A fifth of the most popular websites do not disclose their data protection policies or how they use a visitor's personal information. REUTERS

A new audit conducted as part of “Internet Sweep Day” in May revealed that more than 20 percent of the 2,180 sites reviewed had no information about data protection despite collecting personal data. The websites that were audited were among the most visited sites from around the world.

Commission nationale de l'informatique et des libertés (CNIL), France’s data protection agency, is one of 19 members that work together as part of the Global Privacy Enforcement Network (GPEN). Other members of GPEN include the United States’ Federal Trade Commission; the United Kingdom’s Information Commissioner’s Office; Israel’s Law, Information and Technology Authority; and the European Union’s European Data Protection Supervisor.

In May, GPEN audited 2,180 of the world's most visited websites that are based in the group's member countries. The audit was used to determine what data was being collected by websites; whether that data was being disclosed to a third party; if users could prevent their data from going to a third party; and what type of information on data protection was available to visitors.

Based on their findings, GPEN determined that more than 20 percent of websites, and 50 percent of mobile applications, do not provide any information to visitors about data protection, Agence France-Presse reported. CNIL analyzed 250 of France’s most popular sites and determined that 99 percent collected personal data.

And although some websites and mobile applications do provide privacy information, in general, they don't make it easy for visitors to find it. According to CNIL, more than 50 percent of sites buried the information while 33 percent of the sites had information that was difficult to understand. Accordng to the AFP, each GPEN member reported that most websites did not disclose their data collection policy, why it was collecting the data, how the data was used, or if it was accessible by a third party.