Comscore is a US-based audience measurement provider used by publishers, broadcasters, advertisers, and agencies to measure the size and behaviour of digital audiences. The Comscore Direct Tag (a JavaScript snippet loading from sb.scorecardresearch.com) collects beacon events from each page view. In several European markets, Comscore operates joint industry currencies (MMX, Video Metrix) and accreditation arrangements with national measurement bodies.
Comscore is a US-based audience measurement company founded in 1999, headquartered in Reston, Virginia. It serves publishers, broadcasters, advertisers, and agencies with currencies that quantify the size and composition of digital and cross-media audiences. The Comscore Direct Tag, deployed on publisher pages, collects per-page-view beacons. The data is combined with panel data and (where available) telco data to compute audience metrics published as JIC currencies in many European countries.
The Direct Tag fires a beacon to scorecardresearch.com on each page view, including the page URL, referrer, visitor identifier (UID cookie set on the scorecardresearch.com domain), user agent, device class, and publisher-provided custom dimensions (content category, section, demographic flags). Comscore stitches the data into visitor and household profiles using its panel, then publishes audience metrics on its planning platforms.
The UID cookie is a third-party persistent identifier. It is non-essential under ePrivacy and TTDSG and requires consent before being set. The data processing also requires Art. 6(1)(a) consent because of the cross-site profiling potential. National DPAs (notably the CNIL in France) have signalled that audience measurement may be exempt from consent only if it is strictly anonymous and limited to the publisher (no cross-site reconciliation), which the standard Comscore product is not.
Beacon hits are centralised in the United States for processing. Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and on Comscore Inc.'s EU-US Data Privacy Framework certification. In specific JIC arrangements (Médiamétrie/Comscore in France, agof in Germany), the local measurement body may operate intermediate processing in the EU, but the underlying Comscore systems remain US-based.
Sign the Comscore DPA, gate the Direct Tag behind your CMP, list Comscore in your cookie policy with the UID cookie details, document the SCCs and the DPF certification in the privacy notice, document a DPIA covering the cross-site profiling aspect, and check whether the local JIC has additional measurement-specific guidance (Médiamétrie, agof, IAB Tech Lab TCF).
Websites using comScore must obtain user consent under GDPR regulations.
DPIA considerations
Comscore Direct Tag collects per-page-view beacons including a persistent visitor identifier (UID cookie on scorecardresearch.com), referrer, URL, device class, and (in some configurations) custom dimensions provided by the publisher. Key DPIA considerations: (1) the UID cookie is a third-party persistent identifier with cross-site tracking potential; (2) the data is centralised in the US for analysis, requiring SCCs and DPF; (3) Comscore combines measurement data with panel data and other publisher signals, which raises the privacy stakes; (4) in some EU markets (notably France with Médiamétrie/Comscore, Germany with agof) the measurement is operated under industry agreements that may include sectoral safeguards; (5) audience measurement is generally considered subject to consent, although some EU DPAs accept anonymous configurations as exempt.
Sample consent text
We use Comscore, a US-based audience measurement service, to measure the size and demographics of our website audience. Comscore sets a third-party cookie (UID on scorecardresearch.com) to count unique visitors and combines this data with panel data in the United States. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. You can decline Comscore measurement via the cookie banner.
Third-party domains contacted
comscore.com, www.comscore.com, scorecardresearch.com, sb.scorecardresearch.com, b.scorecardresearch.com, c.scorecardresearch.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| UID | Marketing / Audience measurement | ~2 years | Third-party persistent identifier set on the scorecardresearch.com domain. Used by Comscore to recognise the same browser across all sites measured by the Comscore Direct Tag and compute audience reach metrics. |
| XCLGFbrowser | Marketing / Audience measurement | 1 year | Browser identifier used by some Comscore Mobile Metrix and Multi-Platform measurement products to detect mobile vs desktop visitors and prevent double-counting. |
| sb-id (first-party mode) | Marketing / Audience measurement | 13 months | First-party cookie set when the publisher deploys the Comscore First-Party Mode to avoid third-party cookie restrictions in modern browsers. Same measurement purpose as the UID third-party cookie. |
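
One way to check that the Direct Tag really is gated behind the CMP is to audit a captured request log for the domains and cookies listed above. This is an added example, not Comscore's or this page's own code; the log shape, function names, URL paths and sample entries are constructed assumptions.

```javascript
// Added example: flag Comscore traffic seen before consent in a request log.
// Log shape, function names and sample data are assumptions (constructed).

// Registrable domains from the page's "Third-party domains contacted" list.
const COMSCORE_DOMAINS = ["comscore.com", "scorecardresearch.com"];
// First-party mode cookie named in the page's cookie table.
const FIRST_PARTY_COOKIES = ["sb-id"];

// True for a listed domain or any subdomain of it. Matching on the dot
// boundary keeps look-alikes such as "notscorecardresearch.com" out.
function isComscoreHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return COMSCORE_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Cookie name from a Set-Cookie header value.
const cookieName = (setCookie) => setCookie.split(";")[0].split("=")[0].trim();

// entries: [{ url, time, setCookies }] with time in ms since navigation start.
// consentTime: ms at which the CMP recorded opt-in, or null if never given.
function findPreConsentViolations(entries, consentTime) {
  const violations = [];
  for (const e of entries) {
    if (consentTime !== null && e.time >= consentTime) continue; // consented
    let host;
    try { host = new URL(e.url).hostname; } catch { continue; } // malformed URL
    const cookies = (e.setCookies || []).map(cookieName);
    if (isComscoreHost(host)) {
      violations.push({ url: e.url, time: e.time, reason: "comscore-request", cookies });
    } else if (cookies.some((c) => FIRST_PARTY_COOKIES.includes(c))) {
      violations.push({ url: e.url, time: e.time, reason: "first-party-cookie", cookies });
    }
  }
  return violations;
}

// Constructed sample log; paths and cookie values are placeholders.
const SAMPLE_LOG = [
  { url: "https://publisher.example/", time: 0, setCookies: [] },
  { url: "https://sb.scorecardresearch.com/tag-placeholder.js", time: 120 },
  { url: "https://sb.scorecardresearch.com/beacon-placeholder", time: 180,
    setCookies: ["UID=constructed; Domain=.scorecardresearch.com; Secure"] },
  { url: "https://notscorecardresearch.com/x", time: 200 },
  { url: "https://publisher.example/app.js", time: 210, setCookies: ["sb-id=constructed; Path=/"] },
  { url: "https://b.scorecardresearch.com/beacon-placeholder", time: 5200 },
];

// Consent recorded at 5000 ms: three entries fired too early.
console.log(findPreConsentViolations(SAMPLE_LOG, 5000));
```

Passing `null` as the consent time models a visitor who declined or never answered the banner, in which case any Comscore request at all is reported.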
Comscore sets the UID cookie on scorecardresearch.com (third-party domain), with a persistence of about 2 years. Additional first-party cookies (sb-id or similar) may be set via Comscore First-Party Mode. The UID identifies the visitor across all sites measured by Comscore.
Yes. Comscore is third-party audience measurement that combines the UID across sites. Under ePrivacy and TTDSG it qualifies as non-essential and requires consent. Some EU DPAs (CNIL) reject the consent exemption for audience measurement as soon as data is shared with a third party.
Consent (Art. 6(1)(a) GDPR) for both the cookies and the underlying personal data processing.
Yes. Beacon hits are processed by Comscore Inc. in the United States. Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and on the EU-US Data Privacy Framework certification.
Yes for sites with significant traffic. The cross-site profiling and the US transfers are significant DPIA factors. Document the necessity (industry currency), the consent mechanism, the SCCs, and the DPF.
Sign the Comscore DPA, gate the Direct Tag behind your CMP, integrate with TCF if you participate in the IAB framework, list Comscore in the cookie policy, document the SCCs/DPF, and align with national JIC requirements (Médiamétrie, agof).
Other audience measurement providers include Nielsen Digital Ad Ratings (US), Kantar (UK), GfK (Germany), Médiamétrie (France, in some markets directly), Mediametrie/Net Ratings, Adsquare, and emerging EU-led measurement alliances.
List the UID cookie on scorecardresearch.com (third-party, ~2 years, audience measurement purpose). Specify the controller (Comscore Inc., US), the SCCs and DPF for the US transfer, and the CMP toggle that allows visitors to refuse Comscore measurement.