The survey of 170 sites found, "There is a general level of awareness of privacy issues but only in as much as they might impact the interests of the business."
Yet even the best Web sites "were not 100% compliant", according to the report by the Manchester Institute of Science and Technology (UMIST).
Security and data were the key areas of weakness flagged up by the UMIST survey. It found, "There was generally a low level of company internal security. In addition there was a low-level of system security, with encryption rarely mentioned or used."
Less than half the companies surveyed hold an offsite back-up copy of the data they have collected, according to the report.
On data retention, UMIST found considerable confusion about the Data protection Act. At least a quarter of the sites surveyed had no retention policy and the survey cast doubts on many sites' technical ability to set retention periods for certain types of data.
Almost half the Web sites surveyed did not post any type of privacy information and of those that did, only 5% could be understood by the average reader, according to UMIST.
Large companies and companies within regulated industry sectors, not surprisingly, showed a higher level of compliance than small and medium-sized businesses (SMEs).
The survey highlighted a series of difficulties facing SMEs. Only 37% of small companies have any kind of data security policy and SMEs are often not aware of the danger of unintentional misuse of data. Many small companies also wrongly assume that they are protected through their Internet service provider.