Facebook has to explain better to users what happens to their personal data and give them more control, according to the data commissioner in Ireland, home to the website's international headquarters.
Facebook must work towards "simpler explanations of its privacy policies (and) ... easier accessibility and prominence of these policies," the Irish Data Protection Commissioner (DPC) said after an "audit" lasting three months.
It called on the US firm behind the popular website, which helps its roughly 800 million users worldwide keep in touch with friends and exchange information, to provide "an enhanced ability for users to make their own informed choices."
The DPC report also called on Facebook to allow users to delete old messages, friend requests, pokes, tags and posts.
The report also said that Facebook's implementation of its facial recognition feature, allowing users to identify or "tag" people in photos, should have been handled "in a more appropriate manner."
Facebook's indefinite retention of information of what adverts users had clicked on was also "unacceptable," it said. Facebook said in response it would "move immediately to a two-year retention period."
It said Facebook should provide within 40 days all information it holds on a particular user or non-user if requested to do so.
The DPC conducted the audit, aimed at determining whether Facebook complied with Irish and by extension European Union law, because Facebook Ireland is the entity with which non-US and non-Canadian users have a contract, the DPC said.
It followed a string of complaints by an Austrian student called Max Schrems who rose to prominence with his "Europe-versus-Facebook" pressure group, as well as the Norwegian Consumer Council and other individuals.
Schrems, 24, had launched his campaign after being shocked to receive from Facebook, in response to a demand for all the data it held on him, 1,222 pages of information, he told AFP earlier this year.
This included photos, messages and postings on his Facebook page dating back years, some of which he thought he had deleted, the times he had clicked "like" on an item, "pokes" of fellow users, and reams of other information.
"At first sight the report seems to be a first victory over Facebook's ignorance towards privacy laws," Europe-versus-Facebook said on its website www.europe-v-facebook.org/EN/en.html.
Co-founded by Mark Zuckerberg when he too was a student, Facebook said in response that the DPC had "highlighted several opportunities to strengthen our existing practices".
"Facebook has committed to either implement, or to consider, other 'best practice' improvements recommended by the DPC, even in situations where our practices already comply with legal requirements," it said in a statement.
Facebook has been under rising regulatory scrutiny as the Palo Alto, California-based firm has tried to turn the massively popular site into a profitable business ahead of a possible US$100-billion stock market listing.
On November 30 it agreed with the US Federal Trade Commission to tighten its privacy policies after the FTC found it had deceived users by, for example, making personal data that it had vowed to keep private available to advertisers.
DPC deputy commissioner Gary Davis said that because Facebook Ireland was only given responsibility for international users in September 2010, it "should not come as a surprise... that there should be room for improvement."
"Facebook is constantly evolving and adapting in response to user needs and technical developments," the DPC said.
"Indeed the almost Darwinian nature of the site means that there will constantly be an absolute need to have in place robust mechanisms to keep pace with the innovation that is the source of the site's success."
The DPC said a formal review of progress would take place in July. In theory Facebook could be fined up to 100,000 euros ($130,520) if it refuses to comply with the body's recommendations.