What is the Say-Do Gap?
The "Say-Do Gap" is a term used by privacy regulators to describe the contradiction between what a company claims in its legal documents and what its technical infrastructure actually does.
Example:
Your Privacy Policy states: "We only use essential cookies and do not track you without explicit consent."
Meanwhile, your website fires a Facebook Pixel, Google Analytics, and a LinkedIn Insight Tag the moment a visitor lands on your homepage—before any consent is given.
This gap is not a technicality. It is classified as a deceptive business practice under GDPR Article 12 (Transparency) and can trigger automated fines.
Why Does This Happen?
It's rarely intentional. The Say-Do Gap typically emerges from organizational silos:
| Department | Action | Result |
|---|---|---|
| Legal/Compliance | Drafts a privacy policy from a template | Policy is static |
| Marketing | Installs new analytics to track conversions | New trackers added |
| Engineering | Updates a CMS plugin or library | Dependencies change |
The Problem: These teams rarely coordinate. The privacy policy is treated as a "set and forget" document, while the codebase evolves weekly.
The Regulatory Reality
Regulators treat the Say-Do Gap as worse than having no policy at all. Here's why:
- No Policy: Ignorance, potentially unintentional.
- Policy + Gap: You made a promise to users and broke it. This is seen as active deception.
In 2024, the Austrian DPA fined a small e-commerce site €8,000 specifically because their privacy policy mentioned "no third-party tracking," while their website contained 6 undisclosed trackers. The company's defense—"our marketing team didn't tell legal"—was dismissed.
How to Close the Gap
1. Treat Your Policy as a Living Document
Every time you add a new tool (email platform, analytics, chat widget), update your privacy policy. Make it part of your deployment checklist.
2. Run Technical Audits (Not Just Legal Reviews)
Don't ask "Is our policy legally compliant?" Ask "Does our website behavior match what our policy says?" These are two different questions.
3. Automate Monitoring
Manual checks are useful but don't scale. You need automated tools that alert you when a new tracker appears that isn't documented in your policy.
How SMB Compliance Check Helps
Our Deep Audit feature was specifically designed to detect Say-Do Gaps:
- Policy Extraction: We parse your `/privacy` or `/privacy-policy` page and extract all claims you make about data collection.
- Technical Scan: We simulate a real user visit and capture every network request, cookie, and local storage write.
- Gap Analysis: Our AI compares the two and highlights contradictions—with specific line references to both your policy and your code.
The Result: A clear report showing exactly where your words and actions don't match, so you can fix it before a regulator finds it.
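The automated monitoring recommended under step 3 and the technical scan / gap analysis described above come down to one comparison: the third parties a site actually contacts before consent versus the ones its policy discloses. The following added example (not SMB Compliance Check's product code) shows a minimal version of that check; the vendor host patterns, aliases, sample policy text and captured request URLs are constructed for illustration and would normally come from a request log such as a HAR export.

```python
import re
from urllib.parse import urlparse

# Constructed vendor catalogue (assumption for illustration, not an
# authoritative tracker list): request-host patterns and the names a
# privacy policy might use to disclose each vendor.
VENDORS = {
    "Meta Pixel": {"hosts": ("connect.facebook.net", "www.facebook.com"),
                   "aliases": ("meta pixel", "facebook pixel")},
    "Google Analytics": {"hosts": ("www.google-analytics.com", "analytics.google.com"),
                         "aliases": ("google analytics",)},
    "LinkedIn Insight Tag": {"hosts": ("snap.licdn.com", "px.ads.linkedin.com"),
                             "aliases": ("linkedin insight",)},
}

# Constructed sample inputs: the policy wording from this article and the
# requests a headless-browser visit captured before any consent banner click.
SAMPLE_POLICY = ("We only use essential cookies and do not track you "
                 "without explicit consent.")
SAMPLE_PRECONSENT_REQUESTS = [
    "https://example-shop.test/",
    "https://example-shop.test/static/app.js",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER",
    "https://snap.licdn.com/li.lms-analytics/insight.min.js",
]

def observed_trackers(request_urls):
    """Vendors whose hosts appear among the captured request URLs."""
    found = set()
    for url in request_urls:
        host = (urlparse(url).hostname or "").lower()
        for vendor, spec in VENDORS.items():
            if any(host == h or host.endswith("." + h) for h in spec["hosts"]):
                found.add(vendor)
    return found

def disclosed_trackers(policy_text):
    """Vendors the policy names (case-insensitive alias match)."""
    text = policy_text.lower()
    return {v for v, spec in VENDORS.items() if any(a in text for a in spec["aliases"])}

def say_do_gap(policy_text, preconsent_requests):
    """Contradictions between policy claims and pre-consent behaviour."""
    fired = observed_trackers(preconsent_requests)
    promises_consent_gating = re.search(r"without\s+(?:\w+\s+)?consent", policy_text, re.I)
    return {"undisclosed": sorted(fired - disclosed_trackers(policy_text)),
            "fired_before_consent": sorted(fired) if promises_consent_gating else []}
```

Running `say_do_gap(SAMPLE_POLICY, SAMPLE_PRECONSENT_REQUESTS)` flags all three vendors twice over: none is disclosed, and all fire before the consent the policy promises to wait for. A real deployment would feed the function freshly captured requests on every release so a newly added tag surfaces before a regulator sees it.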
Key Takeaways
- The Say-Do Gap is not a minor issue—it's treated as deception by regulators.
- Most gaps are accidental, caused by poor cross-team communication.
- Closing the gap requires technical auditing, not just legal review.
- Automated monitoring is essential for keeping up with a constantly changing codebase.
Ready to find your gaps? Run a free scan on your website →