“In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products,” the ICO said.
Failure to do so, the ICO said, will leave Google “open to the possibility of formal enforcement action”.
In February, France’s privacy watchdog, CNIL, warned that Google could face could face a coordinated "repressive action" if it failed to comply with EU recommendations.
The EU investigation began in March 2012, when Google started combining data from across its sites to better target advertising, which regulators see as "high-risk" to users’ privacy.
The new policy was implemented after the company combined 60 separate privacy policies into a single agreement, which raised privacy concerns on both sides of the Atlantic.
Google maintains that its privacy practices respect European laws.
"We have engaged fully with the authorities involved through this process, and we'll continue to do so going forward," it said in a statement.
However, in April CNIL said Google had yet to respond to the EU recommendations, and issued a three-month deadline, while Spain charged Google with infringing its data protection laws.
CNIL wants Google to specify what it is using personal data for, and how long it is held. It also wants Google to let users opt out of having their data centralised in a single location.
- EU data protection regulators begin action against Google
- Google closer to action from European privacy regulators
- Google gets record fine over privacy bypassing cookies
- Google lacks enterprise credibility
- Google privacy re-write raises data protection concerns
Google faces a French fine of up to €300,000.
The Spanish Data Protection Agency said that it had found evidence of five serious privacy law breaches and that Google cold face fines of up to €1.5m.
The alleged infringements are disproportionate use of private data, diverting private data for other users, storing private data for excessive or undetermined periods, failure to handle private data in a legitimate way, and obstructing users in the exercise of their rights.
While these fines are small in comparison with Google’s first quarter revenues of $14bn, charges and fines from other EU data protection authorities could follow from the UK, Germany, Italy and the Netherlands.
“We will continue to co-ordinate our efforts to ensure that people’s privacy rights are respected,” the ICO said.