South Korea’s data privacy regulator announced Tuesday that it has fined Meta 21.6 billion won ($15.6 million) for allegedly providing 980,000 Facebook users’ sensitive information to advertisers without their consent.

The country’s Personal Information Protection Commission (PIPC) said the social media giant compiled “advertising topics” based on individual users’ Facebook activity and profiles, and offered them to advertisers. About 4,000 used the data, according to the agency. 

Because the compiled data included topics deemed sensitive by the PIPC  — such as religious affiliations, same-sex marital status and whether a user is a North Korean defector, for example — Meta’s conduct allegedly violated the country’s Personal Information Protection Act (PIPA), according to a Korean government press release.

Meta did not immediately respond to a request for comment.

Under the PIPA, information on “thoughts, beliefs, political views, sexual life, etc. is sensitive information that must be strictly protected,” the PIPC said. 

The regulator said that under South Korean law, processing sensitive information is allowed only in “exceptional cases” such as when users have affirmatively consented to having their information collected and analyzed. 

It held up the fine as an important warning to foreign companies operating in South Korea that they must adhere to the country’s data privacy laws.

Meta allegedly “only vaguely stated” its data collection and processing practices in its data policy and did not obtain “separate consent and did not take any additional protective measures,” the press release said.

Once the investigation began, Meta voluntarily stopped collecting sensitive information from users and erased advertising profiles it had built with the data, the PIPC said.

Meta users also have complained that the company denied them access to the collected information, and in some cases said it was accessed by hackers, according to the press release. 

The alleged hacking occurred because Meta did not remove unused account recovery pages, allowing hackers to use fake IDs to request password resets for other people's accounts, the PIPC said. 

Ten users' personal information was leaked as a result of the hacks, the PIPC said.

Meta has been accused of similar conduct by South Korean authorities before. In 2022, the PIPC fined Meta 30.8 billion won ($22 million) for allegedly failing to clearly inform users it was collecting and analyzing their behavioral information to target advertising.