The US social network has been warned it has 48 hours to stop tracking data on people without a Facebook account, a Belgian court has ruled.
Facebook will be fined a staggering £180,000 each day it does not adhere to the ruling, the court said in an e-mail statement.
The Belgian court objected to the “cookie” technology used by Facebook to track a person’s device up to two years after they have used it to access a Facebook page — whether or not they even have an account.
President of the Belgian commission, Willem Debeuckelaere labelled the practice “disrespectful” of consumers.
“The judge ruled that this is personal data, which Facebook can only use if the internet user expressly gives their consent, as Belgian privacy law dictates,” the court added in a statement.
The Belgian court has given the US social network 48 hours to comply and remove the cookie, which Facebook has used on its website for the last five years.
If it fails to remove the cookie, the daily fine of £180,000 would go to the Belgian Privacy Commission, which brought the case.
But Facebook will appeal the ruling, the Californian company confirmed in a statement.
“We’ve used the Datr cookie for more than five years to keep Facebook secure for 1.5 billion people around the world,” said a spokesperson for Facebook.
“We will appeal this decision and are working to minimise any disruption to people’s access to Facebook in Belgium.”
The social network argues it is only subject to the privacy laws in Ireland – the location of its European headquarters.
Cookies are lightweight files used across the web to track whether a user has previously visited a website.
The small files can track a number of activities, including how long a person stayed on the website, the text they typed into a form, what they clicked, their location and any other preferences selected.
Facebook chief security officer Alex Stamos used the social network to post a response to news of the privacy lawsuit filed against the company in Belgium.
He wrote: “If the court blocks us from using the datr cookie in Belgium, we would lose one of our best signals to demonstrate that someone is coming to our site legitimately.
“In practice, that means we would have to treat any visit to our service from Belgium as an untrusted login and deploy a range of other verification methods for people to prove that they are the legitimate owners of their accounts.
“It would also make Belgian devices more attractive to spammers and others who traffic in compromised accounts on underground forums.
“The Belgian Privacy Commission initially argued an incorrect point that Facebook uses the datr cookie to target ads to people who aren’t Facebook users.
“We don’t – and the commission abandoned that argument. Now it is focused on the fact that we set the datr cookie when someone visits one of our sites, such as Facebook.com, or clicks a like button on a publisher’s website and interacts with the login page that appears. We do not set the datr cookie when someone simply loads a page with a like button.
“The datr cookie is only associated with browsers, not individual people. It doesn’t contain any information that identifies or is tied to a particular person.
“At a technical level, we use the datr cookie to collect statistical information on the behavior of a browser on sites with social plugins, such as the like button, to help us distinguish patterns that look like an attacker from patterns that look like a real person.”