The social network breached laws designed to protect citizens’ information and privacy on three occasions, according to the Spanish authorities.
The regulator found Facebook had failed to inform users how their data would be used as it hoovered up the details of millions of people in Spain.
It said Facebook had failed to educate users on how their personal information – including ideology, sex, religious beliefs, personal interests and browsing habits – would be used for advertising. It added that Facebook had illegally tracked visitors to its pages who had not signed up to the social network using cookies.
Facebook also infringed citizens’ rights when it stored the details of deleted accounts for more than 17 months, according to the investigation.
The authority said Facebook had seriously breached laws in one instance, for which it was fined €600,000, and moderately so on a further two occasions, each netting a €300,000 fine.
It accused Facebook of using “generic” and “unclear” terms in its difficult to navigate privacy policy.
“Facebook’s privacy policy contains generic and unclear terms,” said the Spanish data protection authority. “The agency considers that Facebook does not adequately collect the consent of either its users or nonusers, which constitutes a serious infringement.”
It added that the average Facebook user is not aware of how the company collects, stores and uses their data.
Data watchdogs across Europe are investigating Facebook, which has faced challenges in Germany, Belgium, the Netherlands and France, which fined the firm €150,000 earlier this year.
This comes just months after it was hit with a similar fine by privacy regulators in France, and faces similar scrutiny from data protection bodies elsewhere across the EU-member area, which are primed to implement GDPR in a uniform manner from May 2018.
GDPR requires those collecting, storing and processing data on EU residents to obtain specific consent to do so by the region’s internet users, with those found to be falling foul of the rules in line for a €20m fine, or up to 4% of global revenues, which ever is greater.
News of the fine comes the same day as influential Wall Street analyst Brain Wieser of Pivotal Research issued a note to investors reminding of the potential negative impact GDPR can have on Facebook (which collects 25% of its revenue in the EU) and Google (which likewise collects 30% of its revenue there).
“Implementing GDPR-compliant ad products may impact revenue growth primarily because it may require more ad inventory to satisfy advertiser goals,” reads his note.
“Generally, consumer-facing properties owned by Facebook, Google, Twitter and Snap and others owned by major publishers which consumers are generally familiar with should be able to secure consent exchanging use of some personal data in advertising for access to the media property.
“By contrast, ad networks and programmatic platforms owned by these media owners may face challenges doing the same. For everyone there will be more limits on how data is used to drive targeting relative to how it is used at present.”