Under German law, personal information can only be recorded and used by a company with explicit agreement from the individual.
But Berlin judges ruled Facebook leaves many settings switched on by default, failing to offer users a meaningful choice about how their data is used, plaintiffs the Federation of German Consumer Organisations (VZBV) said.
"Facebook hides default settings that are not privacy-friendly in its privacy centre and does not provide sufficient information about this when users register," VZBV legal expert Heiko Duenkel said.
Judges found five different default privacy settings were illegal, including sharing location data with chat partners or making profiles available to external search engines, allowing any internet user to stumble across them.
But the court did not agree with the consumer advocates' claim that the firm's slogan "Facebook is free and always will be" was misleading.
The VZBV said users were already paying to use the site -- but with access to their data, rather than cash.
Facebook could face fines of up to 250,000 euros ($306,000) per infraction if it does not fix its conditions in Germany, but the company said it would appeal the ruling.
Germany is a major market for Facebook in Europe, with around 30 million of the country's 80-million-strong population signed up and almost 23 million using the network every day.
Along with Austria, it is one of the only European Union nations to have translated continent-spanning rules known as the General Data Protection Regulation (GDPR) into national law ahead of a May 25 deadline.
Monday's judgement follows a December warning from Germany's competition watchdog that Facebook was abusing its dominant market position to "limitlessly" harvest data from outside websites and apps.
The social network uses its connections to third-party websites and subsidiaries WhatsApp and Instagram to collect data on its users to enable hyper-targeted advertising.