Spain's AEPD said an investigation into how Facebook collects, stores and uses data for advertising purposes found it is doing so without obtaining adequate user consent.
It says it identified two serious infringements and one very serious infringement of data protection law - with the total sanction breaking down to euro;300,000 for each of the first breaches and euro;600,000 for the second.
The regulator found Facebook collects data on ideology, sex, religious beliefs, personal tastes and navigation - either directly, through users' use of its services or from third party pages - without, in its judgement, "clearly informing the user about the use and purpose".
Not obtaining express consent of users to process sensitive personal data is classified as a very serious offense under local DP law.
The regulator is also unhappy that Facebook does not delete harvested data once it has finished using it - saying it had been able to verify Facebook does not delete web browsing habits data, but in fact "retains and reuses it later associated with the same user".