South Korea’s data protection authority has slapped Meta Platforms, the parent company of Facebook, with a fine of 21.62 billion won (approximately 15.67 million U.S. dollars) for unlawfully collecting and sharing sensitive personal data without user consent.

The Personal Information Protection Commission (PIPC) of South Korea investigated Meta and found that it had gathered data on nearly 980,000 Facebook users in the country. This data included highly sensitive information, such as users’ political views, religious beliefs, and sexual orientation, without securing explicit consent from the individuals involved. Meta then allegedly shared this data with around 4,000 advertisers, who used it to target ads based on these personal characteristics.

The PIPC emphasized that Meta’s actions violated South Korean privacy laws, particularly its failure to obtain informed consent for data collection and sharing. The company utilized user behaviour data, such as interactions with pages and advertisements, to create highly detailed user profiles. These profiles were categorized into sensitive groups, including labels such as “transgender,” “North Korean defector,” and various religious affiliations, according to the regulatory body.

Lee Eun Jung, a commission director overseeing the Meta investigation, stated that although Meta gathered and utilized this sensitive information for personalized services, their data policy provided only ambiguous references to such usage and did not obtain explicit consent.

Lee further stated that Meta jeopardized the privacy of Facebook users by neglecting to enforce fundamental security protocols, including removing or blocking inactive pages. Consequently, hackers exploited these dormant pages to create false identities and initiate password reset requests for the accounts of other Facebook users. According to Lee, Meta authorized these requests without adequate verification, leading to data breaches that impacted a minimum of 10 Facebook users in South Korea.