Facebook's policy of holding on to subscribers' personal information, even after their accounts had been deactivated, was one area that breached Canada's privacy laws, she said.
The law requires organisations to retain such information only for as long as it is necessary to meet appropriate purposes, she was quoted by the AFP news agency as saying.
The report said Facebook's information about privacy practices was "often confusing or incomplete", and urged the site to make its policies more transparent to users.
Facebook was also criticised for failing to adequately restrict access to users' personal details by some of the 950,000 developers in 180 countries who provide applications, such as games, for the site.
In response, Facebook Chief Privacy Officer Chris Kelly told AFP it was working with the commission to resolve the issues.
"Overall, we are looking for practical solutions that operate at scale and respect the fact that people come to share and not to hide," he said.
"We continue our dialogue and have every confidence that we will come to acceptable conclusions. I think the concerns are fully resolvable."
Ms Stoddart said she would review Facebook's progress in 30 days.
Under Canadian law, she can take the case to a federal court to have her recommendations enforced, the BBC's Lee Carter in Toronto says.