Facebook has been given three months to stop tracking non-members of its social network without their consent in France.
Last year, it made changes to the way the site is viewed in Belgium following a similar order from the Belgian Privacy Commissioner.
The French data protection body also demanded stronger password complexity, requiring at least eight characters rather than the existing six.
Facebook said privacy was its priority.
“Protecting the privacy of the people who use Facebook is at the heart of everything we do. We… look forward to engaging with the CNIL [French data protection authority – Commission Nationale de l’Informatique et des Libertes] to respond to their concerns,” a spokeswoman said.
The social network tracks everyone who visits the site, regardless of whether they are members, by installing cookies – small text files which gather information about web activity.
The type used by Facebook, known as datr, can last for two years.
In Belgium, visitors to the site must now log on before they can view any pages.
The CNIL also told the firm to cease the transfer of some personal data to the US, as the Safe Harbour agreement has ended. Facebook has repeatedly stated that it uses other legal contracts to transfer data to the US.
The agreement, which enabled the transfer of data between the EU and US, was ruled invalid in October 2015, and while a new pact has been drawn up, it is not yet operational.
If Facebook fails to comply with the French privacy body within the three-month time frame it may face a fine, Reuters reported.