Policy/runtime alignment review

Retained report evidence connected a public policy or disclosure claim to concrete runtime behavior, showed runtime third-party vendors/domains not clearly reflected in retained disclosure evidence, or retained consent-governance disclosure context as a supporting alignment review signal. Review the evidence context, methodology, common causes, and reviewer questions for this CertScore finding.

  • Criticality: High
  • Evidence confidence: Review signal
  • Direct vs inferred: Correlated observation
  • Category: Consumer protection
  • Prevalence: Formal top-finding density pending calibration

Benchmark frequency is directional market context only. It is not a compliance benchmark, legal conclusion, or severity score. Rare findings may be top-ranked only when retained evidence is strong; common findings may remain medium when evidence is automated or context-dependent. Rarity is not severity, and prevalence is not compliance risk.

Observed

Retained report evidence connected a public policy or disclosure claim to concrete runtime behavior, showed runtime third-party vendors/domains not clearly reflected in retained disclosure evidence, or retained consent-governance disclosure context as a supporting alignment review signal.

Why this matters

This observation can help reviewers decide whether the site behavior deserves deeper privacy, accessibility, consent, or consumer-protection review in context.

Detection methodology

Runtime behavior and public disclosures should be reviewed together so teams can confirm the consent flow, implementation, public policy language, and preference-management explanations are aligned.

Confidence semantics: Good when retained policy/runtime evidence includes a policy or disclosure anchor, runtime anchor, and explicit bridge rationale; the runtime_vendor_not_disclosed subtype may support this parent when observed runtime third-party vendors or domains did not clearly match retained privacy, downstream-sharing, cookie, CMP, or privacy-choice disclosure surfaces. Stronger direct runtime findings should remain primary when they use the same vendor or domain evidence. Manual review is still needed for disclosure scope, vendor ownership, applicability, and remediation quality.

Top-finding calibration

What must be retained to surface, top-rank, demote, or suppress this finding.

Minimum to surface

  • A retained policy/disclosure anchor plus concrete runtime behavior anchor and explicit bridge provenance, or retained runtime-vendor disclosure mismatch evidence under the alignment subtype.

High confidence requires

  • Policy source URL, policy snippet or reached disclosure surface, runtime request/storage/vendor anchor, and deterministic bridge rationale.
  • Consent governance disclosure gaps are supporting alignment context unless an existing policy/runtime finding passes its normal gates.

Top ranking requires

  • Pre-consent, post-reject, cookie, sharing, sensitive-surface, or promotion-grade runtime vendor/domain behavior with retained disclosure alignment evidence.

Demote or suppress when

  • Policy claim only.
  • Runtime behavior only.
  • Missing bridge provenance.
  • Generic contradiction copy without concrete anchors.
  • Same vendor/domain evidence already supports a stronger direct runtime finding.

These rules describe ranking calibration for already-projected findings. They do not create findings from raw signals.

Example evidence

Representative runtime context

provider ownership, policy variants, applicability, and legal review

Key counts

Runtime context entries: 4

Runtime vendor disclosure alignment example

  • artifact=policy_runtime_001
  • role=finding_supporting_artifact
  • subtype=runtime_vendor_not_disclosed
  • url=https://example.com/
  • runtime_anchor=third_party_request
  • observed_runtime_vendor=Example Ads
  • observed_runtime_domain=ads.example
  • unmatched_runtime_domain=ads.example
  • policy_surface_type=privacy_policy
  • policy_surface_reached=true
  • privacy_policy_url=https://example.com/privacy
  • mismatch_rationale=observed runtime vendor/domain did not clearly match retained privacy disclosure evidence
  • coverage_status=usable
  • review_caveat=manual review should confirm disclosure scope, provider ownership, policy variants, applicability, and legal review

Disclosure surfaces searched

  • policy_surfaces_searched=[privacy_policy,cookie_policy,cmp_preference_center]
  • matched_vendor_disclosure_count=1
  • unmatched_vendor_disclosure_count=1
  • retained_evidence_ref=policy_enrichment_001
  • direct_vs_inferred=direct
  • manual_review_needed=true

When stronger runtime findings stay primary

  • same_vendor_domain_cluster=true
  • stronger_finding=rtb_cookie_sync_observed
  • runtime_vendor_not_disclosed=related_disclosure_review_signal
  • separate_top_card=false
  • supporting_detail_preserved=true
Redacted sample JSON
{
  "findingId": "policy_behavior_contradiction_detected",
  "label": "Policy/runtime alignment review",
  "category": "Consumer protection",
  "criticality": "high",
  "evidenceConfidence": "review_signal",
  "directVsInferred": "correlated_observation",
  "evidence": {
    "summary": "Retained report evidence connected a public policy or disclosure claim to concrete runtime behavior, showed runtime third-party vendors/domains not clearly reflected in retained disclosure evidence, or retained consent-governance disclosure context as a supporting alignment review signal.",
    "examples": [
      {
        "title": "Runtime vendor disclosure alignment example",
        "lines": [
          "artifact=policy_runtime_001",
          "role=finding_supporting_artifact",
          "subtype=runtime_vendor_not_disclosed",
          "url=https://example.com/",
          "runtime_anchor=third_party_request",
          "observed_runtime_vendor=Example Ads",
          "observed_runtime_domain=ads.example",
          "unmatched_runtime_domain=ads.example",
          "policy_surface_type=privacy_policy",
          "policy_surface_reached=true",
          "privacy_policy_url=https://example.com/privacy",
          "mismatch_rationale=observed runtime vendor/domain did not clearly match retained privacy disclosure evidence",
          "coverage_status=usable",
          "review_caveat=manual review should confirm disclosure scope, provider ownership, policy variants, applicability, and legal review"
        ]
      },
      {
        "title": "Disclosure surfaces searched",
        "lines": [
          "policy_surfaces_searched=[privacy_policy,cookie_policy,cmp_preference_center]",
          "matched_vendor_disclosure_count=1",
          "unmatched_vendor_disclosure_count=1",
          "retained_evidence_ref=policy_enrichment_001",
          "direct_vs_inferred=direct",
          "manual_review_needed=true"
        ]
      },
      {
        "title": "When stronger runtime findings stay primary",
        "lines": [
          "same_vendor_domain_cluster=true",
          "stronger_finding=rtb_cookie_sync_observed",
          "runtime_vendor_not_disclosed=related_disclosure_review_signal",
          "separate_top_card=false",
          "supporting_detail_preserved=true"
        ]
      }
    ],
    "counts": {
      "representativeVendorCount": 4
    },
    "representativeVendors": [
      "provider ownership",
      "policy variants",
      "applicability",
      "and legal review"
    ]
  }
}
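The calibration gates above and the "Disclosure surfaces searched" counts in the example evidence can both be expressed as a small decision routine. The following is an added illustration, not CertScore's code: the field names on AlignmentEvidence, the substring-based vendor match, and the sample disclosure texts are assumptions constructed for the example.

```python
from dataclasses import dataclass

TOP_RANK_CONTEXTS = {"pre_consent", "post_reject", "cookie", "sharing",
                     "sensitive_surface", "promotion_grade"}

@dataclass
class AlignmentEvidence:
    """Retained policy/runtime evidence for one site (field names are assumptions)."""
    policy_anchor: bool                  # policy URL, snippet or reached disclosure surface retained
    runtime_anchor: bool                 # request/storage/vendor anchor retained
    bridge_rationale: bool               # explicit, deterministic bridge provenance retained
    subtype: str = ""                    # e.g. "runtime_vendor_not_disclosed"
    unmatched_runtime_domains: tuple = ()
    runtime_context: str = ""            # e.g. "pre_consent", "post_reject", "cookie", "sharing"
    stronger_finding_same_cluster: bool = False  # same vendor/domain evidence backs a direct runtime finding
    generic_copy_only: bool = False      # contradiction copy without concrete anchors

def match_vendors(observed, surfaces):
    """observed: [(vendor, domain)]; surfaces: {surface_type: retained text}.
    Returns (matched_count, unmatched_domains), the counts shown under 'Disclosure surfaces searched'."""
    text = " ".join(surfaces.values()).lower()
    unmatched = tuple(d for v, d in observed if v.lower() not in text and d.lower() not in text)
    return len(observed) - len(unmatched), unmatched

def calibrate(ev):
    """Apply the page's surface / high-confidence / top-rank / demote-or-suppress gates."""
    if ev.stronger_finding_same_cluster or ev.generic_copy_only:
        return "suppress"          # stronger direct runtime finding stays primary; generic copy only
    full_bridge = ev.policy_anchor and ev.runtime_anchor and ev.bridge_rationale
    vendor_mismatch = (ev.subtype == "runtime_vendor_not_disclosed"
                       and bool(ev.unmatched_runtime_domains))
    if not (full_bridge or vendor_mismatch):
        return "suppress"          # policy claim only, runtime only, or missing bridge provenance
    if not full_bridge:
        return "surface"           # subtype mismatch evidence surfaces but is not high confidence
    if ev.runtime_context in TOP_RANK_CONTEXTS:
        return "top_rank"
    return "high_confidence"

# Constructed sample: retained disclosure surfaces and observed runtime vendors (not real data).
SURFACES = {"privacy_policy": "We share usage data with Example Analytics (analytics.example).",
            "cookie_policy": "Analytics cookies are set by Example Analytics.",
            "cmp_preference_center": "Manage analytics preferences."}
OBSERVED = [("Example Analytics", "analytics.example"), ("Example Ads", "ads.example")]

def sample_decision():
    matched, unmatched = match_vendors(OBSERVED, SURFACES)   # -> (1, ("ads.example",))
    ev = AlignmentEvidence(True, True, True, "runtime_vendor_not_disclosed", unmatched, "pre_consent")
    return matched, unmatched, calibrate(ev)                 # -> (1, ("ads.example",), "top_rank")

if __name__ == "__main__":
    print(sample_decision())
```

The result still carries the page's review caveat: an unmatched domain only means the retained surfaces did not clearly name the vendor, and provider ownership, policy variants, and applicability remain manual-review questions.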

Regulatory review context

Policy/runtime transparency and alignment review

Retained public policy, cookie, privacy, or downstream-sharing disclosure evidence was compared with concrete runtime behavior, vendor activity, consent flow, or disclosure-search evidence. This may be relevant to transparency, privacy claims, consent, sale/share, opt-out, retention, and vendor-governance review depending on jurisdiction, policy scope, user region, and manual review.


Legal and regulatory frameworks

  • GDPR transparency, fairness, and purpose-limitation review: Public privacy disclosures, runtime vendors, cookies, identifiers, profiling, or downstream sharing may involve personal data depending on purpose, linkage, and user region.
  • ePrivacy cookie/tracker disclosure alignment review: Runtime cookies, storage, or terminal-equipment access are compared with cookie or consent disclosures.
  • FTC privacy claim and material disclosure review: Runtime behavior, consent flow, vendor activity, or disclosure-search evidence may need comparison against public privacy representations or material consumer-facing statements.

Jurisdictional contexts

  • CCPA/CPRA disclosure, sale/share, and opt-out alignment review: California users and runtime advertising, analytics, identifiers, vendor activity, or privacy-choice context may be relevant to disclosure, sale/share, opt-out, or retention review.
  • EU GDPR/ePrivacy policy/runtime alignment review: EU/EEA users and runtime cookies, tracking, identifiers, consent claims, or vendor disclosures may be in scope depending on purpose, consent state, and manual review.
  • U.S. consumer protection and privacy-claim review: Public privacy statements, consent representations, or consumer-facing disclosures may need alignment review against observed implementation behavior.

This finding does not determine deception, unfairness, legal status, disclosure adequacy, sale/share status, or compliance status. Review retained policy anchors, runtime anchors, bridge rationale, provider ownership, policy versions, regional variants, and scan coverage limitations.

Common causes

  • Unexpected runtime configuration
  • Third-party tag behavior changed
  • Public surface differed from expected implementation

Recommended review questions

  • What signal was retained?
  • Which public surface or runtime event supports it?
  • What implementation owner can confirm the behavior?

Limitations and cautions

  • Automated findings may contain errors and should be reviewed with the retained evidence.
  • Not detected means not observed in the scan scope; it is not proof of absence.
  • Findings are runtime evidence and public-surface observations for review, not legal conclusions.

Related reading

Reference notes

  • CertScore uses findings, evidence, signals, and observations consistently: signals are raw runtime or page-surface events, evidence is retained support, observations are interpreted evidence context, and findings are promoted review items.
  • Findings are runtime evidence and public-surface observations for review. Observed signals may surface possible concerns, but review is recommended before operational or legal reliance.
  • Finding reference content is reviewed periodically and updated when material guidance changes. CertScore monitors guidance families such as EDPB consent and ePrivacy materials, ICO cookie guidance, CNIL tracker recommendations, FTC privacy and dark-pattern materials, and relevant accessibility guidance where applicable.
  • EDPB consent guidance is relevant to consent quality and affirmative indication where consent is relied upon.
  • EU ePrivacy cookie/tracker principles are relevant to storing information or gaining access to information on user terminal equipment.
  • ICO cookie and similar technologies guidance is relevant to active consent, clear explanation, and essential-cookie exceptions.
  • CNIL cookie/tracker and analytics guidance is relevant to tracker consent and limited analytics exemptions.
  • FTC dark-pattern and commercial-surveillance materials may be relevant to hidden tracking or unclear user-choice review, but this finding does not determine deception, unfairness, or legal status.
  • Prevalence labels use the Tranco top 1-2500 calibration set, an approximately 2,505-scan directional calibration set.