The Policy-Practice Gap: The Most Dangerous Privacy Risk You're Not Measuring

11 Jan 2022

Most companies have a privacy policy. Far fewer have privacy practices that match what the policy says. The gap between the two — the policy-practice gap — is one of the most consistent factors in regulatory enforcement actions, FTC complaints, and privacy class action litigation. It is also one of the most preventable sources of privacy risk, and one of the least systematically measured.

Understanding why this gap exists, how it is detected by regulators and plaintiffs, and what it takes to close it is foundational to building a privacy program that actually reduces risk rather than just documenting compliance.

How the Policy-Practice Gap Forms

Privacy policies are typically written by legal teams at a specific point in time, often when a product launches or when regulatory requirements first appear on the compliance radar. They describe data practices as the legal team understands them at the time of drafting: what data is collected, why, how it is shared, and how long it is retained.

Technology practices evolve continuously and at a pace that legal and compliance processes rarely match. Marketing teams add third-party tracking pixels through tag management systems without privacy review. Engineering teams integrate new vendor SDKs that include data collection components the company doesn't fully understand. Product teams add features — social login, personalization, behavioral analytics — that create new data flows. Vendors update their own tools in ways that change the data they collect.

Each of these changes is small in isolation. Cumulatively, they create a technology stack that often looks quite different from the practices described in the privacy policy. The company believes its disclosures are accurate. The policy says so. But the actual observable behavior of the technology tells a different story to anyone who looks carefully.

How Regulators and Plaintiffs Detect It

The policy-practice gap is detectable from outside the company, and regulators and plaintiffs' counsel have become increasingly sophisticated at finding it.

The FTC's approach is well-documented through its enforcement actions. The agency examines the actual data flows from a company's digital properties — what data is transmitted to third parties, what identifiers are shared, what behavioral signals are captured — and compares these observations to what the privacy policy discloses. Where there is a meaningful discrepancy, the FTC can bring an enforcement action under its authority over unfair and deceptive practices. The Facebook consent decree, the Google enforcement actions, and dozens of smaller FTC actions all follow the same basic pattern: actual practices diverged from stated policies, and the company knew or should have known.

State attorneys general use similar methodologies. California's CPPA has issued guidance on audit techniques that involve observing actual website behavior — using browser inspection tools to identify third-party data flows — and comparing those observations to privacy policy disclosures. Oregon, Colorado, and Texas have signaled similar approaches.

Plaintiffs' counsel has developed proprietary tools to scale this analysis. Law firms specializing in consumer privacy class actions have built scanning infrastructure that can assess thousands of websites, identify tracking deployments, compare them to privacy policy language, and flag potential claims — all before any contact with the company. VPPA and CIPA filings routinely cite specific technical observations about pixel deployments, JavaScript loading sequences, and network traffic that the filing firms obtained through outside-in technical analysis before the lawsuit was filed.

"We don't need a whistleblower or a breach notification to know what a company is doing with data. We just need to visit their website with the right tools." — Privacy class action attorney

The Specific Gaps That Drive Litigation

Not all policy-practice gaps are created equal. The gaps that most consistently appear in enforcement actions and litigation follow recognizable patterns.

Third-Party Sharing Not Disclosed

The most common gap is a straightforward one: companies transmit user data to third parties that aren't disclosed in the privacy policy, or that aren't disclosed in the specific context where the sharing occurs. The Meta Pixel transmits page views, purchase events, and behavioral signals to Facebook's servers. If the privacy policy doesn't specifically disclose this, and doesn't obtain consent where legally required, the gap is actionable.

Sensitive Data Handled Inconsistently With Policy

Policies often describe special handling for sensitive data categories: health information, financial data, children's data, biometric identifiers. Where the actual technology handles these categories inconsistently with the stated policy — sharing health-adjacent signals with ad networks despite a policy that says health data won't be shared, for example — the gap is particularly serious.

Retention Practices That Don't Match Stated Periods

Data retention commitments in privacy policies are frequently aspirational rather than operational. The policy says data is deleted after 12 months. The actual database contains records going back seven years. The technical systems don't implement the retention periods the legal team wrote. This gap is harder to observe from outside the company but appears consistently in regulatory investigations that obtain discovery.

Consent Mechanisms That Don't Work as Described

Privacy policies describe opt-out mechanisms, consent withdrawal processes, and data deletion rights. Where the technical implementation of these mechanisms doesn't actually work as described — opt-out signals aren't processed, deletion requests don't cascade through the data ecosystem, consent preferences don't persist across sessions — the gap between policy and practice is directly actionable under state privacy laws with opt-out requirements.

Closing the Gap Requires Continuous Observation

The fundamental challenge with the policy-practice gap is that it is not a state to be assessed once and remediated. It is a condition that re-forms continuously as technology evolves while privacy policies stay static. Closing it requires a different operational model than most privacy programs use.

The most effective approach is continuous outside-in monitoring of actual data practices, compared against stated policies. This means regularly assessing what data flows actually exist from the company's digital properties, what third parties receive data, what consent mechanisms actually do in practice, and how these observations compare to current policy language. When gaps emerge — and they will — there is a process for triaging them: which create litigation exposure, which create regulatory risk, which require immediate remediation versus policy update.
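The comparison step of that monitoring loop, as an added example that is not part of the original post: a script that walks a request log captured from a company's own site (the kind a browser's network panel or a HAR export produces), sorts each destination host into first party, disclosed third party, or undisclosed third party, and additionally flags requests that carry a sensitive-category parameter or that fired before the visitor had consented. The first-party domain, the disclosed vendor, the parameter names, and every log entry below are constructed for illustration and stand in for a company's real policy and traffic.

```python
"""Outside-in policy-practice gap check over a captured request log.

Added example; not code from the original post. All domains, parameter
names and log entries are constructed. In practice the log would come from
a browser network panel or a HAR export, and the disclosed-vendor set from
the current privacy policy text.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed: the company's own domain (subdomains count as first party).
FIRST_PARTY = "shop.example"

# Constructed: third parties the privacy policy actually names.
DISCLOSED_THIRD_PARTIES = {"analytics.example-vendor.com"}

# Constructed: parameter names whose presence in an outbound request would
# mean a sensitive category the policy promises not to share has left the site.
SENSITIVE_PARAMS = {"diagnosis", "condition", "dob", "ssn"}


@dataclass(frozen=True)
class Request:
    """One captured network request."""
    url: str
    consent_given: bool  # consent banner state at the moment the request fired


@dataclass(frozen=True)
class Finding:
    kind: str   # undisclosed_third_party | sensitive_data_to_third_party | pre_consent_transfer
    host: str
    url: str


def _is_under(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify_host(host: str) -> str:
    """Map a destination host to first party, disclosed or undisclosed third party."""
    if _is_under(host, FIRST_PARTY):
        return "first_party"
    if any(_is_under(host, d) for d in DISCLOSED_THIRD_PARTIES):
        return "disclosed_third_party"
    return "undisclosed_third_party"


def audit(log):
    """Compare observed third-party transfers against what the policy discloses."""
    findings = []
    for req in log:
        parts = urlsplit(req.url)
        host = (parts.hostname or "").lower()
        role = classify_host(host)
        if role == "first_party":
            continue  # data staying on the company's own domain is not a transfer
        if role == "undisclosed_third_party":
            findings.append(Finding("undisclosed_third_party", host, req.url))
        # Any third party receiving a sensitive-category parameter is a finding,
        # whether or not the vendor itself is disclosed.
        params = {k.lower() for k in parse_qs(parts.query)}
        if params & SENSITIVE_PARAMS:
            findings.append(Finding("sensitive_data_to_third_party", host, req.url))
        # A transfer that happens before consent contradicts a policy that
        # describes the consent mechanism as gating third-party sharing.
        if not req.consent_given:
            findings.append(Finding("pre_consent_transfer", host, req.url))
    return findings


def summarize(findings):
    """Count findings per kind, for triage."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample log: five requests observed during one page visit.
SAMPLE_LOG = [
    Request("https://shop.example/cart", True),
    Request("https://analytics.example-vendor.com/collect?ev=pageview", True),
    Request("https://tracker.adnet-example.net/px?ev=purchase&value=49.99", True),
    Request("https://tracker.adnet-example.net/px?ev=view&condition=diabetes", True),
    Request("https://analytics.example-vendor.com/collect?ev=pageview", False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.kind:32} {f.host:32} {f.url}")
    print(summarize(audit(SAMPLE_LOG)))
```

The output is the triage input the paragraph describes: an undisclosed vendor is a policy problem (disclose it or remove it), a sensitive parameter leaving the site is a practice problem regardless of disclosure, and a pre-consent transfer is a consent-mechanism defect. Run against the real site on a schedule and diffed against the previous run, the same check catches new tag-manager additions and SDK updates at the point where they open a gap rather than when a plaintiff's scanner finds them.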

Companies that have closed the policy-practice gap don't do it by writing more accurate policies. They do it by building systems that keep practices observable and maintaining policies that honestly describe what those systems actually do. The policy follows the practice, not the other way around — and the practice is continuously monitored to ensure the policy remains accurate.