France’s data protection authority has ordered Facebook to stop tracking Web users who aren’t members of the social network within the next three months or face fines.

In an order published on January 26 (PDF), the Commission Nationale de l’Informatique et des Libertés (CNIL) said that the company tracks browsing activity after people visit a publicly viewable page from the site even if they don’t have a Facebook account, and sets cookies that relay more information when these users visit other sites that use Facebook plugins like buttons for liking and sharing content.

CNIL also took issue with the social network storing details about users’ sexual orientation as well as religious and political views without their explicit consent. The agency also stated that Facebook violated users’ right to privacy by compiling information on their habits for targeted advertising without giving them a way to prevent data collection.

It also alleged that Facebook transfers personal data to the United States on the basis of the now-defunct Safe Harbor pact, which until last October allowed American firms to store data from users in Europe in the US.

A new agreement between the EU and the US known as Privacy Shield was reached last week, but it is yet to come into force.

According to CNIL, Facebook has more than 30 million users in France. The authority made its notice to the company public “due to the seriousness of the violations and the number of individuals concerned by the Facebook service.”

Sally Aldous, a spokeswoman for Facebook, told Bloomberg, “Protecting the privacy of the people who use Facebook is at the heart of everything we do. We are confident that we comply with European Data Protection law and look forward to engaging with the CNIL to respond to their concerns.”

The company ran into trouble in Belgium last year on similar grounds: a court in the country issued Facebook an ultimatum to stop tracking users who aren’t signed in or risk a fine of €250,000 (nearly $270,000) for every day that it violated the order.

➤ The French data protection authority publicly issues formal notice to FACEBOOK to comply with the French Data Protection Act within three months [CNIL]
