The move follows a legal challenge in the US to the policy, where it is charged with violating the Computer Fraud Abuse Act.
Replacing more that 60 privacy policies for services such as YouTube and Gmail, the new single policy was implemented in March. At the time it was accused of putting advertisers’ interests ahead of its own users.
The EU action is being led by the French data protection authority, the Commission Nationale de l’Information et des Liberties (CNIL), and has been seen as evidence of a new joint approach to data issues.
The CNIL has sent a letter to Google chief executive Larry Page on behalf of members of the Article 29 Working Party that outlines its concerns. It said Google should adopt to remedy the concerns expressed by it and the other privacy watchdogs.
Google faces a “phase of litigation” if it does not take action to implement the recommendations with the next “three or four months,” CNIL president Isabelle Flaque-Pierrotin warned.
The CNIL is highly critical of Google, noting that it “provides insufficient information to its users on its personal data processing operations”, doesn’t tell people how long data will be held, and allows “uncontrolled” combination of data across its service.
It notes that for Google users, merely visiting a site which displays one of its “+1” buttons is recorded and kept for at least 18 months and can be associated with other data from other Google services. Data collected via a DoubleClick ad cookie – which is then associated with a unique identifying number – is stored by Google for two years, and can be renewed without consultation.