Spanish data privacy regulator imposes $1.4 million on Facebook

Spanish data privacy regulator AEPD has imposed a fine of 1.2 million euros ($1.44 million) on Facebook for failing to protect the users’ data that is being accessed by advertisers. AEPD said that the personal data of users collected by Facebook “does not adequately collect the consent of either its users or nonusers, which constitutes a serious infringement.”

AEPD, an agency which enforces Organic Law on Data Protection (LOPD), said that the data collected by Facebook include political ideology, sex, religious beliefs, personal tastes, and browsing history, but the users remain unaware of the purpose of the data collected. Facebook is also accused of using cookies to track user activity on the Web, including non-Facebook sites. Additionally, the agency claims that the users’ site navigation information and personal data are retained by Facebook beyond the period of its stated purpose.

“When a social network user has deleted his account and requests the deletion of the information, Facebook still keeps the information for more than 17 months, through a deleted account cookie. Therefore, the personal data of the users is not canceled in full when it is no longer useful for the purpose for which it was collected, nor when the user explicitly requests its removal,” AEPD said.

AEPD further claims that the privacy policy of Facebook contains “generic and unclear expressions” which can be accessed by a user after many levels of navigation. Saying that Facebook should obtain “unequivocal, specific and informed consent” from the users, the enforcement agency found one “very serious” and two “serious” issues of LOPD. The regulatory body fined Facebook €600,000 for the first incident and €300,000 each for the second.

Earlier this year, Facebook was found guilty of not following data regulation norms on several occasions and was penalized by multiple regulatory bodies. European Commission imposed a fine of $122 million on the company for not providing correct information during the purchase of WhatsApp in 2014. The Italian authority and the French data protection regulators had also slapped a fine of €3 million and €150,000, respectively, for violating rules regarding consumer data. Moreover, an investigation into Facebook’s privacy practices is ongoing in Germany.