

Score decreasing (85 → 72): Something broke. Investigate immediately. Common causes:

  • Site redesign broke footer links to policies
  • Policies haven't been updated in 2+ years (aging penalty)
  • New regulation your policies don't address (e.g., CPRA updates)
  • Server issues causing policy pages to 404

Set up monthly or quarterly scans to catch regressions before they become problems. A sudden drop from 85 to 60 usually means a technical issue, not a compliance change.

Common Questions

Does a high PCI score guarantee legal compliance?

No. PCI measures documentation presence and quality, not legal accuracy. A perfect 100 score with a completely wrong Privacy Policy is still a legal problem.

Think of PCI like spell-check: it catches obvious errors, but it doesn't guarantee your writing is good.

Can I get to 100?

Yes, but it requires comprehensive documentation: Privacy Policy, Terms, Cookie Notice, GDPR disclosures, CCPA disclosures, a contact method for privacy requests, last-updated dates, no broken links, and policy pages that robots.txt does not block.

For most businesses, 85-90 is the practical sweet spot.

My score dropped but I didn't change anything. Why?

Three possibilities:

  1. Aging penalty: Policies over 2 years old without updates lose points
  2. New regulations: Scoring criteria updated to reflect new laws
  3. Technical issue: Server problems, broken links, DNS changes

Check your detailed scan report to see which specific checks failed.

Do I need a lawyer to improve my score?

Not necessarily. Many score improvements are technical fixes: publishing missing policies, repairing broken links, adding last-updated dates.

But if you're writing or significantly updating policies, legal review is smart—especially for regulated industries or businesses handling sensitive data.

The Bottom Line

Your PCI score is a diagnostic tool, not a compliance endpoint.

Use it to:

  • Identify gaps in your website's legal documentation
  • Prioritize what to fix first
  • Track improvements over time
  • Demonstrate diligence to customers, auditors, or investors

Don't use it as:

  • A substitute for legal review
  • A guarantee of regulatory compliance
  • The only measure of your data handling practices

If you're below 70, fix it. If you're above 80, maintain it. If you're in between, close the gaps your scan report identifies.

And remember: a website with a PCI score of 85 and good data practices beats a website with a score of 100 and terrible data handling every time. Documentation matters, but what you actually do matters more.