Privacy guide

Do companies actually follow their own privacy policy?

How to compare a privacy policy with real website behavior, trackers, consent flows and disclosure gaps.

The simple answer

A privacy policy is a promise, but the website is the behavior. To check if a company follows its policy, compare what the policy says with what loads on the page.

If the policy says vendors are limited but the page loads many outside tools, the next question is whether those tools are named and explained.

What to check

1
Look for named vendors in the policy.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

2
Check browser developer tools or tracker blockers.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

3
Compare ad pixels and analytics tools with policy language.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

4
Watch for consent banners that bundle everything into one click.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

From our investigation

The gap is where the story lives.

Our investigation found that tracker observations and policy text need to be read together. The policy alone can sound safe. The network traffic shows what actually happens.

What to do next

1
Ask companies to name their processors and trackers.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

2
Document what you observed before making a complaint.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

3
Use the gap as a starting point, not a final legal conclusion.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

People also ask

Can a company break its own privacy policy?

It can create risk if actual data practices do not match what users were told.

How do I prove a mismatch?

Capture the policy text, date, page URL and observed tracker or data flow.

Does every undisclosed tracker mean wrongdoing?

Not automatically. It means the disclosure deserves review.

If you are a company
Check your own website.

How many trackers run on your pages? Does your privacy policy name them? Can you answer a data-rights email? If you don't know, we can help you find out.

Talk to Meridian Bridge Strategy →
Your right under Indian law
Mera data mera hai.

Your personal data belongs to you. Under DPDP, every company must tell you what they have and delete it if you ask. One email is all it takes.

Get the template email →
Read the full investigation.

We investigated 107 Indian company websites. The public report shows what we found.

Read the reportTry the experience