Facebook Group violates Dutch data protection law. That is the conclusion of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; hereinafter: DPA) after its investigation into the processing of personal data of 9.6 million Facebook users in the Netherlands. The company breaches Dutch data protection law including by giving users insufficient information about the use of their personal data. The Dutch DPA has also found that the Facebook Group uses sensitive personal data from users without their explicit consent. For example, data relating to sexual preferences were used to show targeted advertisements. The Facebook Group has made changes to end the use of this type of data for this latter purpose. The Dutch DPA currently assesses whether the other violations have stopped. If that is not the case, the Dutch DPA may decide to issue a sanction.