Privacy Scores
A transparent, evidence-based methodology for measuring how companies handle personal data.
How It Works
Every company on PrivacyFetch receives a composite privacy score from 0 to 100, calculated from five independently scored dimensions. Each dimension evaluates a different aspect of a company's data practices, weighted by its relative impact on user privacy.
The overall score is calculated as:
overall = (data_collection × 0.20) + (data_sharing × 0.25) + (tracking × 0.20) + (transparency × 0.20) + (user_rights × 0.15)
Scores reflect a point-in-time assessment based on publicly observable information. They are recalculated on every re-crawl and are not averaged over time. Higher scores indicate better privacy practices.
Dimension Breakdown
Each dimension starts at a baseline score and adjusts based on specific factors found during analysis. Dimensions with a baseline of 100 deduct points for concerning practices. Dimensions with a baseline of 50 require companies to earn points through positive disclosures.
Data Collection
Measures the breadth and sensitivity of personal data a company collects. Starts at 100 and deducts for each sensitive data type identified in the privacy policy.
Penalties
| Factor | Max Impact |
|---|---|
| Biometric data | -15 |
| Health data | -15 |
| Behavioral data | -10 |
| Browsing history | -10 |
| Location data | -10 |
| Financial data | -5 |
| Excess data types (>10): -5 per excess type, max 3 | -15 |
Data Sharing
Evaluates who a company shares data with and for what purposes. This is the most heavily weighted dimension because third-party sharing has the most direct impact on user privacy.
Penalties
| Factor | Max Impact |
|---|---|
| Sells personal data | -40 |
| Shares with data brokers | -25 |
| Shares with advertisers | -20 |
| More than 5 advertising partners | -10 |
| More than 20 data partners | -10 |
| 10–20 data partners | -5 |
| Shares with business partners | -5 |
| Shares with affiliates | -5 |
| Broad sharing stated in policy | -10 |
| Targeted advertising as a processing purpose | -10 |
| User profiling as a processing purpose | -5 |
| Remarketing as a processing purpose | -5 |
| Vendors but no subprocessor list published | -10 |
Tracking
Detects advertising trackers, analytics services, session recording tools, and cookies on the company website. Uses three fallback layers: live tracker detection, cookie analysis, and policy-stated tracking.
Penalties
| Factor | Max Impact |
|---|---|
| Advertising trackers: min(count × 5, 30) | -30 |
| Session recording | -15 |
| Ad networks / cross-device tracking | -15 |
| Analytics trackers >3: min((count − 3) × 5, 15) | -15 |
| Social trackers >2 | -5 |
Bonuses
| Factor | Impact |
|---|---|
| Supports Do Not Track (DNT) | +5 |
| Supports Global Privacy Control (GPC) | +5 |
Transparency
Rates how clearly and completely a company communicates its data practices. Starts at a neutral 50 because transparency must be earned through disclosure, not assumed.
Penalties
| Factor | Max Impact |
|---|---|
| Vague or missing retention policy | -10 |
| Policy contradictions: min(count × 5, 15) | -15 |
| Excessively long policy (>10,000 words) | -5 |
Bonuses
| Factor | Impact |
|---|---|
| Privacy policy published | +15 |
| Comprehensive sections (≥4) | +10 |
| Basic sections (≥2) | +5 |
| Specific data retention periods | +5 |
| Subprocessor list published | +5 |
| Data Processing Agreement published | +5 |
| Data processing purposes stated | +5 |
| Readable policy length (≤6,000 words) | +5 |
User Rights
Assesses the rights a company extends to users and how easy it is to exercise them. Starts at a neutral 50 and earns points for each recognized right and accessible request channel.
Penalties
| Factor | Max Impact |
|---|---|
| Very difficult deletion (difficulty score ≥4) | -15 |
| Moderately difficult deletion (difficulty score 3) | -5 |
Bonuses
| Factor | Impact |
|---|---|
| Per recognized right: +5 each (max +40) | +40 |
| Data request form available | +10 |
| Privacy contact email available | +5 |
| Appeals process supported | +5 |
| Multiple request channels (≥3) | +5 |
Tracking Fallback Layers
The tracking dimension uses a tiered detection approach. When live tracker detection finds specific trackers, those are scored directly. When it does not, the system falls back to cookie-based and then policy-stated signals.
Cookie fallback
When no specific trackers are detected but cookies are present
| Factor | Impact |
|---|---|
| Marketing/advertising cookies | -25 |
| Third-party analytics cookies | -10 |
| Essential/first-party cookies only | -5 |
Policy-stated fallback
When no trackers or cookies are detected but the privacy policy mentions tracking
| Factor | Impact |
|---|---|
| Targeted advertising stated | -20 |
| Marketing cookies stated | -15 |
| Cross-device tracking stated | -15 |
| Third-party analytics stated | -10 |
Recognized User Rights
The User Rights dimension recognizes 8 specific rights. Each recognized right adds +5 to the dimension score, up to a maximum bonus of +40.
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Deletion | Request deletion of your personal data |
| Correction | Request corrections to inaccurate data |
| Portability | Receive your data in a machine-readable format |
| Opt Out of Tracking/Sale/Sharing | Opt out of tracking, data sales, or data sharing |
| Withdraw Consent | Withdraw previously given consent |
| Restrict Processing | Request limits on how data is processed |
| Object to Processing | Object to specific processing activities |
AI Risk Score
The AI risk score is a separate assessment that is not included in the main 0–100 privacy score. It evaluates how a company uses artificial intelligence and whether user data is involved in AI training. The AI risk score is composed of three weighted sub-components.
Usage Transparency
Weight: 40%. How clearly the company discloses its use of AI.
- Explicit disclosure: 95 points
- Partial disclosure: 60 points
- No disclosure: 30 points
- Hidden AI usage detected: -20
- Third-party AI disclosed: +10
- Third-party AI undisclosed: -10
Risk Level
Weight: 30%. The potential impact of AI usage on users.
- High user impact: 30 points
- Medium user impact: 60 points
- Low user impact: 90 points
- Automated decision-making risk: -15
Training Practices
Weight: 30%. Whether user data is used to train AI models.
- Trains on personal user data: -30
- Trains on user interactions: -15
- Trains on public content: -10
- Shares data for third-party AI: -20
- No opt-out available (when training occurs): -15
Red Flags
Red flags highlight the most concerning privacy practices found during analysis. They are ordered by severity, deduplicated, and limited to the top 5 most severe flags shown on company profiles. There are 11 possible red flags.
| # | Flag | Severity |
|---|---|---|
| 1 | Sells personal data | Critical |
| 2 | Shares with data brokers | Critical |
| 3 | Session recording | High |
| 4 | Ad networks / cross-device tracking | High |
| 5 | Excessive advertising trackers (>5) | High |
| 6 | Sensitive data collection (biometric/health) | High |
| 7 | Vague or missing data retention policy | Medium |
| 8 | Policy contradictions | Medium |
| 9 | Trains AI on user data | Medium |
| 10 | Recent data breach | Medium |
| 11 | Very difficult data deletion | Medium |
How Scores Update
Scores are recalculated on every re-crawl of a company. Each score represents a point-in-time assessment based on the latest analysis. Scores are not averaged over time or smoothed across analysis cycles.
When a score changes by 5 or more points, notifications are triggered for users tracking the company. Historical scores are preserved for trend analysis, but the displayed score always reflects the most recent assessment.
Limitations
Privacy scores are based on publicly available information and automated analysis. They do not constitute legal advice, regulatory compliance certification, or a complete audit of a company's internal data handling practices.
When no privacy policy is found, the Data Collection, Data Sharing, and Tracking dimensions are capped at 0 to avoid falsely high scores from missing data. The AI risk score is also zeroed in this case.
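The Tracking fallback layers, the weighted composite formula, and the no-policy cap described above can be reproduced as follows. This is an added example, not PrivacyFetch's own code: the signal key names are hypothetical, and it assumes that Tracking starts at 100, that factors within a layer add up, that the DNT/GPC bonuses apply in every layer, and that dimension scores clamp to 0–100.

```python
# Added example. Assumptions not stated on the page: Tracking baseline is 100,
# factors within one layer are additive, DNT/GPC bonuses apply in every layer,
# and dimension scores are clamped to 0..100. Signal key names are hypothetical.
WEIGHTS = {"data_collection": 0.20, "data_sharing": 0.25, "tracking": 0.20,
           "transparency": 0.20, "user_rights": 0.15}
COOKIE = {"marketing": 25, "third_party_analytics": 10, "essential_only": 5}
POLICY = {"targeted_advertising": 20, "marketing_cookies": 15,
          "cross_device": 15, "third_party_analytics": 10}

def clamp(x):
    return max(0, min(100, x))

def tracking_score(s):
    """Score one company's tracking signals; returns (score, layer_used)."""
    counts = ("ad_trackers", "analytics_trackers", "social_trackers")
    if any(s.get(k, 0) for k in counts) or s.get("session_recording") or s.get("ad_networks"):
        layer = "live"  # layer 1: specific trackers detected on the site
        penalty = min(s.get("ad_trackers", 0) * 5, 30)
        penalty += 15 if s.get("session_recording") else 0
        penalty += 15 if s.get("ad_networks") else 0
        penalty += min(max(s.get("analytics_trackers", 0) - 3, 0) * 5, 15)
        penalty += 5 if s.get("social_trackers", 0) > 2 else 0
    elif s.get("cookies"):
        layer = "cookie"  # layer 2: no trackers found, but cookies are present
        penalty = sum(COOKIE[c] for c in s["cookies"])
    elif s.get("policy_mentions"):
        layer = "policy"  # layer 3: only the policy text mentions tracking
        penalty = sum(POLICY[p] for p in s["policy_mentions"])
    else:
        layer, penalty = "none", 0
    bonus = 5 * bool(s.get("dnt")) + 5 * bool(s.get("gpc"))
    return clamp(100 - penalty + bonus), layer

def overall(dims, policy_found=True):
    """Weighted composite; with no policy, three dimensions are capped at 0."""
    dims = dict(dims)
    if not policy_found:
        for k in ("data_collection", "data_sharing", "tracking"):
            dims[k] = 0
    return round(sum(dims[k] * w for k, w in WEIGHTS.items()), 2)

if __name__ == "__main__":
    # Constructed signals: 4 ad trackers, 5 analytics trackers, session replay, GPC.
    site = {"ad_trackers": 4, "analytics_trackers": 5,
            "session_recording": True, "gpc": True}
    t, layer = tracking_score(site)
    dims = {"data_collection": 80, "data_sharing": 60, "tracking": t,
            "transparency": 70, "user_rights": 75}
    print(layer, t, overall(dims), overall(dims, policy_found=False))
```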