Methodology

How We Score Privacy Policies

Assessed across 10 dimensions · Independent · Open source

Australian Privacy Score analyses publicly available privacy policy documents and scores them across 10 dimensions drawn from the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Each dimension is weighted by its impact on consumer outcomes and combined into an overall score from 0 to 100.

Scoring is performed by our open-source engine using large language model claim extraction. Scores reflect only what is publicly stated in the policy — not actual data practices.

The 10 Dimensions

Dimension	Weight	What we look for
Transparency & Clarity	15%	Clear, plain-language policy with accessible structure and readable format.
Data Collection Disclosure	15%	Specific disclosure of what personal data is collected and through what means.
Third-Party Sharing & Disclosure	15%	Named disclosure of third parties who receive personal data and for what purpose.
Purpose Limitation & Use	10%	Data is collected only for stated purposes and not re-used without consent.
Consumer Rights & Control	10%	Rights to access, correct, delete, and port personal data are explained.
Data Security	10%	Security measures protecting personal data are described (encryption, access controls).
Automated Decision-Making	10%	Automated profiling or decision-making affecting consumers is disclosed.
Children's Data	5%	Special handling of children's data under 18 is addressed or explicitly excluded.
Cross-Border Data Flows	5%	Named disclosure of overseas countries or regions where data is transferred.
Policy Maintenance & Accountability	5%	Policy is dated, version-controlled, and outlines how consumers are notified of changes.

Weights sum to 100%. Each dimension is scored 0–10 by the engine, then scaled to 0–100.

Grade Thresholds

Grade	Score range	Label
A	80–100	Excellent transparency
B	65–79	Good with minor gaps
C	50–64	Room for improvement
D	35–49	Significant gaps
F	0–34	Major deficiencies

Limitations

Each score is produced by a single large language model pass over the policy text. There is no human ground-truth audit and no inter-rater reliability measurement — re-scanning the same policy may shift a dimension by a few points.

Scores measure the quality of what a policy discloses, not an organisation's actual data practices. A clearly written policy can outscore a more privacy-protective but poorly written one, and letter grades close to a threshold should be read as approximate.

Open-Source Scoring Engine

The full extraction and scoring logic is publicly available for audit and contribution.

View on GitHub →

When We Can't Assess a Policy

The scanner handles most JavaScript-rendered policies by falling back to a headless browser and a reader proxy, so JS rendering alone is rarely a blocker. A policy is marked unassessable only when the following remain true after those fallbacks. Common reasons:

No privacy policy page can be found for the organisation.
The policy is published only as a PDF whose text cannot be extracted.
The page can be reached but does not contain a recognisable privacy policy — for example a stub, summary, or error page.
An automated bot-protection system blocks the scan, including after headless-browser and reader-proxy fallbacks (this also covers HTTP 403 challenges).
The page returns a non-recoverable error (404, 410, or a persistent 5xx).

We show an “Unable to Assess” badge rather than a score so that incomplete data is never presented as a grade.

Partial Policy Detection

Some privacy policy URLs lead to a short summary page (under 4 000 characters) that links out to a fuller document. When this is detected, the score is flagged as potentially incomplete. A warning is shown on the profile — the score is not suppressed, but users should be aware it may not reflect the full policy.

The 10 Dimensions

Dimension	Weight	What we look for
Transparency & Clarity	15%	Clear, plain-language policy with accessible structure and readable format.
Data Collection Disclosure	15%	Specific disclosure of what personal data is collected and through what means.
Third-Party Sharing & Disclosure	15%	Named disclosure of third parties who receive personal data and for what purpose.
Purpose Limitation & Use	10%	Data is collected only for stated purposes and not re-used without consent.
Consumer Rights & Control	10%	Rights to access, correct, delete, and port personal data are explained.
Data Security	10%	Security measures protecting personal data are described (encryption, access controls).
Automated Decision-Making	10%	Automated profiling or decision-making affecting consumers is disclosed.
Children's Data	5%	Special handling of children's data under 18 is addressed or explicitly excluded.
Cross-Border Data Flows	5%	Named disclosure of overseas countries or regions where data is transferred.
Policy Maintenance & Accountability	5%	Policy is dated, version-controlled, and outlines how consumers are notified of changes.

Weights sum to 100%. Each dimension is scored 0–10 by the engine, then scaled to 0–100.

Grade

Score range

Label

80–100

Excellent transparency

65–79

Good with minor gaps

50–64

Room for improvement

35–49

Significant gaps

0–34

Major deficiencies

Limitations

When We Can't Assess a Policy

No privacy policy page can be found for the organisation.

The policy is published only as a PDF whose text cannot be extracted.

The page can be reached but does not contain a recognisable privacy policy — for example a stub, summary, or error page.

An automated bot-protection system blocks the scan, including after headless-browser and reader-proxy fallbacks (this also covers HTTP 403 challenges).

The page returns a non-recoverable error (404, 410, or a persistent 5xx).

We show an “Unable to Assess” badge rather than a score so that incomplete data is never presented as a grade.

Partial Policy Detection