It follows the firm’s decision in March to consolidate 60 separate privacy policies into a single agreement.
The move allowed it to pool data from across its products, including use of its video site YouTube, social network Google+ and smartphone system Android – potentially helping it target adverts.
French data privacy regulator CNIL – which led the inquiry – said the US company had “months” to make changes.
Google has been told it should give clearer information about what data is being collected and for what purpose. It has also been told to give users more control over how the information is combined.
It has been warned that if it took no action, CNIL would “enter a phase of litigation”.
Google said it needed more time to provide a detailed response.
“We have received the report and are reviewing it now,” said Peter Fleischer, its global privacy counsel.
Google had a lot riding on the decision from the EU data protection watchdogs.
Now CNIL has issued a critical report on the policy, and called for changes, with a warning that there could be litigation if Google does not respond.
But the search giant has gone into spin mode, pointing out that that its policy has not been ruled illegal and it hasn’t been asked to roll it back.
A spokesman was also eager to point out that Microsoft had unveiled a similar privacy code this week.
But Google – like Microsoft before it – is now firmly in the sights of the world’s regulators, with an EU competition ruling the next hurdle to clear.
The search firm insists that everything it does is in the interest of its users – its problem is that the world is no longer quite so inclined to see it as a big friendly giant.
Although Google has not been directly accused of acting illegally, it has been accused of providing “incomplete and approximate” details raising “deep concerns about data protection and the respect of the European law”.
CNIL carried out the investigation into Google on behalf of the 27 members of the European Union. Although Greece, Romania and Lithuania have yet to sign up to the findings, non-EU states Croatia and Liechtenstein have done so.
After studying Google’s revised policy in depth, the agency said it believed Google had failed to place any limit on the “scope of collection and the potential uses of the personal data”, meaning it might be in breach of several of the bloc’s data protection principles.
Specifically, CNIL said it was unhappy that users were unable to determine or control what kinds of data were being processed and for what use.
Furthermore it highlighted the wide range of potential uses Google might have for the data including product development, security, advertising and academic research.
It said that EU data protection laws place limits on such activities and proposed the following changes:
- Google must “reinforce users’ consent”. It suggests this could be done by allowing its members to choose under what circumstances data about them was combined by asking them to click on dedicated buttons.
- The firm should offer a centralised opt-out tool and allow users to decide which of Google’s services provided data about them.
- Google should adapt its own tools so that it could limit data use to authorised purposes. For example, it should be able to use a person’s collated data to improve security efforts but not to target advertising.
CNIL’s president Isabelle Falque-Pierrotin said the company had “three or four months” to make the revisions, otherwise “authorities in several countries can take action against Google”.
UK-based privacy campaign group Big Brother Watch welcomed the news.
“It’s absolutely right that European regulators focus on ensuring people know what data is being collected and how it is being used,” said the organisation’s director, Nick Pickles.
“Unless people are aware just how much of their behaviour is being monitored and recorded it is impossible to make an informed choice about using services.
“This ruling is an important step to putting consumers in control of their personal information and ensuring that companies like Google are not able to easily disregard people’s privacy in pursuit of more information and greater profits.”
The news coincides with Google’s test of a new unified search tool that works across several of its products.
Users involved in the trial are able to check through the contents of their Gmail, Google Calendar and Drive cloud storage services through the main search tool on the site’s Google.com homepage.
The pilot is being limited to participants in the US at this time.
Google still faces the results of a separate investigation by the EU into whether it has abused its position as the most popular internet search tool by directing users to its own services by placing them high in its results.
News site Search Engine Land has also reported that the US Federal Trade Commission (FTC) is “strongly considering” its own investigation into whether Google and others have complied with guidelines for the disclosure of information about how paid advertisements appear in search results and whether the rules should be updated.