This ambiguity surrounding “consent” becomes disconcerting when one considers what one is “consenting” to, namely widespread data collection by third party companies.

* * *

Here's the thing: It’s not just Facebook and Twitter that are keeping tabs on your activity. Many of the most popular sites enlist “third parties” to gather your data for them. Privacy policies may lack clear descriptions of data collection practices, but almost all mention third parties. When you visit a website like huffingtonpost.com, not only does The Huffington Post collect your data, but 33 other companies do as well, according to the Disconnect app. By law, websites only need to tell you that they interact with these other companies, not what these companies do with your information. Sites don’t even need to tell you which companies they hire. According to their privacy policies, 48 of the top 50 websites in America use third parties. Only nine say which ones.

Marcus Moretti & Michael Naughton

Oppenheim says that the most popular websites partner with ad and analytics companies to grab data and personalize ads so they don’t have to themselves. “Those companies are tracking you on their site, and they’re tracking you via your IP or your device information, which they log on their own servers, and make sure they know how you behave on the most popular sites across the web,” he said. “And the only thing ESPN has to say in its privacy statement is that they allow other people to look at their aggregate information.”

* * *

A few privacy policies stood out to us for the right reasons. The privacy policy at Xvideos—a porn site—is seven sentences long and, like the videos it hosts, lays it all out there. Wikipedia and StackOverflow—since they’re entirely community-supported—don’t need to sell your data or serve you personalized ads. These two sites were also the only ones to acknowledge that your IP address can personally identify you—something the E.U. has recognized since 2008. In the U.S., IP addresses are still not legally considered to be personally identifying information—which means companies can record your computer’s address without it being considered “personal information.”

Taken together, the way America’s most popular websites write their privacy policies makes it almost impossible in practice for people to be fully informed about their Internet use and how their data is collected. “The modern privacy policy is a compliance document,” says Gautam Hans, a fellow at the Center for Democracy & Technology in Washington, D.C. “They’re how companies make sure they comply with the law and don’t run afoul of FTC rules. That’s mostly it.”

It’s not just the quality of these documents; it’s the quantity as well. A 2008 Carnegie Mellon study found that it would take the average Internet user between 181 and 304 hours to read all the privacy policies for the websites she visits each year. Note that you would have to repeat this exercise every year, because most companies update their policies annually.