Privacy & Compliance Scoring Methodology
By Melurna
in Knowledgebase
(Version 1.1 – for external use)
1. Privacy-Policy Score
We evaluate each published privacy policy against eight disclosure criteria:
| # | Criterion | What we look for |
|---|---|---|
| 1 | PII collection | Does the policy specify which personal data is collected? |
| 2 | Sale of data | Does the company state whether it sells customer data? |
| 3 | Consent for third-party sharing | Is explicit permission required before data is shared? |
| 4 | Cross-border transfers | Are the destination countries or regions identified? |
| 5 | Right to delete | Can users erase their data on request? |
| 6 | Class-action rights | Does the policy preserve users’ collective redress options? |
| 7 | Opt-out choices | Are clear opt-out mechanisms offered (tracking, marketing, sale)? |
| 8 | Legal obligations | Does the policy acknowledge its statutory duties (e.g., GDPR, CCPA)? |
Score rating (0 – 100)
| Rating | Label | Interpretation |
|---|---|---|
| > 80 | Excellent | Best-in-class transparency & user rights |
| 70 – 80 | Good | Strong overall; minor gaps |
| 60 – 70 | Fair | Adequate but needs refinement |
| ≤ 60 | Needs Improvement | Significant shortcomings |
2. Compliance-Violation Risk Rating
For each relevant privacy-framework provision (GDPR, CCPA, HIPAA, etc.) we assign:
| Risk Level | Definition |
|---|---|
| High | Clear, documentable breach of the provision |
| Medium | Evidence of breach exists, but scope or interpretation may be debatable |
| Low | No definitive breach, or the issue involves lower-sensitivity data |
3. Approximate Settlement-Cost Model
Formula: Approx. Settlement Cost = C × P × N
| Symbol | Definition |
|---|---|
| C | Estimated volume of personal data points held, derived from company size & revenue |
| P | Weighted average cost per data point (updated from recent enforcement data): high-risk violation ≈ $180; medium-risk ≈ $170; low-risk ≈ $150 |
| N | Count of distinct violations identified |
This model provides an upper-bound estimate of potential settlement exposure under the applicable privacy framework and is recalibrated as new case law emerges.
For questions on methodology or a tailored assessment, please contact [email protected].