Last month, an Australian woman sunbathing topless in her back yard was accidentally captured in a photograph by a drone snapping pictures for a real estate listing. The picture was placed in online ads and billboards before the mistake was caught. With the U.S. working on regulations for commercial drones, you might think that cases like this would be part of the conversation. But so far, both Congress and the FAA have passed the buck on creating privacy protections for domestic drones. Some of the little work that has been done on privacy protections has fallen to the FAA’s six drone test sites across the country.

These test sites were authorized by the FAA in in December 2013 to research “certification and operational” requirements for bringing drones to American skies. The sites, in Alaska, Nevada, New York, North Dakota, Texas and Virginia, will test government and private uses for drones, from tracking caribou movements to monitoring beaches for law enforcement. And each must also create a privacy policy to address concerns about the data being collected at each site and how it is used.

The creation of the sites was ordered by Congress in the 2012 FAA Modernization and Reform Act (FMRA). Despite rising concern over the privacy implications of drones, the FMRA made no attempt to direct privacy protections. The FAA also balked at developing federal privacy standards. Contrary to the urgings of the ACLU and others, the FAA provided no baseline privacy standards for the sites. Aside from some very general guidelines, all specifics about data collection, use, or retention were left to each test site to decide.

With such wide latitude from the FAA, the privacy policies are as diverse as the states themselves— ranging from the comprehensive to the perfunctory.

The test sites in both Nevada and Virginia have policies that clearly address a number of privacy concerns involving drones. Nevada’s site, for example, will choose drone flight paths based on the type of data they will collect to minimize the potential for invasion of privacy. The policy also requires drone operators to log any potential privacy impacts that occur during flights. The policy at the Virginia site, while not as comprehensive, limits the storage of data to 14 days and requires notification of the public before a test flight begins.

The worst policies are those in Texas and New York. The Texas policy makes individual privacy violations almost impossible to remedy, and places the burden on the victim to show “demonstrable proof” that an image violating his or her privacy exists in order to compel the test site to destroy the image.

New York’s policy is even vaguer than Texas’s and offers only general assurances of privacy protection. It states that no data on individuals will be “intentionally” collected, but gives no specifics on how to mitigate unintentional collection. It goes on to say that unintentionally collected data will be destroyed, yet it offers no limits on how long data will be stored or how it will be determined if data collected violates a person’s privacy.

Somewhere in the middle are the policies in Alaska and North Dakota. The Alaska site’s policy has some good elements—it is the only policy to explicitly state that data collected during tests will not be turned over to law enforcement absent a court order. However, it lacks a data retention policy (it promises that the policy will be published separately). North Dakota is an unusual case in that it appears not to have any published policy, instead using a committee convened by the University of North Dakota to deal with privacy issues. The lack of details makes drawing any conclusions about the protection of privacy in that state impossible.

The purpose of these test sites is to chart the future course of drone use—including the privacy implications. But with each site taking a wildly different approach to privacy with little FAA oversight, whether or not this future will include protections for the fundamental rights of Americans remains to be seen.