Germany's competition regulator has told Facebook to substantially restrict how it collects and combines data about its users unless they give it explicit consent.
The watchdog has carried out a probe into the social network following concerns that members were unaware of the extent of the firm's activities.
It covered data gathered from third-party sources as well as via Facebook's other apps, including Instagram.
The US firm has said it will appeal.
Specifically, the Federal Cartel Office (FCO) has ruled that:
The watchdog added that an "obligatory tick on the box" to agree to all the company's terms was not a sufficient basis for "such intensive data processing".
The ruling only applies to the firm's activities in Germany, but is likely to influence other regulators.
Facebook claims the Federal Cartel Office has overstepped the mark by pursuing a data privacy matter that, it says, falls under the remit of another regulator.
It has one month to challenge the ruling before it becomes legally effective.
If the order is upheld, the company must develop technical solutions to ensure it complies within four months. If it refuses to do so, it could in theory be fined up to 10% of its annual revenues.
The FCO's justification for the case is that it believes Facebook abused its market dominance to gather the data.
"In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts," explained Andreas Mundt, the FCO's president.
"The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power."
The ruling could affect the firm's use of the Like and Share buttons on external sites, which let Facebook record each visitor's internet protocol (IP) address, web browser name and version, and other details that can be used to identify them. This happens even if users never click on the buttons, since the embedded buttons are fetched from Facebook's servers when the page loads.
Likewise, the Facebook Login, which lets users avoid having to type in a unique username and password for each service, shares similar device-identifying information.
In addition, the company runs a scheme called the Facebook Pixel, which adds code to a third-party site to let its owners track whether ads run on Facebook converted the people who saw them into buyers.
The FCO was also concerned by the fact that Facebook shares some of the data gathered by Instagram, WhatsApp and its other services with its namesake platform.
The firm recently announced plans to go further and integrate the technology behind the chat services of Instagram, WhatsApp and Facebook Messenger.
Facebook defends such practices on the grounds that:
In a blog post, it added that the FCO had overlooked steps it had already taken to be compliant with the EU's General Data Protection Regulation (GDPR), which came into force last year.
"The GDPR specifically empowers data protection regulators - not competition authorities - to determine whether companies have lived up to their responsibilities," it said.
"And data protection regulators certainly have the expertise to make those conclusions."
"The [FCO] order threatens to undermine this, providing different rights to people based on the size of the companies they do business with."
But the UK-based campaign group Privacy International has said that if the German ruling holds, Facebook should extend the same rights to its other users.
"Privacy harms are directly caused by the business models of companies in dominant positions, which can impose excessive collection of data on people who have become 'captive users'," said the group's head of advocacy and policy Tomaso Falchetta.
"Facebook should unify its privacy protections for its operations globally."
The FCO is also pursuing a separate probe into Amazon. It is exploring whether the retail giant has acted illegally in its relations with the third-party sellers who use its platform.