The letter, which stopped short of declaring Google‘s approach to collecting user data illegal, comes after a nine-month investigation led by France’s Commission Nationale de l’Informatique (CNIL) on behalf of the EU’s regulators.
Google must spell out its intentions and methods for combining data collected from its various services, and the web search giant must ask its users for explicit consent when bundling their data together, the regulators say in the letter sent to Google.
“Combining personal data on such a large scale creates high risks to the privacy of users,” says the letter, signed by 24 of EU’s 27 data regulators plus those of Croatia and Liechtenstein. It has not yet been signed by data regulators from Greece, Romania and Lithuania.
“Therefore, Google should modify its practices when combining data across services for these purposes.”
Under its new system, which the company introduced in March, Google consolidated 60 privacy policies into one and began pooling data it collects on users across its services, including YouTube, Gmail and its social network Google+.
Google replied to CNIL with a 94-page document but that regulators found unsatisfactory.
The first five ask the company to give users more information about how their personal information and browsing records will be used, with special attention paid to location data and credit card data.
Google could not immediately be reached for comment.
(Reporting By Claire Davenport; additional reporting by Leila Abboud; editing by Rex Merrifield)