The CNIL said that the policy is too wide, and that Google has not cooperated with it in resolving these issues.
It has asked Google to publicly commit to the rules of data protection, and told it to give users more control over their data and make it easy for them to opt out of any changes that it might bring about.
The CNIL said that it was not clear whether Google actually respects "key data protection principles," adding that it, and other European data protection authorities, want it to publicly commit to things like "data quality, data minimisation, proportionality and right to object".
It said that it should provide comprehensive information on this, and offer three levels of detail that could be applied, or referred to, by users depending on to what level they engage with its services. "The ergonomics of the Policy could also be improved with interactive presentations," it added.
Currently, the Google collection picture is bleak. The firm collects too much information, said the CNIL, and combines it in very broad ways.
"The European DPAs note that this combination pursues different purposes such as the provision of a service requested by the user, product development, security, advertising, the creation of the Google account or academic research," it said in its statement.
"The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data."
Google has been told to change its practices when collecting and combining data and to make sure that it has its users' consent before it does any such thing. It should, said the CNIL give users the chance to consent, or refuse such combinations.
The CNIL said that it had the agreement of 27 other European data watchdogs.
Google and the CNIL had apparently been working closely on resolving their differences, but still failed to meet an accord.
Following earlier criticisms, Google told us in May that it had requested a sit down and discussion with the French government watchdog.
"We asked for a meeting with the CNIL," said a spokesperson. "Having a meeting with them gives us chance to put things into context and explain the broader actions we are taking to protect our users' privacy."
"Our preliminary analysis shows that Google's new policy does not meet requirements of the European Directive on Data Protection, especially regarding the information provided to data subjects," said Isabelle Falque-Pierrotin from the CNIL.
"The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such proceedings." µ
Yes means yes. No means yes. Here means no. But only for eight hours. Possibly
But it won't arrive until the fourth quarter, apparently
Smartphone to see a VR launch courtesy of firm's new Loop headset