However you have to be much more intrusive on developers if you are going to require semantic analysis of all data being sent to see if it was justified and whether it was mentioned in a (plain text, localized potentially into many languages) privacy policy.