Today, the Spanish data protection agency (AEPD) fined Facebook 1.2 million euros ($1.4 million USD) in connection with how the company collects personal data for advertising purposes. The AEPD said Facebook did not get properly informed consent from users before exploiting this data, and that it kept the data longer than was useful for its purpose.

In a statement, Facebook claimed the AEPD was wrong to say it showed people advertising based on personal data. It said ad-targeting was instead based on the interest people express by “liking” certain content on the social network platform.

Interestingly, EU law defines personal data as “any information relating to an identified or identifiable natural person,” so people’s “likes” would qualify as personal data.

Regarding data retention, when a social network user has deleted his account and requested the deletion of the information, Facebook continues to capture and process information for more than 17 months through a deleted-account cookie. The AEPD therefore considers that users' personal data is not deleted in full, either when it is no longer useful for the purpose for which it was collected or when the user explicitly requests its removal, as the local data protection law requires, which represents a serious infringement.

Facebook intends to appeal the decision, so we’ll have to wait and see how this plays out.