Facebook must work towards "simpler explanations of its privacy policies (and) ... easier accessibility and prominence of these policies," the Irish Data Protection Commissioner (DPC) said after a three-month audit.
It also called on Facebook, which has some 800 million users worldwide, to provide "an enhanced ability for users to make their own informed choices based on the available information."
The DPC conducted the enquiry, aimed at determining whether Facebook complied with Irish and by extension European Union law, because Facebook Ireland is the entity with which non-US and non-Canadian users have a contract, the DPC said.
It followed a string of complaints by Austrian student Max Schrems and his "Europe-versus-Facebook" pressure group, the Norwegian Consumer Council and other individuals.
Facebook said in an emailed statement in response to the report that the DPC had "highlighted several opportunities to strengthen our existing practices".
It added: "Facebook has committed to either implement, or to consider, other 'best practice' improvements recommended by the DPC, even in situations where our practices already comply with legal requirements."
The DPC said a formal review of progress would take place next July.
Explore further: Just whose Internet is it? New federal rules may answer that