Privacy Policy or Terms Not Easily Discoverable

The FTC fined Avast $16.5M in 2024 for collecting and selling browsing data that contradicted their privacy policy promises (FTC enforcement action). Privacy policies and terms must be easily discoverable — not just present, but findable. Most legal frameworks (GDPR, CCPA, FTC Act) require clear, accessible disclosure. A footer link is the minimum standard.

Start here

Before You Fix It: What This Check Means

Policy disclosure checks whether users can actually find up-to-date privacy and cookie information. In plain terms, users should be able to quickly find clear privacy and cookie explanations. Scavo evaluates two controls.

Why this matters in practice: this signal influences reliability, trust, and diagnosability of your production setup.

How to use this result: treat it as directional evidence, not final truth. It reflects what was observable at scan time and should be verified in your own production context. First, confirm the issue in live output: verify directly in live production output with browser/network tools. Then ship one controlled change: keep privacy/cookie links in shared footer/header partials. Finally, re-scan the same URL to confirm the result improves.

TL;DR: Your privacy policy and terms of service aren't linked from the footer or main navigation, making them hard to find.

What Scavo checks (plain English)

Scavo evaluates two controls:

  • LC-T4: is a privacy-policy/notice link discoverable?
  • LC-T5: when cookie/tracking indicators are observed, is a cookie disclosure link discoverable?

Current logic highlights:

  • a missing privacy link is a fail signal
  • if tracking indicators are observed and the cookie link is missing, the check fails
  • if tracking indicators are not observed, the cookie-link control can be reported as not_applicable

Tracking indicators can include non-essential hosts, pre-consent cookies, and pre-consent storage keys.

How Scavo scores this check

Scavo assigns one result state for this check on the tested page:

  • Pass: baseline signals for this check were found.
  • Warning: partial coverage or risk signals were found and should be reviewed.
  • Fail: required signals were missing or risky behavior was confirmed.
  • Info: Scavo could not gather enough reliable evidence on this run to score pass/fail confidently.

In your scan report, this appears under What failed / What needs attention / What is working for legal_policy_disclosure, followed by Recommended next steps and Technical evidence (for developers) when needed.

  • Scan key: legal_policy_disclosure
  • Category: LEGAL_COMPLIANCE

Why fixing this matters

Users cannot make informed choices if they cannot find basic disclosure surfaces where data collection is happening.

For operations teams, broken disclosure links are a common regression during footer/nav redesigns and localization changes.

If you are not technical

  1. Check that privacy and cookie links are visible on key public pages.
  2. Click both links and confirm they are live and readable.
  3. If your site uses tracking, make sure cookie disclosure is easy to reach.
  4. Re-run Scavo and confirm this check improves.

Technical handoff message

Copy and share this with your developer.

Scavo flagged Legal policy disclosure (legal_policy_disclosure). Please restore visible privacy and cookie disclosure links on scanned page surfaces, especially where tracking indicators exist, and confirm link integrity across primary templates.

If you are technical

  1. Keep privacy/cookie links in shared footer/header partials.
  2. Ensure localized routes still expose equivalent disclosure surfaces.
  3. Add tests that fail builds when core legal links are missing or broken.
  4. Keep disclosure routing stable during redesigns and A/B experiments.
  5. Review cookie-link visibility where trackers are present.
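Added example (not Scavo's own code, and not its exact matching rules): a small Python checker that approximates the two controls described above, LC-T4 (privacy link discoverable in footer/nav) and LC-T5 (cookie link discoverable when tracking indicators are observed, otherwise not_applicable), and wraps them in a build-failing assertion of the kind step 3 asks for. The HTML fragments, the first-party host list, the third-party script host and the pre-consent cookie and storage-key names are all constructed for the example; the keyword matching (`privacy`, `cookie` in link text or href) is an assumption, not Scavo's published logic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword heuristics for "discoverable" legal links (not Scavo's exact rules).
PRIVACY_WORDS = ("privacy",)
COOKIE_WORDS = ("cookie",)


class LinkCollector(HTMLParser):
    """Collects <a href> links inside <footer>/<nav> and the hosts of <script src> tags."""

    def __init__(self):
        super().__init__()
        self.depth = 0            # nesting depth inside footer/nav elements
        self.links = []           # (href, lower-cased link text) for anchors in footer/nav
        self.script_hosts = []    # hostnames of externally sourced scripts
        self._href = None         # href of the anchor currently being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("footer", "nav"):
            self.depth += 1
        elif tag == "a" and self.depth > 0:
            self._href = a.get("href") or ""
            self._text = []
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname   # None for relative paths
            if host:
                self.script_hosts.append(host)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag in ("footer", "nav"):
            self.depth -= 1
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip().lower()))
            self._href = None


def evaluate(html, first_party_hosts, preconsent_cookies=(), preconsent_storage_keys=()):
    """Return LC-T4/LC-T5 result states for one page plus the tracking indicators seen.

    preconsent_cookies / preconsent_storage_keys are names observed before any consent
    interaction (e.g. from response Set-Cookie headers or a browser storage dump).
    """
    parser = LinkCollector()
    parser.feed(html)

    def discoverable(words):
        return any(any(w in href.lower() or w in text for w in words)
                   for href, text in parser.links)

    indicators = {
        "non_essential_hosts": sorted({h for h in parser.script_hosts if h not in first_party_hosts}),
        "preconsent_cookies": sorted(preconsent_cookies),
        "preconsent_storage_keys": sorted(preconsent_storage_keys),
    }
    tracking_observed = any(indicators.values())

    lc_t4 = "pass" if discoverable(PRIVACY_WORDS) else "fail"
    if not tracking_observed:
        lc_t5 = "not_applicable"
    else:
        lc_t5 = "pass" if discoverable(COOKIE_WORDS) else "fail"
    return {"LC-T4": lc_t4, "LC-T5": lc_t5, "indicators": indicators}


def assert_legal_links(html, first_party_hosts, **observed):
    """Build-gate helper: raise AssertionError when either control fails (step 3 above)."""
    result = evaluate(html, first_party_hosts, **observed)
    failed = [k for k in ("LC-T4", "LC-T5") if result[k] == "fail"]
    assert not failed, f"legal_policy_disclosure failed: {failed} {result['indicators']}"
    return result


# Constructed sample fragments (footer rendered from a shared partial).
FOOTER_OK = ('<footer><a href="/legal/privacy">Privacy Policy</a> '
             '<a href="/legal/cookies">Cookie Notice</a></footer>')
FOOTER_PRIVACY_ONLY = '<footer><a href="/legal/privacy">Privacy Policy</a></footer>'
THIRD_PARTY_SCRIPT = '<script src="https://cdn.example-analytics.test/tag.js"></script>'
FIRST_PARTY = {"www.example.test"}

if __name__ == "__main__":
    print(evaluate(THIRD_PARTY_SCRIPT + FOOTER_OK, FIRST_PARTY, preconsent_cookies=["tracker_id"]))
    print(evaluate(THIRD_PARTY_SCRIPT + FOOTER_PRIVACY_ONLY, FIRST_PARTY))
    print(evaluate(FOOTER_PRIVACY_ONLY, FIRST_PARTY))
```

Run `evaluate` (or `assert_legal_links` inside a template test) against rendered output of each primary template and each locale route, not just the default one, so a footer partial that is dropped in one locale fails the build rather than the next scan.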

How to verify

  • Confirm both links are present and clickable in production.
  • Confirm destination routes are indexable/public (not auth-walled by mistake).
  • Confirm tracking-heavy pages still expose disclosure surfaces.
  • Re-run Scavo and inspect LC-T4/LC-T5 outcomes.

What this scan cannot confirm

  • It is not a full legal sufficiency analysis of policy text.
  • It is page-scope automation and may not cover every deep route in one run.
  • It cannot guarantee disclosures are complete for every jurisdictional requirement.

Owner checklist

  • [ ] Assign one owner for disclosure-link integrity.
  • [ ] Keep legal-link checks in template QA.
  • [ ] Revalidate after navigation/footer and locale routing changes.
  • [ ] Maintain a small checklist for policy URL migrations.

FAQ

Not usually. If cookie/tracking indicators exist, a dedicated cookie disclosure surface is expected in this check.

Why can LC-T5 be not applicable?

Because this check may not observe tracking indicators on that specific page run.

Yes, if links are missing on scanned surfaces where runtime signals indicate they should be present.

What tends to break first?

Shared footer/nav refactors, locale-route mismatches, and CMS link edits.

This guide is operational guidance, not legal advice.

More checks in this area

legal_post_reject_tracking: Tracking Continues After Cookie Rejection — GDPR Non-Compliance

The EDPB Cookie Banner Taskforce confirmed that when users reject cookies, all third-party tracking must stop immediately (EDPB Report, 2023-2024). Sweden's data authority ruled in March 2025 that even making the "accept" button more visually prominent than "refuse" violates compliance rules. If your trackers persist after rejection, you're not just non-compliant — you're creating audit evidence against yourself.

legal_preconsent_tracking: Tracking Fires Before Cookie Consent — GDPR Violation Risk

CNIL fined Google €150M in 2021 for making cookie rejection harder than acceptance, then escalated to a €325M fine in September 2025 for inserting ads without valid consent (CNIL enforcement records). These aren't just big-company problems — the EDPB's 2024 guidelines confirm that any storage or access to information on user devices (cookies, URL tracking, pixel tracking) requires prior consent. Every unconsented tracker impression is a violation.

legal_sensitive_tracker_risk: High-Risk Trackers Active Without Explicit Consent

GDPR classifies browser fingerprinting as personal data processing requiring prior consent, and session replay tools that capture form data or personal information require explicit, informed consent (GDPR Article 4). Non-compliance carries fines up to €20M or 4% of global annual revenue, whichever is higher (GDPR Article 83). These are the highest-risk trackers regulators look for because they're inherently invasive.