Along with other Internet companies like Facebook and Microsoft, Google collects personal data, like the sex and age of users and their Web browsing histories, in order to tailor their services to individual users and also to sell ads.
European privacy regulators had expressed concern last winter about the new procedures and had asked Google to delay implementing them. After the company declined, the European Commission asked France’s privacy agency to take the lead on a legal analysis, which resulted in the warning letter Tuesday to Mr. Page.
The privacy regulators said Google provided users with incomplete disclosure about its processing and storage of the data, as well as insufficient control over how information from different Google services is blended to build detailed personal profiles. Google also makes it too cumbersome for users to block the collection of these data, the regulators said.
Ms. Falque-Pierrotin, whose agency, called CNIL, conducted an investigation of the policy change on behalf of the other European Union data-protection authorities, said she would give Google “three to four months” to make changes. If the company refuses, she and other officials said, the data-protection authorities might take legal action or impose fines.
Google said it was reviewing the letter and an accompanying report from the data-protection authorities, but added that it was confident that the new policy respected European Union law.
The letter to Mr. Page is only the latest addition to a growing list of regulatory headaches for Google. Antitrust officials at the European Commission are investigating whether Google has used its search engine to favor its own services and through preferential rankings to put competitors at a disadvantage. A similar inquiry is under way at the U.S. Federal Trade Commission.
David Vladeck, the F.T.C.’s director of consumer protection, met last week in Brussels with Ms. Falque-Pierrotin, said Cecelia Prewett, an F.T.C. spokeswoman. She declined to divulge what they discussed.
On privacy, Google has been under growing scrutiny since it acknowledged in 2010 that it had collected private data on individuals when it took photographs for its Street View mapping feature. Regulators in several countries, including the United States and France, have fined Google in connection with this practice; criminal and civil investigations are still open in Germany.
“There’s a collective concern being expressed by different regulatory agencies in many parts of the world about the use of information online,” said Joel Reidenberg, director of the Center on Law and Information Policy at Fordham University in New York. “As the trend goes this way, we can expect to see more of these kinds of concerns expressed and a decreasing hesitancy about taking action.”
While European Union lawmakers are working on an overhaul of the bloc’s data-protection rules, with an eye toward updating them for the borderless era of the Internet, enforcement remains a matter for national regulators. In France, CNIL has the power to fine companies as much as €300,000, or about $390,000, for privacy breaches. In some countries, data protection agencies can bring criminal complaints; in others, it cannot.
Given this fragmentation, analysts said it was striking that the national regulators, acting at the request of an advisory panel created by the European Commission, had come together to issue a joint letter to Google.
“On the one hand, this is the first time all the European data-protection agencies have acted together as a group to tell a company that its actions are unacceptable,” Mr. Reidenberg said. “On the other hand, there is a bit of a mixed message, because they are refraining from taking any immediate action.”
Coordinating such regulations and enforcement across continents is even more difficult, especially when cultural differences intrude, like in the perceived greater attachment to privacy in Europe than in, say, the United States. But regulators and Internet companies say greater alignment is desirable at a time when digital communications zip across borders and companies like Google operate on an ever more global scale.
Jacob Kohnstamm, chairman of the European Commission’s data-protection panel, said that regulators in Canada and some Asian countries had participated in the investigation, in an effort to give the inquiry an intercontinental scope. He and Ms. Falque-Pierrotin said the European regulators had also consulted with the F.T.C., though the U.S. agency did not sign the letter to Mr. Page.
In the letter, the European officials said Google’s new policy allowed the company to “combine almost any data from any service for any purpose.”
The regulators asked Google to give consumers more visibility over how their data is collected, used and combined, saying one possibility might be to create “interactive online presentations.” The regulators also chided Google for failing to specify how long it kept certain kinds of data, and urged the company to make it easier for users to “opt out” if they did not want their information gathered.
The regulators also said Google did not distinguish between data of different levels of sensitivity, saying the company attached the same importance to credit card numbers or the contents of a search query, for example. And they said so-called passive users of Google services — that is, those who use a Google feature embedded in a third-party Web site — often are provided with no information on Google’s data policies.
Jeff Gould, the president of SafeGov, a group in San Francisco that represents companies selling software and hardware to governments, said Google’s “approach is that we can take anything we learn from you from our services to build a profile of a user to serve targeted ads.”
“My view is that is a completely legitimate model, if you give the consumer the opportunity to opt out,” he said.
Analysts say Google needed to change its policy to keep pace with rivals like Apple and Facebook, whose services are more integrated than Google’s. Ms. Falque-Pierrotin countered that greater transparency could actually be a competitive advantage for Google.
“If Google did that responsibly, I don’t think it would kill their business,” Mr. Gould said. “But that is the 64,000-terabyte question.”
Eric Pfanner reported from Paris, and Kevin J. O’Brien from Berlin.
Original article on The New York Times