Policy vs reality: does your site do what your policy says?
IMY's Meta Pixel enforcement cluster fined two pharmacy retailers a combined SEK 45M for sharing health-related browsing data with Meta — despite having published privacy policies in place. What they lacked was behavior that matched the policy's promises. Vakteye's audit reads what your policy states — which third parties, which purposes, which legal basis — and then runs a live behavioral scan to check whether reality agrees.
Who it's for
- Legal and privacy teams who wrote a policy but haven't verified it against live site behavior
- Companies about to renew a DPA or vendor questionnaire that references their published policy
- Anyone who inherited a privacy policy from a previous team or agency and isn't sure it's still accurate
What Vakteye tests
- Whether the third parties named in the policy match the trackers and scripts actually observed on the site
- Whether the stated data-collection purposes match what forms, pixels, and analytics tools actually capture
- Whether the retention or cookie-lifetime claims in the policy match the cookies actually set
- Whether security claims ("we use industry-standard security measures") are backed by observable basics like TLS and security headers
Legal basis
GDPR Article 5
The transparency and fairness principle at stake when policy and reality diverge — regulators have repeatedly treated saying one thing and doing another as a breach of fair processing.
GDPR Article 13
The information-obligation article that requires the stated recipients and purposes of processing to be accurate, not aspirational.
GDPR Article 6(1)(a)
If the policy describes consent-based processing that doesn't match what actually happens, the stated legal basis itself becomes unreliable.
Example finding
Policy lists three third parties, site sends data to eight
What we observed
The privacy policy names three named recipients of visitor data. A behavioral scan of network traffic during a normal browsing session identifies five additional third-party domains receiving requests with identifying parameters.
Why it matters
This is the single most common finding category in policy-vs-reality audits — the policy was accurate when written but the marketing stack has grown since, with no one updating the disclosure.
FAQ
Ready to see what your website actually does?
Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.
Book a full audit