Spanish regulators issued a $1.4 million fine Monday against Facebook over the social networking company’s practices of collecting potentially sensitive personal information from users, the Hill reported.

The fine was handed down by the Spanish Data Protection Agency (AEPD) after the regulator conducted an investigation into how Facebook collects, stores and uses the data of its users for advertising purposes.

The investigation found Facebook had not obtained adequate consent from its users throughout the process.

AEPD’s ruling focused on three central infringements of data protection law committed by Facebook—two of which were considered “serious” and one that was identified as “very serious” by the regulatory body.

STRUCTURE SECURITY -- USE THIS ONE Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Photo: Newsweek Media Group

The regulator found the social network was collecting data on the ideologies, sex, religious beliefs and personal interests of individual users, as well as travel and navigation information. That data was collected directly in some cases and through third-party services also used by the user in others.

In either instance, the data collection was done by Facebook without “clearly informing the user about the use and purpose,” according to the AEPD.

Also at issue was Facebook’s use of web browsing cookies, which users were not informed of or made aware were collecting their information and activity while they were browsing non-Facebook websites that have a Facebook “Like” button on them.

Express consent is required to collect sensitive personal information under Spanish data protection law. As a result, Facebook was hit with two fines of about $360,000 for the serious violations and an additional $720,000 fine for the very serious violation.

Facebook for its part has rejected the agency’s findings and plans to appeal the fines.

“As we made clear to the [European Data Protection Agency], users choose which information they want to add to their profile and share with others, such as their religion,” a Facebook spokesperson said following the ruling. “However, we do not use this information to target advertisements to people.”

The fine from the Spanish regulator is not the first and likely won’t be the last out of the European Union to hit Facebook. Earlier this year, the social network took a $122.5 million fine from the European Commission for providing misleading information in its filing for its acquisition of messaging app WhatsApp in 2014.

In July, Germany announced plans to launch an investigation into Facebook for allegedly “extorting” its users by making them agree to terms and conditions they may not fully understand in order to use the popular service.

According to the AEPD, Belgium, France, Hamburg and the Netherlands have all conducted their own investigations into Facebook’s data collection practices as well, and additional fines may be on the way as a result of those examinations of the social networking company.