
Facebook ordered to stop tracking non-users

By Lauren Kate Rawlins, ITWeb digital and innovation contributor.
Johannesburg, 10 Feb 2016
Facebook tracks users who have logged out, as well as those who have never signed up.

France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), has issued a notice ordering Facebook to stop tracking non-Facebook users on the Web.

The order states the social network has three months to comply, or will face fines. CNIL said the notice was made public due to the seriousness of the violations and the number of individuals concerned - 30 million Internet users in France.

"This notice is not a sanction and the procedure will be publicly closed if the companies comply with the French data protection Act within the time limit," states the report.

However, Facebook said in a statement: "We're confident we comply with European data protection law."

Privacy violations

The CNIL found Facebook infringed several aspects of the Act. Firstly, the social network collects data on the browsing activity of Internet users who do not have an account.

"Indeed," the notice reads, "the company does not inform Internet users that it sets a cookie on their terminal when they visit a Facebook public page (eg, page of a public event or of a friend). This cookie transmits to Facebook information relating to third-party Web sites offering Facebook plug-ins (eg, Like button) that are visited by Internet users."

Secondly, the CNIL takes issue with Facebook collecting information concerning sexual orientation, religious and political views without the explicit consent from account-holders.

Thirdly, "the Web site also sets cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users". The CNIL says Facebook does not allow users to opt out of this, and should do so, as it violates "their right to respect for private life".

The data protection authority also said Facebook transfers personal data to the US on the basis of Safe Harbour, although the EU Court of Justice declared such transfers invalid in October last year.

This week, a cross-border data-sharing agreement, known as 'Privacy Shield', was reached between the EU and the US but is yet to come into force as it faces a lengthy approval process.

Previous trouble

This is not the first time the social network has been on the wrong side of European privacy law.

Late last year, Facebook appealed a similar court ruling ordering it to stop tracking the online activities of non-Facebook users in Belgium who visit Facebook pages, or face the same EUR250 000 (nearly R4.5 million) daily fine.

Belgium's data protection regulator took the social network to court mid last year, accusing it of tracking people without a Facebook account without their consent. The company argued at the time that since it has its European headquarters in Ireland, it should be regulated solely by the Irish Data Protection Commissioner.

The Brussels court only gave Facebook 48 hours to comply with the ruling and the company caved. "We're disappointed we were unable to reach an agreement and now people will be required to log in or register for an account to see publicly available content on Facebook," a spokesperson told the BBC at the time.

Spain, Germany and the Netherlands are also all reportedly working on similar rulings.

Cookie monster

Facebook uses the so-called 'datr' cookie, which it places on people's browsers when they visit a Facebook.com site or click a Facebook 'Like' button on other Web sites, allowing it to track the online activities of that browser.

"We've used the 'datr' cookie for more than five years to keep Facebook secure for 1.5 billion people around the world," a spokeswoman said at the time of the Belgium ruling.

Facebook says the cookie only identifies browsers, not people, and is used to prevent security attacks by illegitimate users. The 'datr' cookie can live in an Internet user's browser for two years.
