Did you know that by signing up to Facebook, you’re allowing it to track your browsing habits across the web, and giving it consent to collect what’s arguably personal and sensitive data? I didn’t.

Apparently though, you are. The reasoning goes something like this: by signing up to Facebook and accepting its privacy policy you’re giving it your consent to track your browsing on partner websites.

The problem is that we don’t think agreeing to a lengthy privacy policy is providing “explicit” consent for the collection of what may well be personal sensitive information. Unless you’ve been specifically asked whether you’re happy for your browsing habits to be tracked, we don’t think you’ve given any such consent.

And explicit consent is important here because, without it, no company can process (or use) an individual’s personal sensitive data without being in breach of the Data Protection Act (DPA).

Facebook’s privacy policy

I’ve read and re-read the paragraphs in Facebook’s privacy policy that are meant to say I’ve consented to the company collecting personal data on the websites I visit (you can too under the section ‘Information We Receive’) but I can’t see any such mention. Plus, a privacy policy couldn’t really constitute explicit consent even if it wanted to.

Which brings me to my point. Last week a story broke about the health website NHS Choices letting Facebook track the browsing behaviour of its users, along with their Facebook IDs, via its ‘Like’ button embedded on some webpages. And according to Garlik, the firm that made the discovery, Facebook users are tracked even if these buttons aren’t actually clicked.

Now, why the NHS would allow a third party website to track its visitors in this way is beyond me. But the real point here is that these webpages contain health and lifestyle advice that could be personal to the browsing individual. Do you want Facebook to know that you’ve looked at a page about a particular disease or condition?

Has your online privacy been breached?

And now we come back to the Data Protection Act. Here at Which? we think that Facebook could be in breach of the DPA if it’s proved that sensitive and personal data has actually been collected without explicit consent. Plus, surely NHS Choices has a duty to prevent sensitive user data from being collected in this manner?

Both Facebook and NHS Choices, of course, deny that any breaches have taken place. So it’s now up to the Information Commissioner’s Office to investigate. South Korea’s communications regulator has already taken action, accusing Facebook of violating the country’s data privacy laws and arguing that it needs to do a better job at getting user consent.

I think that Britain’s regulator should also take a good look at Facebook’s privacy policies. Does the company actually ask for explicit consent to track and gather information on what sites we look at? And if you knew that it did, would you still want to keep your Facebook account?