An HTML specification achieves nothing until browsers render it on screen. All HTML can do is help them by providing the logical details they need to depict the icon - and then the browser actually has to draw it on the screen. As each browser has its own font color, size and style preferences for various tags, here also we can expect some variation in privacy-icon-species - as long as the icon retains its meaning for anyone above IQ-80. Simple enough so far, but that's not the reason I've opened a new section.
Nowadays, we are pretty used to browsers taking care of some of the underlying security risks (potentially harmful sites, certificate mismatches, redirection loops etc.). This gives me an idea to ask them for another helping hand... yes, I hope they won't get offended.
If a general list of sites which abuse/misuse/cheat their privacy policies can be maintained, the system can become even more transparent. If a general list is not possible, then each browser can have its own list of sites, against which it can check and warn the user whether a site really complies with the policy it says it does, or differs from it. It's not a rigorously tough act to perform, if you argue; maintaining a malware site list is a lot tougher in my opinion, and nearly all modern browsers have already implemented a notification facility for that.
So now that we have come this far, we actually need to consider the mode of notification - i.e. how to let users know if there's something fishy about the site they are visiting or putting details into.