by ZoFreX 4615 days ago
> I can refuse to let you into my house if you won't show me your passport. If you don't have a passport, then I can just refuse to let you in no matter what. How does that change if I'm running a business? Or a web-site?

Well, you would presumably be keeping some kind of record of my ID. Perhaps you write down my name, date of birth, and passport number. As a business, in the UK you would have to (amongst other obligations):

* Not keep the data any longer than is necessary
* Update any inaccuracies in the data upon request
* Tell me what data you are keeping upon request

It's not about asking for data, it's about what you do after I give it to you. (NB to those wanting to know more about this, these particular obligations are due to the Data Protection Act)

I'm not sure the DPA needs to come into it. If a nightclub bouncer checks your ID, then he's free to forget all about it once he lets you inside. If all FB do is set an "ID checked" flag (and discard data collected as part of the checking process) then I think they'd be in a similar position - I'm not sure whether you could successfully argue that an "ID checked" flag could count as additional personal data.

(Then again, I'm sure FB hold on to data like thieving magpies, so the idea that they would delete your passport number/image/whatever once they have it is, I agree, laughable.)

I agree 100%, a simple "ID checked" flag would be OK. Where I think the DPA fits into it is that without the DPA, a lot more people would store those details just because. With the DPA in place I'm a lot more comfortable sharing information like that, knowing that either they just store a flag, or if they store more than that I am protected.

Not necessarily. What happens if someone challenges Facebook on their flags? If you're a bouncer, you can hunt down the person who looks underage and re-check their ID. It's much harder to do that with something like Facebook.