Among the French watchdog’s concerns was the way the US group combines anonymous data from users’ browsing histories across its services to better target advertising.
Prior to the new policy, this data – which includes users’ web and map searches, along with browsing history while they are signed in to the site – had been separate. Users were also not given the ability to opt out if they wanted to use the full range of Google’s products.
The tech firm had been warned months earlier that the policy may breach EU data rules, sparking the months-long investigation.
CNIL president Isabelle Falque-Pierrotin said regulators were prepared to talk to Google, adding: “If Google does not conform in the allotted time, we will enter into the disciplinary phase”.
Some national data protection regulators including those in Belgium, France and the Netherlands have, in the past, imposed fines on companies that have breached rules. Such sanctions cannot be imposed EU-wide.
When Google was found to have broken data protection rules after its Street View cars collected unauthorised data on public wifi networks in 2010, it faced dozens of separate cases.
In that instance, Google was fined €100,000 by the French watchdog and the Netherlands threatened a €1 million fine if it did not change its policy.
Chris Watson, a lawyer at CMS Cameron McKenna LLP, said: “How the case turns out will be an important test case of Europe’s (EU) ability to enforce its point of view on online privacy.”
– (Additional reporting: Reuters)