Facebook has been accused of breaking European data-protection laws, in a report written for Belgium's privacy watchdog.
The social network placed "too much burden" on users to navigate its complex settings, said the report.
Also, it said, people were not told enough about how data Facebook gathered on them was used in adverts.
In response, Facebook said it was confident its policies and terms complied with relevant laws.
The report, written by academics from the University of Leuven, said the changes were not "drastic" but instead clarified what Facebook had been doing for some time.
The clarification led the report's authors to conclude that Facebook was "acting in violation of European law" governing:
- how data is gathered about people
- what is done with the information
- how people are informed about these practices
Facebook had a very complicated collection of settings which made it difficult for people to make an informed choice or be sure they were not surrendering data they wanted to keep private, said the report.
Users should get more information about what was being shared and which organisations saw it, added the report.
In response, Facebook said its updated terms and policies were much clearer and more concise and helped "expand" the control people had over advertising.
It said its privacy policies and terms were overseen by the Irish data protection commissioner, which made sure they both complied with broader European laws on how data was gathered and used for advertising.
"We're confident the updates comply with applicable laws," it added.
The report comes as European lawmakers are grappling with a significant update to the region's data-protection regime. The updated laws are expected to be in force from 2017 onwards.