A German court has found Facebook is breaching data protection rules with privacy settings that over-share by default and by requiring users to give real names.
Under German law, personal information can only be recorded and used by a company with explicit agreement from the individual.
But Berlin judges ruled Facebook leaves many settings switched on by default, failing to offer users a meaningful choice about how their data is used, plaintiffs the Federation of German Consumer Organisations (VZBV) said.
"Facebook hides default settings that are not privacy-friendly in its privacy centre and does not provide sufficient information about this when users register," said VZBV legal expert Heiko Duenkel.
Judges found five different default privacy settings were illegal, including sharing location data with chat partners or making profiles available to external search engines, allowing any internet user to stumble across them.
But it did not agree with the consumer advocates claim that the firm slogan "Facebook is free and always will be" was misleading.
The VZBV said users were already paying to use the site but with access to their data, rather than cash.
Facebook could face fines of up to 250,000 euros (RM1.2mil) per infraction if it does not fix its conditions in Germany, but the company said it would appeal the ruling.