Google has been told by the EU to change the way it gathers personal data information if it is to avoid “high risks to the privacy of users”.
It follows a nine month investigation into the company’s personal data collection practices.
Since March, Google has combined data from sites like YouTube and Gmail to better target it’s advertising.
It meant 60 individual privacy policies for individual Google owned sites were merged into a single policy for all of its services.
Google has maintained the policy complies with EU law.
But regulators immediately raised concerns about the changes when they were implemented earlier this year.
The French data regulator, CNIL, was tasked by the EU to investigate the policy on behalf of the other countries in the EU.
The investigations were overseen by the Article 29 Working Party, a group of representatives from each member state tasked with promoting the application of the EU’s Data Protection Directive.
It stopped short of declaring Google’s data gathering practices illegal, but made clear 12 measures the company must put in place to satisfy the concerns.
“Combining personal data on such a large scale creates high risks to the privacy of users. Therefore, Google should modify its practices when combining data across services for these purposes.” the letter states.
Those recommendations are said to include a focus on personal information and browsing records, as well as the collection of location based data and credit card details.