The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act).

In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further below.

Processing sensitive personal data for advertising purposes without consent

The AEPD held that Facebook did not obtain its users’ consent for the collection of their sensitive personal data in accordance with the requirements of the Act, since the consent obtained was not valid, express and in writing.

It was noted that Facebook uses the preferences of its users to profile them based on their sensitive personal data, and offer content in relation to that profile. However, Facebook did not establish a separate procedure for the treatment of sensitive personal data, as prior consent was not requested, and all personal data was used for profiling for advertising purposes by default. For example, when configuring a user’s profile, the “Basic and Contact Information” section includes options to “add your religious beliefs” and “add your political ideology”. However, no express consent is requested from Facebook regarding the use of this information for advertising purposes, nor is the user informed at any stage that their data will be used for that purpose.

Failure to provide clear and transparent notice of how Facebook collects and uses personal data on the Facebook platform and third-party websites

The AEPD noted other examples where Facebook has failed to collect consent from data subjects (including non-Facebook users) in accordance with the requirements of the Act. One example is where Facebook uses a cookie to identify a user’s browser, which is installed on the user’s first visit to the Facebook platform, even if they do not log in or register as a user. Facebook accesses that cookie, and the URL of the page visited, when a user lands on a third-party site containing Facebook’s “Like” button. Even where Internet users are not registered with Facebook, their data is collected through these cookies when a user visits a page within Facebook’s domain. For registered Facebook users, their data is collected when they visit or use third-party websites or applications that use Facebook services, even if they are not logged into Facebook. This use of cookies on third-party sites is not made clear to users within Facebook’s developer section or its “Frequently Asked Questions”.

The AEPD criticised Facebook’s Privacy Policy as being generic and unclear with too many links to other sections. When informing users about the collection of their personal data, Facebook only provides examples and does not actually list what data is collected. So a Facebook user with an average knowledge of new technologies will not be aware of the collection, storage and subsequent processing of their data, or the purposes for which the data will be used. Further, non-Facebook users will not even be aware that their data is being collected.

The AEPD was also highly critical of Facebook’s registration procedure which in its view did not meet the standards for valid consent under the Act. When completing the registration process, the relevant button is labelled “Finished”, as opposed to “I accept” as in other applications. Moreover, users did not have to accept the conditions of Facebook’s privacy policy before completing their registration.

Further, the AEPD criticised that users aged 13 can register with Facebook without any requirement to obtain the consent of the user’s parents or guardian.

Retention of user data following requests for removal of accounts and to delete information

The AEPD held that the personal data of Facebook users is not deleted when it is no longer required for the purpose for which it was originally collected, or when the user explicitly requests the deletion of their data. For example, the information relating to a deleted account cookie is stored by Facebook for more than 17 months and is subsequently associated with a new user where an account is set up using the same email address. Moreover, Facebook continues to collect and process data relating to the deleted account during this 17-month period. The AEPD also criticised Facebook for retaining the IP addresses from which a user’s Facebook account was accessed for at least 11 months without anonymising this information.


Facebook is also being investigated by the relevant authorities in Belgium, France, Germany (Hamburg) and the Netherlands, so it will be interesting to note the decisions in these cases and any subsequent fines that may be awarded.

Businesses should already be looking at their privacy notices and consent mechanisms (where seeking to rely on this as a legal ground for processing personal data) in preparation for the General Data Protection Regulation (GDPR). However, this case is a useful reminder that transparency is key when dealing with users, and privacy policies need to be clear and user-friendly to enable users to understand exactly what happens with their data, especially as the AEPD imposed the fine on the basis of the current data protection law, whereas the relevant requirements will be more stringent under the GDPR. In particular, when dealing with sensitive personal data, it is essential to check that consents obtained from users meet GDPR standards (or that any of the other Article 9 exceptions have been correctly applied). Finally, businesses should be thinking about data retention policies and how to explain these to users so that it is clear how long their data will be held by an organisation. There may, of course, be other legitimate reasons for holding on to some of the data, but where a user requests that their account is deleted, it should be made clear to them what data will or will not be deleted, and why.