The Hamburg data protection authority on Tuesday ruled that Facebook’s facial recognition feature, which attempts to identify people in photos uploaded to the site, violates German privacy laws.

Johannes Caspar, the head of the authority, said Facebook should not be collecting users’ biometric data – such as their face shape and the distance between their eyes – without getting their explicit consent. He has demanded that the social networking site change or disable the feature. All data collected so far should be deleted.

Mr Caspar has given Facebook two weeks to respond. If the company is unable to make changes, Mr Caspar said the Hamburg authority would consider bringing legal action against it. The German courts can impose fines of up to €300,000 ($426,397) for privacy breaches.