Here’s Why Facebook Got a $1.4 Million Privacy Fine in Spain

On Monday, the Spanish data protection authority (AEPD) said Facebook had been breaking privacy rules on multiple counts over the way it uses people’s personal data for advertising purposes. The agency fined the social network €1.2 million ($1.44 million).

Specifically, the AEPD called out the way Facebook (FB) collects data on people’s ideologies and religious beliefs, sex and personal tastes—from its own services and those of third parties—without clearly telling its users what it will do with this information.

The watchdog said Facebook did not get properly informed consent from users before exploiting this information, and also noted that the company violated laws by not deleting data that was no longer useful for the reasons it was collected.

The consent issue qualified as a “very serious” infringement, meriting a €600,000 fine, while the other two qualified as “serious,” each garnering a €300,000 fine.

In a statement, Facebook claimed the Spanish data protection authority (DPA) was wrong to say it showed people advertising based on sensitive personal data. It said ad-targeting was instead based on the interest people express by “liking” certain content on the social network.

Under EU law, “personal data” means “any information relating to an identified or identifiable natural person,” so people’s “likes” would qualify as personal data.

Get Data Sheet, Fortune’s technology newsletter.

“We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision,” a spokesperson said. “As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.”

The Spanish regulator’s crackdown follows coordination with agencies in other countries, namely France (which fined Facebook €150,000 earlier this year), Belgium, the Netherlands and Germany. In recent years, European regulators have taken to ganging up on the likes of Facebook and Google (GOOGL), because individually they cannot levy fines that would make a serious dent in these giants’ wallets.

All that will change in May next year, when the EU’s new General Data Protection Regulation comes into effect. This privacy law will allow for fines of up to €20 million or 4% of a company’s annual global revenues, whichever is higher.