If the ruling is upheld, Facebook will be required to let users specifically approve the assignment to their accounts of data collected from other Facebook-owned sources and third-party websites. "The combination of data sources", the cartel authority said, "substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power".
Facebook said the cartel office failed to recognize the extent of competition it faced from Google's YouTube or Twitter for users' attention, and also said the regulator was encroaching into areas that should be handled by data protection watchdogs.
The regulator's decision is not final, and Facebook has one month to file an appeal.
The FCO has ordered Facebook to terminate its current practices and only collect and combine data gathered from outside Facebook if German-based users have given their "voluntary consent".
The ruling could not only limit the value the company extracts from its own users' information but also restrict its ability to track people without a Facebook account, who now have no way of consenting to data collection.
Rather than the FCO, the Irish Data Protection Commission should be overseeing Facebook's use of data as the company's European HQ is based in Dublin, the social network said.
The lifeblood of social networks is data, which led the FCO to take the view that Facebook's terms and conditions affect not only data protection but also competition.
Facebook said the German regulator had confused the company's "popularity" with the concept of being "dominant" in the market for the purposes of competition law.
Facebook has 32 million monthly active users in Germany, which gives it a market share of more than 80 percent.
According to the New York Times, Facebook gave Spotify, Netflix, and RBC the ability to "read, write and delete users' private messages, and to see all participants on a thread - privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show". That investigation, initiated in March of the previous year, is looking into Facebook's compliance with Canada's federal private sector privacy law.
The Bundeskartellamt also described Facebook's current level of data use, carried out without account-holder consent, as "abusive". Facebook also claimed the regulator was "trying to implement an unconventional standard for a single company".
"We disagree with their conclusions and intend to appeal so that people in Germany continue to benefit fully from all our services", Facebook said in a blog post.
Privacy attorney Scott Vernick said he expects the integration plans to draw regulatory scrutiny, particularly in Europe. Users must agree to the terms or be excluded from the social network, a hard situation that cannot be considered voluntary consent, as required under the law.
The issue stems back to a payments feature Royal Bank developed and offered customers between 2013 and 2015, allowing them to transfer money through Facebook's messaging system.