A common practice among companies with an online presence is to sign on to a "seal" programme in order to provide customers with a sense of security regarding the protection of their personal data. Companies must adhere to a set of rules forming a privacy protection policy designed by the seal issuer in accordance with underlying laws, regulatory frameworks and related best practice. Some of the most widely used seal programmes are TRUSTe, BBOnline, WebTrust and BetterWeb. Using the functionality they offer, a user can verify online that a specific organisation adheres to a published privacy policy. In this paper, we argue that the verification means these programmes use are vulnerable to DNS spoofing attacks. Furthermore, we present a privacy policy verification ("seal") scheme that is not vulnerable to the aforementioned attack. We also argue that there are disadvantages in operating seal schemes that attempt to publicly certify compliance levels with a self-regulatory privacy protection model. By contrast, these disadvantages are softened when such schemes are used in a regulatory model that has adopted comprehensive laws to ensure privacy protection.