The Italian Data Protection Commissioner has given Google 18 months to change the way it treats and stores user data.
A statement from the Italian Data Protection Authority also says that the Mountain View giant will have to make it clear that any personal data it does collect may be used for profiling, as well as for commercial purposes.
While the regulator did concede that Google has made progress towards adhering to local laws, it says the company still has some way to go in order to achieve full compliance in areas such as seeking prior consent for profiling for commercial purposes and the length of time that personal data is stored.
Specifically, the regulator says Google must remove personal information within two months of receiving a request from an active user. The company will also have to remove personal data from its backup systems within six months.
A Google spokesman said:
Google has been given until the end of September to provide legally binding proposals outlining how it will comply with Italy’s requirements.
If the company fails to achieve compliance with the Italian Data Protection Authority’s demands it could face a fine of up to 1 million euros ($1.35m or £790,000) as well as possible criminal proceedings.
Other European countries, including the UK, Netherlands and France have all recently shown concern over the practices undertaken by Google, largely on the back of its decision to roll 60 of its privacy policies into one.
That change, in 2012, saw the company consolidate the privacy policies of services such as YouTube, Google Search and Gmail but users were not given any choice over whether they wanted to accept the conditions or not.
Last November, the Dutch privacy watchdog declared that Google broke the country’s privacy laws following a seven month investigation.
Then, in January this year, Google was fined 150,000 euros ($202,000 or £118,000) by the French data watchdog after it ignored a three-month deadline to clean up its data privacy policies.
The UK’s Information Commissioner also ordered Google to make changes to its privacy policies last year but there is no word yet on whether the company ever complied with that request.
Previously, the company has also found itself in hot water over its Street View mapping service which was found to have steamrollered its way over user privacy by snaffling up data from Wi-Fi networks.
It also currently faces the headache of dealing with tens of thousands of right to be forgotten link removal requests following a ruling from the European Court of Justice (ECJ) in May.
In respect of the latter, the Italian regulator says it is awaiting clarification before applying the ECJ ruling within its own jurisdiction.