Facebook users should be asked for consent before data collected by the group's subsidiaries Whatsapp and Instagram and on third-party websites is combined with their social network account, Germany's competition authority said Thursday.
Neither should users who refuse permission for their data to be merged be shut out of Facebook services as a result, the Federal Competition Office (FCO) ruled.
"In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts," FCO chief Andreas Mundt said in a statement.
"If users do not consent, Facebook may not exclude them from its services and must refrain from collecting and merging data from different sources."
Officials have been looking into Facebook since mid-2016, charging that the Silicon Valley giant uses other networks -- like subsidiaries Instagram and Whatsapp, as well as Twitter and other websites -- to collect masses of information about users without their knowledge.
That data then provides the foundation for Facebook's advertising profits.
The FCO's requirement for specific consent to merge data with Facebook accounts stopped short of media rumours that the authority could ban familiar products, such as the "Like" or "Share" buttons strewn around many third-party websites which aid data collection.
Nor has the Californian giant been ordered to pay a swingeing fine like those imposed by Brussels on rival Google over competition misdeeds.
However, the FCO found that Facebook has a "dominant" position in social networking in Germany, with its 23 million daily active users representing 95 percent of the market -- meaning there is no viable alternative service for most people.
Rival services like Snapchat, YouTube or Twitter "only offer parts of the services of a social network" and are not directly comparable, the authority said.
That meant that a one-off choice between accepting all kinds of data collection and not using Facebook at all "represents above all a so-called exploitative abuse", the FCO argued.
"The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network," competition chief Mundt said.
He gave Facebook four months to present a "concept" for compliance and a year to implement it.
If not, the FCO can levy fines of up to 10 million euros ($11.3 million) per month.
In its own statement, Facebook said it would appeal the FCO's decision.
"The Bundeskartellamt's decision misapplies German competition law to set different rules that apply to only one company," the California firm said.
Rather than the FCO, the Irish Data Protection Commission should be overseeing Facebook's use of data as the company's European HQ is based in Dublin, the social network said.
But the EU's data protection supervisor Giovanni Buttarelli said in a blog post that "we have consistently supported competition authorities taking action to combat abuse of dominance".
"All companies in the digital information ecosystem that rely on tracking, profiling and targeting should be on notice," Buttarelli added.
Thursday's German decision prolongs Facebook's nightmarish 2018 into the new year.
In the past 12 months the firm has been battered by repeated scandals.
It was accused of offering a platform for manipulating voters and failing to protect user data.
As it celebrated its 15th birthday, the social network had to contend with the global Cambridge Analytica scandal of March 2018.
In that case, data belonging to tens of millions of Facebook users was harvested by the British company through an online personality quiz.
The same consultancy worked on both the Leave campaign in the UK's Brexit referendum of 2016 and on Donald Trump's election campaign in the same year.
The EU introduced its General Data Protection Regulation (GDPR) in May last year, intensifying regulators' focus on Facebook.
In January, Facebook founder Mark Zuckerberg said its advertising-based business model required collecting personal data.
"We don't sell people's data" to other firms, he insisted in an opinion piece published in the Wall Street Journal.