France's data protection authority has given Google three months to change the way it handles users' private data, or face legal sanctions.
In its June 10 decision, CNIL ordered Google to clearly explain to users the ways in which data collected about them will be used; to keep data for no longer than is necessary for the purposes it has declared to users; not to combine data from different sources without legal authority; to fairly process data collected from "passive" users of Google's services through DoubleClick and Analytics cookies or Google +1 buttons on the pages they visit; and to obtain informed consent from users before storing cookies in their mobile phone, PC or other terminal.
If it does not comply, Google could face a fine of a maximum of €150,000 (or €300,000 for a second offense), and could in certain circumstances be ordered to refrain from processing personal data in certain ways for a period of three months.
Such orders are usually secret, but CNIL decided that, given the gravity of the situation, it would publish the order as an additional sanction against Google.
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at firstname.lastname@example.org.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.