The whole 'privacy policy' thing is a an fantasy that simply doesn't exist in international law. Its two words that provide the illusion of following some process of decency without any obligations whatsoever.
I'm not sure I'm following entirely. I agree that whoever wants to cheat can cheat and deceive their users about the fact that he/she is using personal data in a way that is contrary to privacy laws. That doesn't mean you should not inform users in a proper/legally compliant way, does it?
Most statements of 'privacy policy' ate usually statements of anti-privacy or retention and sharing policy. A true statement of privacy would demonstrate that no information is recorded in a durable manner and that no information is available for third party inspection. Privacy has a concrete meaning.