Privacy Policy Doesn't Match Actual Tracking Behaviour

The FTC fined Avast $16.5M in 2024 specifically because their privacy policy claimed data was "pseudonymised and anonymised" while they actually shared granular, non-aggregated browsing data with subsidiary Jumpshot (FTC, 2024). Regulators now routinely audit whether privacy policy claims match runtime behaviour. Scavo checks this by comparing your declared tracking practices against what actually loads on your pages.

Start here

Before You Fix It: What This Check Means

Disclosure reconciliation checks whether privacy claims match observed tracking behavior. In plain terms, what your policy says should match what your site actually does. Scavo evaluates two controls.

Why this matters in practice: this signal influences reliability, trust, and diagnosability of your production setup.

How to use this result: treat this as directional evidence, not final truth. This result reflects what was observable at scan time and should be verified in your own production context. First, confirm the issue in live output: verify directly in live production output with browser/network tools Then ship one controlled change: Build/refresh provider inventory from runtime evidence. Finally, re-scan the same URL to confirm the result improves.

Background sources

TL;DR: What your privacy policy claims and what your site actually does with trackers don't match — creating legal liability.

The FTC fined Avast $16.5M in 2024 specifically because their privacy policy claimed data was "pseudonymised and anonymised" while they actually shared granular, non-aggregated browsing data with subsidiary Jumpshot (FTC, 2024). Regulators now routinely audit whether privacy policy claims match runtime behaviour. Scavo checks this by comparing your declared tracking practices against what actually loads on your pages.

What Scavo checks (plain English)

Scavo evaluates two controls:

  • LC-T4: privacy disclosure alignment versus observed provider/runtime signals
  • LC-T5: cookie disclosure alignment versus observed provider/runtime signals

Failure patterns in current logic include:

  • provider/tracker signals are present but privacy/cookie disclosure links are missing
  • page text claims "no third-party" or "no tracking" while provider signals are observed

Warning pattern:

  • disclosure links exist, but provider names/signals are weakly reflected in page-level disclosure markers

How Scavo scores this check

Scavo assigns one result state for this check on the tested page:

  • Pass: baseline signals for this check were found.
  • Warning: partial coverage or risk signals were found and should be reviewed.
  • Fail: required signals were missing or risky behavior was confirmed.
  • Info: Scavo could not gather enough reliable evidence on this run to score pass/fail confidently.

In your scan report, this appears under What failed / What needs attention / What is working for legal_disclosure_reconciliation, followed by Recommended next steps and Technical evidence (for developers) when needed.

  • Scan key: legal_disclosure_reconciliation
  • Category: LEGAL_COMPLIANCE

Why fixing this matters

Trust breaks fastest when policy language and runtime behavior disagree. Users and buyers interpret mismatch as either poor governance or intentional opacity.

Internally, mismatch increases cross-team rework because legal copy, product implementation, and tag operations are not synchronized.

If you are not technical

  1. Compare policy claims with a real runtime tracker inventory from your team.
  2. Ask for one short table: provider name, purpose, consent category, where disclosed.
  3. Remove broad claims like "no third-party tracking" unless they are provably true.
  4. Re-run Scavo after updates and confirm mismatch signals clear.

Technical handoff message

Copy and share this with your developer.

Scavo flagged Legal disclosure reconciliation (legal_disclosure_reconciliation). Please reconcile policy claims and legal links with observed provider/runtime signals, remove contradictory claims, and provide evidence mapping providers to disclosure text.

If you are technical

  1. Build/refresh provider inventory from runtime evidence.
  2. Ensure privacy and cookie disclosures are linked from active page surfaces.
  3. Remove absolute claims that no longer match production behavior.
  4. Keep disclosure updates in the same change set as tag/provider changes.
  5. Add a release check for link presence and core claim integrity.

How to verify

  • Validate privacy/cookie links are visible and working.
  • Compare observed provider list with disclosed provider language.
  • Confirm no contradictory "no tracking" claims remain where trackers run.
  • Re-run Scavo and check LC-T4/LC-T5 outcomes.

What this scan cannot confirm

  • It is not a full legal-policy interpretation engine.
  • It does not deeply parse every linked policy page in every locale.
  • It cannot detect providers that are fully server-side and absent from observable page signals.

Owner checklist

  • [ ] Assign owner for disclosure/runtime reconciliation.
  • [ ] Maintain provider inventory as a living artifact.
  • [ ] Review claims after each tag/CMP/vendor change.
  • [ ] Keep legal and engineering sign-off coupled for high-risk edits.

FAQ

Can we pass with generic disclosure text only?

Possibly in low-signal scenarios, but specific provider-purpose clarity is safer and usually more durable.

Why does "no tracking" language cause hard failures?

Because strong contradictory language plus observed tracking is a high-confidence mismatch.

Do we need to list every vendor on every page?

Not necessarily, but users must be able to find accurate disclosure quickly from relevant surfaces.

How often should we reconcile disclosures?

At minimum after every tracking-vendor change, CMP change, or policy refresh.

Sources

This guide is operational guidance, not legal advice.

Related Guides

More checks in this area

Legal & Compliance legal_post_reject_tracking

Tracking Continues After Cookie Rejection — GDPR Non-Compliance

The EDPB Cookie Banner Taskforce confirmed that when users reject cookies, all third-party tracking must stop immediately (EDPB Report, 2023-2024). Sweden's data authority ruled in March 2025 that even making the "accept" button more visually prominent than "refuse" violates compliance rules. If your trackers persist after rejection, you're not just non-compliant — you're creating audit evidence against yourself.

Open guide
Legal & Compliance legal_preconsent_tracking

Tracking Fires Before Cookie Consent — GDPR Violation Risk

CNIL fined Google €150M in 2021 for making cookie rejection harder than acceptance, then escalated to a €325M fine in September 2025 for inserting ads without valid consent (CNIL enforcement records). These aren't just big-company problems — the EDPB's 2024 guidelines confirm that any storage or access to information on user devices (cookies, URL tracking, pixel tracking) requires prior consent. Every unconsented tracker impression is a violation.

Open guide
Legal & Compliance legal_sensitive_tracker_risk

High-Risk Trackers Active Without Explicit Consent

GDPR classifies browser fingerprinting as personal data processing requiring prior consent, and session replay tools that capture form data or personal information require explicit, informed consent (GDPR Article 4). Non-compliance carries fines up to €20M or 4% of global annual revenue, whichever is higher (GDPR Article 83). These are the highest-risk trackers regulators look for because they're inherently invasive.

Open guide

Raccoon Cookie Checkpoint

Can we use optional cookies?

Essentials always stay on. Optional cookies help with preferences, analytics, and smarter prompts.

Current setting: Decision needed