
Your Privacy Policy vs. Your Website: How to Find the Contradictions

Vakteye Team | Mar 16, 2026 | 6 min read

Your privacy policy says one thing. Your website does another. A privacy policy compliance check would catch this, but most organizations never run one. The result: contradictions that regulators can verify in minutes using automated scanning tools.

This isn't a theoretical risk. The EDPB's 2026 coordinated enforcement action targets transparency and the information duties under Articles 12-14. That means every participating EU/EEA data protection authority, including IMY, will compare what you claim against what you actually do. The gap between policy and practice is among the most common compliance failures found in this kind of review.

Five contradictions that get companies fined

These aren't edge cases. They appear on the majority of websites Vakteye scans.

1. "No third-party cookies" — but GA4 and Meta Pixel are active

The privacy policy states the site uses only essential cookies. Meanwhile, Google Analytics 4 sets _ga and _ga_* cookies, and the Meta Pixel sets _fbp and _fbc (and, for users logged in to Facebook, the fr cookie on the facebook.com domain). Strictly speaking, _ga and _fbp are first-party cookies by their Domain attribute: they are written by a third-party script onto your own domain. fr is a true third-party cookie. The distinction does not help you. What an auditor classifies is who reads the data, and the identifiers in these cookies are sent to Google and Meta on every hit, which is exactly what "essential only" and "no third-party cookies" claim does not happen.

This violates GDPR Article 5(1)(a), the transparency principle, because the stated processing doesn't match the actual processing. It also violates Article 13, which requires accurate disclosure of recipients and purposes.

2. "EU-only processing" — but data goes to the US

The policy claims all data is processed within the EU. But the website loads scripts from US-hosted CDNs, sends analytics data to Google's US servers, and embeds Cloudflare resources that may route through US points of presence. Every HTTP request that carries personal data (the visitor's IP address alone qualifies) to a recipient in the US is a transfer under Chapter V of the GDPR, starting at Article 44.

Post-Schrems II, transfers to the US require either that the recipient is certified under the EU-US Data Privacy Framework (covered by the Commission's 2023 adequacy decision) or Article 46 safeguards such as Standard Contractual Clauses, backed by a transfer impact assessment and any supplementary measures that assessment calls for. Claiming EU-only processing while transferring data to the US is a double violation: the transfer itself and the misleading policy.

3. "Minimal data collection" — but 47 cookies on page load

The policy describes a data-minimization approach. The website sets 47 cookies before the user clicks anything: analytics cookies, advertising identifiers, session replay tokens, A/B testing flags, and social media widgets. Data minimization under Article 5(1)(c) means collecting only what's necessary for the stated purpose. Forty-seven cookies is hard to reconcile with "minimal."

4. "No third-party sharing" — but 12 third-party scripts loaded

The policy states the organization doesn't share personal data with third parties. The website loads scripts from Google, Meta, LinkedIn, Twitter, HubSpot, Hotjar, and six other external domains. Each of them receives the user's IP address, User-Agent string, and the page URL (via the Referer header) at minimum; once the script is executing, it can collect screen size, installed fonts, and behaviour on the page as well. Loading a third-party script IS sharing data with that third party.

5. "Consent-based processing" — but cookies fire before the banner

The policy names consent as the legal basis for analytics and marketing. The website sets tracking cookies on page load, before the consent banner even appears. By the time the user sees the banner, their data has already been sent to three analytics providers and two advertising networks.

Under ePrivacy Directive Article 5(3), consent must be obtained before placing or reading non-essential cookies. Firing cookies before the banner renders the entire consent mechanism meaningless: the banner is theatre, not control, because the choice it offers has already been made for the user.

Every contradiction above violates GDPR Article 5(1)(a), the transparency principle. Under Article 83(5), both the principle violation (Article 5, via 83(5)(a)) and the information-duty violation (Articles 12-14, via 83(5)(b)) fall into the higher fine tier: up to EUR 20 million or 4% of global annual turnover, whichever is higher.

Why contradictions happen

Nobody writes a deliberately misleading privacy policy. Contradictions emerge from organizational gaps.

  • The privacy policy was written by legal. The website was built by developers. They don't coordinate.
  • Marketing adds tracking pixels through tag managers without notifying the DPO.
  • The policy was accurate when written but the website has changed. New analytics, new widgets, new integrations.
  • Third-party scripts load additional scripts dynamically. The original tag loads a tracker that loads another tracker. Nobody audits the full chain.
  • Cookie consent platforms are configured once and never re-tested to verify they actually block what they claim to block.

The biggest transparency failures aren't intentional deception. They're policies that were accurate when written but never updated as the website changed.

How Vakteye detects contradictions

Vakteye was built for exactly this problem. The process has four stages.

  1. Policy extraction: AI reads your privacy policy and extracts specific claims: which trackers you say you use, where you say data goes, what cookies you say you set, which third parties you disclose
  2. Website scanning: Automated checks analyze your website's actual behavior: cookies set, scripts loaded, data transfers initiated, DNS records, consent banner behavior, fingerprinting, session replay
  3. Comparison: Each extracted claim is compared against observed behavior. "No third-party cookies" is checked against the actual cookie inventory. "EU-only processing" is checked against observed data transfer destinations.
  4. Evidence packaging: Every contradiction comes with forensic evidence: HAR files showing the network requests, screen recordings of the browser session, and cookie diffs showing what was set and when

Each finding is mapped to the relevant GDPR articles. Cookie contradictions reference Article 5(1)(a) and ePrivacy Article 5(3). Transfer contradictions reference Articles 44-49. Information gaps reference Article 13.

Run a contradiction scan on your site

Vakteye reads your privacy policy, scans your website, and flags every discrepancy. Automated, evidence-backed, mapped to GDPR articles.


EDPB 2026 transparency enforcement makes this urgent

The EDPB's 2026 coordinated enforcement framework means the participating EEA data protection authorities audit transparency simultaneously, using a shared methodology. IMY participates with its own approach on top of the shared EDPB one.

What the auditors check is straightforward: they read your privacy policy, scan your website, and verify whether the two match. Automated tools make this fast. Manual investigation follows for discrepancies.

Organizations found to have contradictions between their stated practices and actual behavior face enforcement under Article 83(5), the higher fine tier: up to EUR 20 million or 4% of global turnover. The contradiction itself is the violation. You don't need to cause harm. The misleading information is enough.

A step-by-step self-audit

  1. Read your privacy policy and list every factual claim: which cookies, which third parties, which countries, which legal bases, which retention periods
  2. Open your website in a fresh incognito window with no extensions and cookies cleared. Before interacting with the consent banner, check the Network tab (turn on "Preserve log" so a redirect doesn't wipe the early requests) and the Cookies view under the Application tab in DevTools. Are cookies already set? Are third-party requests firing?
  3. Accept cookies and compare: which new cookies appear? Do they match what your policy discloses?
  4. Deny cookies and compare: do tracking cookies persist? Are third-party scripts still loading?
  5. Check your DNS records for CNAME entries pointing to external tracking services. A host like metrics.yourdomain.com that resolves to a vendor looks first-party in the Network tab but is not
  6. Verify that every third-party script in your source code and in your tag manager container has a corresponding disclosure in your privacy policy. Tags added through the tag manager never appear in the repository

This manual process takes hours and misses dynamic behavior. Automated scanning catches what manual reviews cannot: delayed script loading, cookie syncing, CNAME-cloaked domains, and consent banner bypass behavior.
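The comparison stage described in the detection section above and steps 2 through 6 of the self-audit are the same operation: take what the browser did, take what the policy claims, and diff them. The script below is an added example (not Vakteye's code or tooling) that does that diff over the artefacts a manual audit produces anyway: a HAR export, the cookie list copied from the Application tab before the banner was answered and again after "Deny", the third-party domains the policy discloses, and a map of CNAME answers for first-party-looking hosts. The tracker cookie prefixes, the vendor names, and all sample data are constructed for illustration; the two-label registrable-domain rule is an assumption that a real tool would replace with the Public Suffix List.

```javascript
// Added example: diff a privacy policy's claims against observed browser behaviour.
// Inputs are what a self-audit already produces: a HAR capture, cookie snapshots
// (before consent, after "Deny"), disclosed domains from the policy, and CNAME
// answers from `dig`. Everything below is constructed sample data.

// Registrable-domain approximation: last two labels. Assumption for this example;
// a production tool should use the Public Suffix List (co.uk etc.).
function baseDomain(host) {
  return host.toLowerCase().replace(/^\.|\.$/g, "").split(".").slice(-2).join(".");
}

// Cookie-name prefixes of well-known trackers (constructed, non-exhaustive).
const TRACKER_COOKIES = [
  ["_ga", "Google Analytics 4"], ["_gid", "Google Analytics"],
  ["_fbp", "Meta Pixel"], ["_fbc", "Meta Pixel"],
  ["_hj", "Hotjar"], ["hubspotutk", "HubSpot"], ["li_", "LinkedIn"],
];

function trackerFor(name) {
  const hit = TRACKER_COOKIES.find(([prefix]) => name.startsWith(prefix));
  return hit ? hit[1] : null;
}

// A host is "disclosed" if the policy names it or a parent domain of it.
function isCovered(host, disclosedDomains) {
  return disclosedDomains.some((d) => host === d || host.endsWith("." + d));
}

// Keep only tracker cookies. firstPartyByDomain records the Domain attribute,
// which is what "no third-party cookies" claims usually hide behind: _ga and
// _fbp sit on your domain, yet their identifiers are sent to the vendor.
function classifyCookies(cookies, siteBase) {
  return cookies.flatMap((c) => {
    const vendor = trackerFor(c.name);
    if (!vendor) return []; // e.g. a session cookie: essential, not a tracker
    return [{ name: c.name, vendor, firstPartyByDomain: baseDomain(c.domain) === siteBase }];
  });
}

function auditSite({ har, siteHost, consentAt, cookiesBeforeConsent, cookiesAfterDeny,
                     disclosedDomains, cnameMap = {} }) {
  const siteBase = baseDomain(siteHost);
  const consentTs = Date.parse(consentAt);
  const preConsentThirdPartyHosts = new Set();
  const undisclosedThirdParties = new Set();
  const cloakedHosts = [];

  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    const realHost = cnameMap[host] || host;          // follow CNAME cloaking
    if (baseDomain(realHost) === siteBase) continue;  // genuinely first-party
    if (realHost !== host) cloakedHosts.push(`${host} -> ${realHost}`);
    if (Date.parse(entry.startedDateTime) < consentTs) preConsentThirdPartyHosts.add(realHost);
    if (!isCovered(realHost, disclosedDomains)) undisclosedThirdParties.add(realHost);
  }

  return {
    preConsentTrackers: classifyCookies(cookiesBeforeConsent, siteBase),   // ePrivacy 5(3), GDPR 5(1)(a)
    persistAfterDeny: classifyCookies(cookiesAfterDeny, siteBase),         // "Deny" that did not deny
    preConsentThirdPartyHosts: [...preConsentThirdPartyHosts].sort(),      // Art. 44-49 if outside the EU
    undisclosedThirdParties: [...undisclosedThirdParties].sort(),          // Art. 13(1)(e) recipients
    cloakedHosts,
  };
}

// Constructed sample: a site whose policy discloses Google Analytics only,
// and whose consent banner was answered with "Deny" at 10:00:05.
const SAMPLE = {
  siteHost: "www.example.com",
  consentAt: "2026-03-16T10:00:05.000Z",
  disclosedDomains: ["google-analytics.com", "googletagmanager.com"],
  cnameMap: { "metrics.example.com": "ingest.adtech-vendor.example" }, // from dig CNAME
  har: { log: { entries: [
    { startedDateTime: "2026-03-16T10:00:00.000Z", request: { url: "https://www.example.com/" } },
    { startedDateTime: "2026-03-16T10:00:00.300Z", request: { url: "https://www.googletagmanager.com/gtag/js?id=G-ABC123" } },
    { startedDateTime: "2026-03-16T10:00:00.600Z", request: { url: "https://cdn.example.com/app.js" } },
    { startedDateTime: "2026-03-16T10:00:00.900Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
    { startedDateTime: "2026-03-16T10:00:01.200Z", request: { url: "https://region1.google-analytics.com/g/collect?v=2" } },
    { startedDateTime: "2026-03-16T10:00:01.500Z", request: { url: "https://metrics.example.com/collect" } },
    { startedDateTime: "2026-03-16T10:00:06.000Z", request: { url: "https://www.example.com/api/consent" } },
  ] } },
  cookiesBeforeConsent: [
    { name: "session_id", domain: "www.example.com" },
    { name: "_ga", domain: ".example.com" }, { name: "_ga_ABC123", domain: ".example.com" },
    { name: "_fbp", domain: ".example.com" },
  ],
  cookiesAfterDeny: [
    { name: "session_id", domain: "www.example.com" },
    { name: "_ga", domain: ".example.com" }, { name: "_ga_ABC123", domain: ".example.com" },
    { name: "_fbp", domain: ".example.com" },
  ],
};

console.log(JSON.stringify(auditSite(SAMPLE), null, 2));
```

On the sample, the report shows three tracker cookies present before the banner was answered and still present after "Deny", four third-party hosts contacted before consent, two of them undisclosed (Meta, and the vendor hiding behind metrics.example.com), and one cloaked host. Note that every flagged cookie is first-party by its Domain attribute; a check that only counts cookies on foreign domains would have reported the site as clean.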

Fix the process, not just the policy

Updating your privacy policy fixes today's contradictions. Fixing the process prevents tomorrow's.

  • Require DPO sign-off before adding any new tracking script or third-party integration
  • Schedule automated scans after every website deployment
  • Audit tag manager configurations monthly. They change without deployments
  • Keep your privacy policy in version control alongside your website code
  • Document each third-party service, its purpose, legal basis, and data transfer details in a processing register

Continuous monitoring catches drift. A privacy policy that was accurate on Monday can be wrong by Friday if someone adds a new marketing tag.

See your policy vs. reality report

Vakteye extracts your privacy policy claims, scans your website's actual behavior, and shows every contradiction with forensic evidence. Stop guessing. Start verifying.
