France's privacy regulator has ordered Facebook to stop tracking non-users within three months.
In a 16-page ruling issued Monday, France's CNIL found fault with data collection by Facebook at its own site, and at the sites of outside publishers with "Like" buttons.
"While the purpose claimed by the company may seem legitimate (ensuring the security of its services), collecting data on browsing activity by non-account Facebook holders on third-party websites is carried out without their knowledge," the CNIL wrote.
The regulator also said that Facebook violates EU privacy law by placing cookies on the computers of visitors to Facebook.com without first obtaining their consent.
Last year, authorities in Belgium also ordered Facebook to stop tracking non-users. Several weeks later, Facebook began preventing non-account holders in Belgium from accessing Facebook.com. In the past, anyone in that country could access many Facebook pages found through search engines, including pages for small businesses, sports teams, celebrities and tourist attractions.
The CNIL also said in its Monday ruling that Facebook can't send data about EU citizens to U.S. servers, due to a ruling last October that invalidated an agreement that enabled the data transfers. While EU and U.S. authorities recently negotiated a new agreement, it has not yet been finalized.
A Facebook spokesperson said the company is "confident" that it complies with the European privacy law and looks forward "to engaging with the CNIL to respond to their concerns."