Methodology

How the Cirv Cookie Index reads cookie/consent signals from EU e-commerce stores — and why it is a conservative floor.

What we scan

We fetch the public homepage of each store and read its HTML for three cookie/consent signals tied to GDPR + the ePrivacy Directive. We never load or click anything — it is static analysis only.

The checks

• Consent platform — is a recognised CMP (Cookiebot, OneTrust, Usercentrics, …) present?
• Cookie notice — is a cookie/consent banner present in the markup?
• Tracker gating — if third-party trackers are present, is there a consent platform to gate them?

The score

The score is the share of checks that pass, 0–100, graded A–F. A high score means no hardcoded red flags in the markup — NOT that the store is GDPR-compliant.

What we don't do

We respect robots.txt, rate-limit politely, identify ourselves honestly, and never bypass bot protection or execute page scripts. Sites that block automated access are listed as "couldn't scan" rather than worked around.

Limitations

Static scanning cannot see trackers injected by JavaScript (most large sites), so this index under-counts — it is a conservative floor that never falsely accuses. A clean score is not proof of compliance. Informational, not legal advice.

← Back to the index