It follows the firm’s decision in March to consolidate 60 separate privacy policies into a single agreement. The move allowed it to pool data from across its products, including use of its video site YouTube, social network Google+ and smartphone system Android – potentially helping it target adverts.
French data privacy regulator CNIL – which led the inquiry – said the US company had "months" to make changes. Google has been told it should give clearer information about what data is being collected and for what purpose. It has also been told to give users more control over how the information is combined.
It has been warned that if it took no action, CNIL would "enter a phase of litigation". Google said it needed more time to provide a detailed response.
"We have received the report and are reviewing it now," said Peter Fleischer, its global privacy counsel. "Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law."
Although Google has not been directly accused of acting illegally, it has been accused of providing "incomplete and approximate" details raising "deep concerns about data protection and the respect of the European law".