ConsentMark
Free Scan
Analytics Governance

We Scanned 654 Regulated Websites - Here Is What We Found

4 min read

We pointed our governance scanner at 654 regulated Irish websites - insurance, fintech, energy, and travel - and let it run. Each site was scanned for consent compliance, tag governance, data flows, and overall measurement control.

Most regulated organisations have reasonable governance. But 1 in 15 have critical gaps that would not survive regulatory scrutiny.

The headline numbers

Of 654 regulated websites scanned:

  • 338 (52%) scored A - strong governance controls in place
  • 202 (31%) scored B - good governance with minor gaps
  • 71 (11%) scored C - material governance gaps requiring attention
  • 3 (0.5%) scored D - significant governance failures
  • 40 (6%) scored F - critical governance failures

Governance scores across 654 regulated Irish websites - donut chart showing grade distribution

The median score was 90 out of 100. The majority of regulated organisations have invested in consent management, tag governance, and measurement controls that work.

The concerning finding is at the bottom. Forty sites - 1 in 15 - scored below 60. The lowest score was 3 out of 100. Several scored in the teens and twenties. At that level, governance is not weak. It is functionally absent.

What separates A from F

The scanner evaluates four governance dimensions: consent compliance, tag inventory control, data flow documentation, and measurement infrastructure. Sites that score well get all four right. Sites that score poorly fail across multiple dimensions simultaneously.

A-grade sites (52%) share common characteristics. Consent Mode v2 is implemented correctly. Tags respect consent signals in practice, not just in configuration. The tag inventory is controlled - no rogue pixels, no undocumented third-party data flows. GTM containers are structured with clear naming conventions and trigger hygiene.

F-grade sites (6%) show compounding failures. Tags fire before consent is granted. Consent management platforms are misconfigured or entirely absent. Undocumented tracking pixels send data to third parties that do not appear in privacy notices. Multiple tag management systems operate independently with no central oversight. In some cases, legacy tags from previous agency relationships are still active years after the engagement ended.

The distribution is bimodal. Sites are either governed or they are not. A clear cluster above 80, a cluster of critically ungoverned sites below 40, and very little in between.

Grade distribution bar chart showing the bimodal pattern - a cliff between governed and ungoverned sites

The consent gap

The most consistent finding across lower-scoring sites was consent drift - the divergence between what the consent management platform is configured to do and what actually happens in the browser.

A consent banner can be live and correctly configured on the day it is deployed. Six months later, new tags have been added, existing tags have been modified, and agency deployments have changed trigger conditions. Unless someone is independently validating consent behaviour - not just consent configuration - the drift is invisible.

Our scanner tests consent by observing actual network requests across consent states. What fires when consent is granted. What fires when consent is denied. What fires before the consent interaction happens at all.

In the F-grade cluster, pre-consent tag firing was the single most common failure. Tags were sending data to third-party servers before any consent interaction had occurred. In a GDPR context, that is not a governance gap. It is a compliance violation.

Two questions worth answering

Are you in the 82% or the 18% - and how confident are you without having checked?

If a regulator asked for evidence that your consent implementation works in practice, not just in configuration, could you provide it today?

Scan your own site

The same scanner is available as a free governance check. Enter your URL and get your score in under 30 seconds. No signup required. No sales call.

If you score well, you have evidence to support that. If you do not, you know where to focus.

For deeper analysis - tag-level findings, consent compliance testing across all consent states, and a prioritised remediation roadmap - our Executive Briefing is a 30-minute conversation about what the data shows and what it means for your regulatory context.