Facebook has been called on the carpet for how it has failed to protect the personal data of its users. But lost in the drama of congressional hearings is an understanding of the extent to which Facebook meticulously scrutinizes the minutiae of those users’ online lives.

Facebook’s tracking stretches far beyond the company’s well-known targeted advertisements. And details that people often readily volunteer — age, employer, relationship status, likes and location — are just the start.

The social media giant also tracks users on other sites and apps. It also collects so-called biometric facial data without users’ explicit “opt-in” consent, and helps video game companies target “high-value players” who are likely to spend on in-app purchases.

The sifting of users gets into personal — even confidential — matters. The company has allowed marketers to target users who may have an interest in various health issues, like the 110,000 Facebook users who were listed under the category “diagnosis with HIV or AIDS,” the 51,000 people listed under erectile dysfunction, and 460,000 users listed under “binge-eating disorder awareness,” said 2015 data submitted as an exhibit in a lawsuit. Facebook said it has since removed those “targeting options” and does not create targeted ad audiences involving users’ medical conditions.

“Facebook can learn almost anything about you by using artificial intelligence to analyze your behavior,” said Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation, a digital rights nonprofit. “That knowledge turns out be perfect both for advertising and propaganda. Will Facebook ever prevent itself from learning people’s political views, or other sensitive facts about them?”

Consumer data mining is the engine that fuels advertising-supported free online services. If Facebook is being singled out for the practice, it is partly because it is the market leader and trendsetter.

“There are common parts of people’s experience on the internet,” said Matt Steinfeld, a Facebook spokesman. “But of course we can do more to help people understand how Facebook works and the choices they have.”

Still, privacy advocates want U.S. lawmakers and regulators to have a more pointed discussion about the stockpiling of personal data that remains the core of Facebook’s $40.6 billion annual business.

While actions by European judges and regulators are trying to limit some of the powerful targeting mechanisms that Facebook employs, U.S. federal officials have done little to constrain them, to the consternation of American privacy advocates.

Other companies, including news organizations like the New York Times, mine information about users for marketing purposes. But privacy advocates say Facebook continues to test the boundaries of what is permissible. Some fault the Federal Trade Commission for failing to enforce a 2011 agreement that barred Facebook from deceptive privacy practices.

Facebook is quick to note that when users sign up, they must agree to the company’s data policy. It plainly states that its data collection “includes information about the websites and apps you visit, your use of our services on those websites and apps, your use of our services, as well as information the developer or publisher of the app or website provides to you or us.”

In Europe, however, some regulators contend that Facebook has not obtained users’ active and informed consent.