How ConsentMark Works
A transparent, evidence-based methodology that scans your site, evaluates governance across four dimensions, and produces a letter grade from A to F. No black boxes.
Three-Stage Scan
Every scan follows the same reproducible process - discover what is on the page, test consent behaviour, then score against compliance gates.
Discover
ConsentMark loads your site in a real browser and catalogues every tag, script, cookie, and network request. No agents to install, no code changes required - we see exactly what your visitors see.
Consent
We test behaviour before and after consent. Which tags fire before consent is given? What happens when a visitor rejects tracking? Does your Consent Management Platform actually enforce consent signals?
Score
Every finding is evaluated against compliance gates ordered by severity. The first gate your site fails determines your grade ceiling. The result is a transparent letter grade from A to F, backed by evidence.
Four Governance Dimensions
Each scan evaluates your site across four dimensions. Together they provide a complete picture of your analytics governance posture.
Consent Management
Is a Consent Management Platform present? Is Google Consent Mode v2 active? Are consent signals enforced before tags fire? This is the foundation of any compliant tracking setup.
Tag Governance
Is a tag management system in place, providing version control, approval workflows, and deployment governance? Unmanaged tags are a significant audit risk for regulated organisations.
Data Transfers
Where is your tracking data sent? Tags that transmit data to jurisdictions outside the EU, UK, or Data Privacy Framework countries increase transfer risk and may require additional safeguards under GDPR.
Third-Party Oversight
How many third-party tracking services are on your site? More third parties mean more data processors, more DPAs to manage, and a larger attack surface for your organisation.
What the Grades Mean
Your grade is determined by a gate-based severity assessment. The first gate your site fails determines your grade ceiling - good behaviour elsewhere cannot offset a critical risk.
Strong governance
No tracking present, or consent is properly enforced with reject-all visible and respected.
Good with minor gaps
Tags use Consent Mode in restricted state, or minor engagement events fire pre-consent. Fundamentally sound.
Material gaps
Reject-all not visible, or data transfers to jurisdictions without adequate safeguards. Needs attention.
Incomplete implementation
CMP blocking technology is deployed but not fully enforced. The intent is there but the execution is not.
Critical risk
No CMP, consent not enforced, PII leaking, or reject ignored. Immediate remediation required.
Insufficient data
Scanner could not collect sufficient data to verify compliance. Manual review recommended.
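The gate logic described above, sketched as an added example (not ConsentMark's own code). The finding field names and the three-value `enforcement` field are assumptions made for illustration; the tier names and conditions are taken from the list above.

```python
"""Gate-based grading sketch (added example; not ConsentMark's implementation)."""

# Field names below are assumptions made for this illustration.
REQUIRED = {"tracking_present", "cmp_present", "enforcement", "pii_leak",
            "reject_ignored", "reject_all_visible", "unsafeguarded_transfer",
            "consent_mode_restricted", "minor_pre_consent_events"}

# Gates ordered most severe first. Each pairs a tier name from the page with
# (reason, predicate) checks; a true predicate means the gate is failed.
GATES = [
    ("Critical risk", [
        ("no CMP", lambda f: not f["cmp_present"]),
        ("consent not enforced", lambda f: f["enforcement"] == "none"),
        ("PII leaking", lambda f: f["pii_leak"]),
        ("reject ignored", lambda f: f["reject_ignored"]),
    ]),
    ("Incomplete implementation", [
        ("blocking deployed but not fully enforced",
         lambda f: f["enforcement"] == "partial"),
    ]),
    ("Material gaps", [
        ("reject-all not visible", lambda f: not f["reject_all_visible"]),
        ("transfer without adequate safeguards",
         lambda f: f["unsafeguarded_transfer"]),
    ]),
    ("Good with minor gaps", [
        ("Consent Mode in restricted state",
         lambda f: f["consent_mode_restricted"]),
        ("minor engagement events pre-consent",
         lambda f: f["minor_pre_consent_events"]),
    ]),
]

def grade(findings):
    """Return (tier, reasons); the first failed gate sets the ceiling."""
    missing = sorted(REQUIRED - set(findings))
    if missing:  # cannot verify compliance without every observation
        return "Insufficient data", missing
    if not findings["tracking_present"]:
        return "Strong governance", ["no tracking present"]
    for tier, checks in GATES:
        reasons = [why for why, failed in checks if failed(findings)]
        if reasons:  # stop here: lower-severity gates cannot raise the tier
            return tier, reasons
    return "Strong governance", ["consent enforced, reject-all respected"]

# Constructed sample: well-run site except for one unsafeguarded transfer.
SAMPLE = dict(tracking_present=True, cmp_present=True, enforcement="full",
              pii_leak=False, reject_ignored=False, reject_all_visible=True,
              unsafeguarded_transfer=True, consent_mode_restricted=True,
              minor_pre_consent_events=False)
```

In the constructed sample the site also meets the "Good with minor gaps" condition, but the transfer finding is evaluated first and sets the ceiling.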
Why This Matters for Regulated Organisations
Analytics governance is no longer a technical detail. It is a board-level compliance obligation.
Regulatory Scrutiny
The Data Protection Commission and EU regulators are actively investigating tracking practices. A governance grade gives you evidence of your compliance posture before they ask for it.
GDPR Accountability
Article 5(2) requires you to demonstrate compliance, not just claim it. ConsentMark provides the structured evidence and audit trail that accountability demands.
Board-Level Risk
Unmanaged analytics tracking is a data protection risk that belongs on the risk register. A clear grade makes it visible, measurable, and actionable for leadership.
Transparent and Reproducible
Every governance grade includes the evidence that produced it. Your report shows which tags were detected, what consent signals were observed, where data is being sent, and how each dimension was scored. The methodology is versioned - when scoring criteria change, the version number is updated so scores remain comparable over time.