One major shortcoming of the current "notice and consent" privacy framework is that the constraints for data usage stated in policies--be they stated privacy practices, regulation, or laws--cannot easily be compared against the technologies that they govern. To that end, we are developing a framework to automatically compare policy against practice. Broadly, this involves identifying the relevant data usage policies and practices in a given domain, then measuring the real-world exchanges of data restricted by those rules.