Spanish data protection regulator has issued a €1.2 M ($1.4M) fine against the social media giant for a series of violations regarding its data harvesting activities.
Spain’s AEPD said that an investigation into how Facebook collects, stores, and uses data for advertising purposes, found that it is doing so without obtaining adequate user consent.
It says it identified two serious infringements and one very serious infringement of data protection law — with the total sanction breaking down to €300,000 for each of the first breaches and €600,000 for the second.
The regulator found that Facebook collects data on ideology, sex, religious beliefs, personal tastes, and navigation — either directly, through users’ use of its services, or from third-party pages — without, in its judgment, “clearly informing the user about the use and purpose.”
Not obtaining the express consent of users to process sensitive personal data is classified as a very serious offense under local DP law.
Facebook’s use of web browsing cookies was also found in violation of privacy laws. Regardingly, the regulator provided its confirmation that users are not updated that their information will be processed through the use of cookies when they are browsing non-Facebook pages that contain Facebook’s ‘Like’ button social plug-in — noting that while some of the use of this data is declared as being for advertising, another use is “secret,” i.e., not disclosed by the company.
The regulator is also unhappy that Facebook does not delete harvested data once it has finished using it.
One of the spokespeople of Facebook told us that the company intends to appeal the decision while also noting that its European business is (currently) regulated under Irish data protection rules, where its EU HQ is sited.
