Germany's competition authority has told Facebook it can only continue gathering so much data about users from beyond its app and website if it gets individuals' consent.
The watchdog has carried out a probe into the social network following concerns that members were unaware of the extent of the firm's activities.
It covered data gathered from third-party sources as well as via Facebook's other apps, including Instagram.
The US firm has said it will appeal.
Specifically, the FCO has ruled that:
Facebook's various services can continue to collect data, but they cannot combine it with the user's main Facebook account unless the member gives their voluntary consent
collecting data from third-party websites and assigning it to a Facebook user's account is likewise only allowed if that member has given the firm permission
The watchdog added that an "obligatory tick on the box" to agree to all the company's terms was not a sufficient basis for "such intensive data processing".
The ruling only applies to the firm's activities in Germany, but is likely to influence other regulators.
Facebook claims the Federal Cartel Office has overstepped the mark by pursuing a data privacy matter that Facebook says falls under the remit of another regulator.
It has one month to challenge the ruling before it becomes legally effective.
If the order is upheld, the company must develop technical solutions to ensure it complies within four months.
Data sharing
The FCO's justification for the case is that it believes Facebook abused its market dominance to gather the data.
"In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts," explained Andreas Mundt, the FCO's president.
"The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power."
The ruling could affect the firm's use of the Like and Share buttons on external sites, which let Facebook track each visitor's internet protocol (IP) address, web browser name and version, and other details that can be used to identify them. This is true even if users never click on the buttons.
Likewise, the Facebook Login, which lets users avoid having to type in a unique username and password for each service, shares similar device-identifying information.
In addition, the company runs a scheme called the Facebook Pixel, which adds code to a third-party site to let its owners track whether ads run on Facebook converted the people who saw them into buyers.
The FCO was also concerned by the fact that Facebook shares some of the data gathered by Instagram, WhatsApp and its other services with its namesake platform.
The firm recently announced plans to go further and integrate the technology behind the chat services of Instagram, WhatsApp and Facebook Messenger.
Facebook defends such practices on the grounds that:
they help it show more relevant ads to consumers
they help advertisers measure how successful their campaigns are
they make it easier for Facebook to identify fake accounts, combat terrorism and otherwise protect its users
In a blog, it added that the FCO had overlooked steps it had already taken to be compliant with the EU's General Data Protection Regulation, which came into force last year.
"The GDPR specifically empowers data protection regulators - not competition authorities - to determine whether companies have lived up to their responsibilities," it said.
"And data protection regulators certainly have the expertise to make those conclusions."
"The [FCO] order threatens to undermine this, providing different rights to people based on the size of the companies they do business with."
The German watchdog is also pursuing a separate probe into Amazon. It is exploring whether the retail giant has acted illegally in its relations with the third-party sellers who use its platform.
BBC