
How We Score Analytics Governance

Our methodology evaluates five dimensions of tracking compliance to produce a transparent, repeatable governance grade. Every score is evidence-based - no black boxes.

Methodology v2.0

Why a Scoring Methodology?

Regulated organisations need more than a list of tags. They need a structured assessment that maps tracking behaviour to compliance risk. The Obscurity Analytics Governance Methodology provides exactly that - a framework that evaluates how well your organisation governs its analytics and marketing tracking, producing a letter grade from A to F.

The methodology is designed for transparency. Every score is derived from observable evidence collected during a scan or diagnostic. There are no subjective judgements and no hidden weightings. If you disagree with a score, you can trace it back to the specific evidence that produced it.

What we measure

Five Governance Dimensions

Technical Consent Controls

Evaluates whether a Consent Management Platform is present, whether Google Consent Mode v2 is active, and whether consent signals are being enforced before tags fire. This is the foundation of any compliant tracking setup.

Data Leaving the EU

Assesses where your tracking data is sent. Tags that transmit data to jurisdictions outside the EU, UK, or Data Privacy Framework countries increase transfer risk and may require additional safeguards under GDPR.

Pre-Consent Data Leakage

Identifies tags and cookies that fire before the user has given consent. Pre-consent data collection is one of the most common compliance gaps and a frequent area of regulatory attention.

Governance Controls

Checks whether a tag management system is in place, providing version control, approval workflows, and deployment governance. Unmanaged tags are a significant audit risk.

Third-Party Exposure

Measures the volume and risk surface of third-party tracking services on your site. More third parties means more data processors, more DPAs to manage, and a larger attack surface.

Grade Scale

Your overall governance grade is a weighted average of the five dimension scores, mapped to a letter grade:

- **A (85-100)** - Strong governance. Controls are well-established and consent is properly enforced.
- **B (70-84)** - Good foundations. Minor gaps exist but the overall framework is sound.
- **C (50-69)** - Moderate risk. Structured remediation is recommended to address compliance gaps.
- **D (30-49)** - Significant gaps. Prioritised action is needed to reduce regulatory exposure.
- **F (0-29)** - Material risk. Immediate attention is required - this score typically indicates missing or ineffective consent controls.

Each dimension is scored from 0 to 100 and weighted according to its regulatory significance. Technical Consent Controls and Pre-Consent Data Leakage carry the highest weights because they represent the most immediate compliance risks.

Critical Dimensions

Technical Consent Controls and Pre-Consent Data Leakage are designated as critical dimensions. If either scores below 30, the overall grade is capped at D regardless of how well other dimensions perform. This reflects the regulatory reality - strong tag management cannot compensate for absent consent controls. This capping mechanism ensures that the grade accurately represents compliance posture. A site with excellent governance controls but no consent management should not receive a passing grade.

Scan Tiers

Not every assessment covers all five dimensions:

- **Free Governance Check** - Evaluates four dimensions: Technical Consent Controls, Pre-Consent Data Leakage, Governance Controls, and Third-Party Exposure. Provides a quick compliance snapshot.
- **Managed Scan** - Full five-dimension assessment including Data Leaving the EU. Used for retained client governance reviews.
- **Governance Diagnostic** - Comprehensive five-dimension assessment with detailed evidence, remediation recommendations, and executive reporting.

The free scan excludes jurisdiction analysis because accurate jurisdiction assessment requires deeper inspection than an automated surface scan can reliably provide.
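The grade scale, the critical-dimension cap and the four-dimension free check described above can be expressed as one scoring function. This is an added example, not Obscurity's own code: the weight values, the dimension key names and the renormalisation of weights when Data Leaving the EU is not scanned are assumptions, since the page publishes only the bands, the below-30 cap and which dimensions weigh most.

```python
# ASSUMED integer weights (illustrative only); the page states that the two
# critical dimensions carry the highest weights but gives no numbers.
ASSUMED_WEIGHTS = {
    "technical_consent_controls": 30,
    "pre_consent_data_leakage": 30,
    "data_leaving_the_eu": 15,      # not scanned in the free check
    "governance_controls": 15,
    "third_party_exposure": 10,
}
CRITICAL = ("technical_consent_controls", "pre_consent_data_leakage")
CRITICAL_FLOOR = 30                 # from the page: below 30 caps the grade at D
GRADE_BANDS = [(85, "A"), (70, "B"), (50, "C"), (30, "D"), (0, "F")]
ORDER = "ABCDF"                     # best to worst

def letter(score):
    """Map a 0-100 score to the page's letter bands."""
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    raise ValueError(f"score out of range: {score}")

def governance_grade(scores):
    """scores: dict of dimension -> 0..100 for the dimensions actually scanned."""
    unknown = set(scores) - set(ASSUMED_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown dimensions: {sorted(unknown)}")
    for dim in CRITICAL:
        if dim not in scores:
            raise ValueError(f"critical dimension missing: {dim}")
    for dim, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{dim} must be 0-100, got {value}")
    # Assumption: weights of unscanned dimensions are dropped and the rest
    # renormalised, so a four-dimension check still yields a 0-100 score.
    total_weight = sum(ASSUMED_WEIGHTS[d] for d in scores)
    overall = sum(scores[d] * ASSUMED_WEIGHTS[d] for d in scores) / total_weight
    grade = letter(overall)
    capped_by = [d for d in CRITICAL if scores[d] < CRITICAL_FLOOR]
    # The cap only lowers a grade: an F stays an F.
    if capped_by and ORDER.index(grade) < ORDER.index("D"):
        grade = "D"
    return {"score": round(overall, 1), "grade": grade, "capped_by": capped_by}
```

Returning `capped_by` alongside the grade keeps the result traceable: a reader can see that a D came from a failed critical dimension rather than from the weighted average.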

Transparency and Reproducibility

Every governance grade includes the evidence that produced it. Your report shows which tags were detected, what consent signals were observed, where data is being sent, and how each dimension was scored. The methodology is versioned. When scoring criteria change, the version number is updated and existing reports clearly indicate which version was used. This ensures that scores are comparable over time and that you can track genuine improvement rather than methodology drift.

Common questions about the methodology

Frequently Asked Questions

How often is the methodology updated?

The methodology is updated when regulatory requirements change or when we identify improvements to scoring accuracy. Each update increments the version number, and existing reports always indicate which version was used. We do not change scores retroactively.

Why does the free scan exclude jurisdiction analysis?

Accurate jurisdiction assessment requires analysing the actual network destinations of tracking requests, which needs deeper inspection than a surface-level automated scan can reliably provide. Including unreliable jurisdiction data would undermine the accuracy of the overall grade.

Can a site with no CMP still score well?

If a site has no tracking tags at all, it can score well because there is nothing to govern. However, if a site has tracking tags but no Consent Management Platform, the Technical Consent Controls dimension will score poorly, and the critical dimension cap will likely limit the overall grade to D or below.

How do you handle consent mode signals?

We check for Google Consent Mode v2 signals, which indicate that consent state is being communicated to tags. The presence of Consent Mode v2 contributes positively to the Technical Consent Controls score. However, Consent Mode alone is not sufficient - we also verify that a CMP is present and that tags respect consent state.

What evidence is included in the report?

Every report includes a complete tag inventory, consent signal analysis, jurisdiction mapping (for full scans), and per-dimension scoring with specific evidence. You can see exactly which tags were detected, what data they collect, and how each finding contributed to your score.

See your governance grade

Run a free governance check to see how your site scores across four dimensions, or book a full diagnostic for the complete five-dimension assessment.