They have been criticised for resulting in the "uncontrolled" use of personal data without an individual's clear consent, relating to their use of YouTube and Gmail.
The commissioners this week told Google to give people more detailed control over personal data and said the changes the search giant introduced in March amounted to breaking European data-protection law, because the company was storing, without consent, cookies and data about sites people visited for between 18 months and two years.
The body stopped short of demanding a wholesale recall of these changes, which unified Google's privacy policies – and data – from about 60 services into a single data store.
However, the commission noted that Google "provides insufficient information to its users on its personal-data processing operations" and does not tell people how long data will be held.
The CNIL said for Google users a visit to a site displaying a "+1" button is recorded and kept for at least 18 months and can be linked with data from other Google services. Data collected via a DoubleClick ad cookie – which is then associated with a unique identifying number – is stored by Google for two years and can be renewed without consultation.
The CNIL also criticised Google for being unco-operative when responding to commissioners' queries.
The report was applauded by privacy groups, although sources close to Google indicated that it mostly outlined actions the search giant "should" carry out rather than "must" carry out, which is being interpreted as light-touch regulation rather than full-on confrontation.
But the commission may be biding its time. Bradley Shears, a United States lawyer, said: "It appears that the CNIL is providing Google one last opportunity to take the appropriate actions necessary to properly address its concerns before going down the litigation route."
Marc Dautlich, a specialist in data-protection law at Pinsent Masons in London, said: "If Google's get-out is that it's only being told 'should' rather than 'must', then it becomes a question of trust. How does a company purport to be transparent and trusted if they're put to the test and use a legal nicety to avoid it?"
European Union data-protection commissioners began examining Google's proposed changes to its privacy policies in February. The company went ahead with the March changes despite the CNIL's requests to delay them and warnings that they could be illegal.
Nick Pickles, director of privacy campaign group Big Brother Watch, said: "Consumers have been kept in the dark about how much data Google collects and what happens to that data.
"Unless people are aware just how much of their behaviour is being monitored and recorded, it is impossible to make an informed choice about using services." – © Guardian News & Media 2012