Facebook’s weak privacy protections exposed the personal data of millions of users, a serious failing that the company has acknowledged but refused to fix, Canadian regulators said on Thursday.

An investigation by the privacy commissioner of Canada and the information and privacy commissioner for British Columbia found that Facebook violated national and local laws in allowing third parties access to private user information through “superficial and ineffective safeguards and consent mechanisms.”

But Facebook has disputed the watchdogs’ findings, even after its chief executive, Mark Zuckerberg, apologized last year for what he called a “major breach of trust” in the Cambridge Analytica data harvesting scandal, the regulators said. The company ignored recommendations, some issued a decade ago, for how to prevent future exposure, they said.

“There’s a significant gap between what they say and what they do,” said Daniel Therrien, who heads the federal privacy watchdog, at a news conference in Ottawa on Thursday.