For most people, privacy policies are the boring fine print on the websites they visit. They're nearly always written in legalese, unintelligible to the average person, and on top of that many of them don't even say that much.

Overall, it's hard to imagine a group of documents that could be more sleep-inducing than online privacy policies. The rub is, they're actually important. In the absence of any federal online privacy laws, the policies are actually the only way for a user to find out what various services are doing with her information.

Privacy policies are also the only basis for enforcement from bodies like the Federal Trade Commission. Since the government can't actually sue a company for having sketchy privacy policies for adult users, it has to nab companies when they have violated their own stated privacy policies. That's what happened when the FTC managed to force both Facebook and Google into privacy-related settlements. The fact that privacy policies are key to enforcement actually creates a perverse incentive: the less a company says in its privacy policy, the better its protection from government scrutiny.

While indecipherable documents are currently users' only protection against a world of unlimited sharing of their data, Jim Brock, founder of PrivacyChoice, thinks he has at least part of the answer to that conundrum. His team at PrivacyChoice has scored the privacy policies of more than 4,000 websites; this week, he released data on 2,500 of them. What's been revealed so far is illuminating and a bit disturbing.

Your data on the move: 20 percent of sites may sell it, 60 percent won't delete it

The PrivacyChoice system comes up with scores based on two groups of policies. One is the policy of the site itself and the other part of the score comes from the privacy policies of the various third-party "tracking" companies that are on the site, usually in the form of advertisements.

For the actual site, the score is based on four factors that consumers are most concerned about, says Brock. The first and most important factor is whether the sites share personal data. Of the top 2,500 sites, 63 percent of them promise that they generally don't share data, another 10 percent don't share data for marketing purposes (apple.com falls into this category), and about 8 percent don't collect personal data at all. That leaves 20 percent of sites that make no promise about whether they sell personal data or not.

It's worth thinking twice about what's going on with your data at those 20 percent of sites, says Brock—especially if they ask to link up to your Facebook profile. (I'm looking at you, Pandora.)

"If they don't have a strong statement that they won't share personal data, you've got to think twice before you let them have your Facebook profile," says Brock. "That's the mother lode of data. People are not as conscious of that as you might expect."

The next most-important factor is whether a site will delete your data upon request. 60 percent of sites make no promises that they'll delete your data. Three percent of site policies "contemplate a data removal process, but reserve exceptions for purposes such as transaction auditing and backup storage," according to PrivacyChoice. Meanwhile, 38 percent either don't retain data or have a process for data removal.

As for the trackers, the score is weighted based on how much a particular ad network comes up on a site. The idea is to get a sense of what kind of policies apply to the bulk of a site's pages, says Brock. "If you have one high-quality ad network on all your pages and one lousy ad network on two pages, you shouldn't be punished too much for that," he explains.

The tracking companies are assessed based on, first, whether they protect user anonymity: in other words, are they compiling a profile of user 64125's browsing habits, or a profile of Joe Mullin's browsing habits? (Most ad networks do maintain a commitment to anonymizing user data.) Other factors include how long they retain data, and whether they adhere to certain industry self-regulation standards.

One big site with an unexpectedly high ranking: Facebook

One thing that surprises many PrivacyChoice users is that Facebook, a company that has become synonymous with the unstable state of privacy online, actually has a very high score: 94 out of 100. That's because the site uses mostly in-house ads, and because the site's privacy policy is actually pretty good. But it's important to note that individual Facebook apps have their own scores, and those small app developers may get your Facebook data and then share it in ways that Facebook itself wouldn't.

With Facebook, protecting your privacy is mostly about being aware of your own settings. "It's really hard to put into a score box," says Brock. "Facebook isn't on or off, it's a series of decisions you have to make." And users of PrivacyFix, the plug-in that shows these privacy scores, are made aware of many other Facebook issues, including FTC action against the site.

PrivacyChoice's next move is to create a kind of "privacy Wikipedia." The basis of PrivacyChoice's data has been compiled using a paid team of reviewers, but Brock says he's had good responses from people who want to help build out the project.

"We want to be able to get more companies rated, and we want those ratings to be available not just for our apps but for other people," says Brock. "The goal is to get to 10,000 [companies rated], and to get there with the crowd."

To that end, they've created a special browser extension that makes looking at policies easier. Brock explains in this week's blog post:

Analysts use a special Chrome browser extension with a review console to make policy evaluations efficient and accurate. In each review category — such as “Data Sharing” — keyword highlighting emphasizes the passages most likely to relate to the topic. It also captures and submits the classification and related text, which is then subject to peer review and algorithmic validation. Analysts can select any site policy they want to review, or can call for assignments through the extension. PrivacyChoice also monitors policy pages to tell when policies change, and automatically directs reviewers to update the analysis when necessary.